NSA Details Heartbleed "Mitigations" In New Report
Amidst the Heartbleed bug hoopla this month was a claim that the NSA knew about and actively exploited the vulnerability, something the agency soon denied. Apparently in line with that claim, the spy agency has now posted its own list of methods for dealing with the security problem.
The published report is short and sweet, taking up only half of a single page. Operators of affected servers and clients are told to upgrade, to download a software update that fixes the problem, and to revoke and reissue certificates and credentials after an update is made available.
Of course, this information is nothing new. We've previously detailed the bug (what it is, what it means, and what you should do) and published a short three-step guide to taking action in light of the Heartbleed bug.
President Obama reportedly told the National Security Agency recently that major vulnerabilities like Heartbleed should be made known, not exploited in secret. The NSA had previously stated that it would have made the issue known, had it known about the bug. "It is in the national interest to responsibly disclose the vulnerability rather than to hold it for an investigative or intelligence purpose."
SOURCE: NSA