The government has been using the “Heartbleed” vulnerability to collect user data since two years ago


While the “Heartbleed” vulnerability still has Internet companies and ordinary users on edge, Bloomberg has dropped a bombshell. It reports that the National Security Agency first discovered “Heartbleed” as early as 2012 and has held information about the vulnerability since then. Unfortunately, the Obama administration did not announce the news in time. More unacceptable still, the government also used this vulnerability as one of its means of collecting and monitoring users’ network data.

The SSL standard contains a heartbeat option, which lets the computer at one end of an SSL connection send a short message (a heartbeat) to confirm that the other computer is still online, and get a reply. Researchers found that sending a disguised, malicious heartbeat message can induce the computer at the other end of the SSL connection to leak secret information. In other words, the machine can be tricked into sending back the contents of the server’s memory, which contain a large amount of private information, including logins and even passwords. This is why the OpenSSL vulnerability is vividly described as “bleeding heart” (Heartbleed).
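The check that keeps a heartbeat reply from reading past the received message, as an added example (not OpenSSL's code and not from the original article). It assumes the RFC 6520 message layout of a 1-byte type, a 2-byte payload length, the payload and at least 16 bytes of padding; the function and constant names are hypothetical, and the reply padding is zero-filled here for simplicity.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Message layout assumed from RFC 6520: type(1) | payload_length(2) | payload | padding(>=16) */
#define HB_REQUEST 1
#define HB_RESPONSE 2
#define HB_HEADER_LEN 3
#define HB_MIN_PADDING 16
enum hb_result { HB_TRUNCATED = -1, HB_LENGTH_MISMATCH = -2, HB_NOT_REQUEST = -3, HB_NO_SPACE = -4 };

/* msg/msg_len: the heartbeat message bytes actually received.
   Returns the number of reply bytes written to out, or a negative hb_result. */
int hb_build_response(const uint8_t *msg, size_t msg_len, uint8_t *out, size_t out_cap)
{
    if (msg_len < HB_HEADER_LEN + HB_MIN_PADDING)
        return HB_TRUNCATED;                 /* too short to hold header and padding */
    if (msg[0] != HB_REQUEST)
        return HB_NOT_REQUEST;
    size_t claimed = ((size_t)msg[1] << 8) | msg[2];
    /* The sender-controlled length field must fit inside the bytes that
       really arrived; otherwise the copy below would read adjacent memory. */
    if (HB_HEADER_LEN + claimed + HB_MIN_PADDING > msg_len)
        return HB_LENGTH_MISMATCH;           /* discard, send no reply */
    size_t resp_len = HB_HEADER_LEN + claimed + HB_MIN_PADDING;
    if (resp_len > out_cap)
        return HB_NO_SPACE;
    out[0] = HB_RESPONSE;
    out[1] = msg[1];
    out[2] = msg[2];
    memcpy(out + HB_HEADER_LEN, msg + HB_HEADER_LEN, claimed);  /* echo the payload */
    memset(out + HB_HEADER_LEN + claimed, 0, HB_MIN_PADDING);
    return (int)resp_len;
}

/* Constructed sample: 4-byte payload "ping", length field says 4. */
int hb_demo_wellformed(void)
{
    uint8_t msg[3 + 4 + 16] = { HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g' };
    uint8_t out[64];
    return hb_build_response(msg, sizeof msg, out, sizeof out);
}

/* Constructed sample: same bytes received, but the length field claims 64. */
int hb_demo_overclaim(void)
{
    uint8_t msg[3 + 4 + 16] = { HB_REQUEST, 0x00, 0x40, 'p', 'i', 'n', 'g' };
    uint8_t out[128];
    return hb_build_response(msg, sizeof msg, out, sizeof out);
}
```
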

After the news shocked the world, the National Security Agency responded immediately on Twitter, in a firm tone rather than its often ambiguous wording: “Before the security industry disclosed ‘Heartbleed’, the agency did not know of this vulnerability.”

Analysts are generally skeptical of the government’s response.

In the first place, the NSA spends up to $1.6 billion every year on data collection and monitoring, thousands of times more than the OpenSSL open source project does. For a widely used Internet file transfer protocol standard with such a serious vulnerability, the claim that the government learned of it only after professional organizations did cannot be true.

Second, shortly after the news broke, the New York Times reported that the Obama administration passed a bill in January this year under which the National Security Agency should tell the public about the network vulnerabilities and other security problems it finds. But where there is an obvious need, or in order to protect national security, the government can remain silent about some vulnerabilities and make reasonable use of them.