Has the NSA Been Using the Heartbleed Bug as an Internet Peephole?

When ex-government contractor Edward Snowden exposed the National Security Agency’s widespread efforts to eavesdrop on the internet, encryption was the one thing that gave us comfort.

Even Snowden touted encryption as a saving grace in the face of the spy agency’s snooping. “Encryption works,” the whistleblower said in June 2013. “Properly implemented strong crypto systems are one of the few things that you can rely on.”

But Snowden also warned that crypto systems aren’t always properly implemented. “Unfortunately,” he said, “endpoint security is so terrifically weak that NSA can frequently find ways around it.”

Since the Heartbleed bug has existed for two years, it raises obvious questions about whether the NSA or other spy agencies were exploiting it before its discovery. Now that caveat has hit home -- in a big way -- when researchers revealed Heartbleed, a two-year-old security hole involving the OpenSSL software many websites use to encrypt traffic.

“It would not at all surprise me if the NSA had discovered this long before the rest of us had,” Matt Blaze, cryptographer and computer security professor at the University of Pennsylvania says. “It’s certainly something that the NSA would find extremely useful in their arsenal.” So far, though, there’s no evidence to suggest this is the case. For one thing, the bug did not affect every website.