There are plenty of good technical overviews of the Heartbleed vulnerability (including a great overview by XKCD). The security impacts of this issue have been covered well by people far smarter than me. But I feel the need to pile on to reports that the NSA has known about this vulnerability and exploited it for years, if this is indeed true.
Nowhere are the conflicting goals of an agency like the NSA painted in such stark relief as here: to protect Americans against exploitation and cyber threats, while also gathering information about our enemies. When these goals are in direct competition, the protection of our own citizens has to take precedence. To do otherwise is the equivalent of knowing about a fatal flaw in a car but keeping that from the public in the hopes that one of our enemies will use that car and die as a result of that flaw. Too many innocent people are affected by such callous policies, regardless of how much national security importance we ascribe to such outcomes.
In the case of the Heartbleed vulnerability, more and more of our country’s economic power involves e-commerce that depends on fundamental protocols like SSL. To know about a vulnerability that puts literally millions of people and billions of dollars at risk, and to do nothing, is a government failing of incredible magnitude.
Although I understand the need to gather intelligence, I think it is clear that the NSA has gotten lazy, preferring to rely on easily-exploitable vulnerabilities that they hope won’t be discovered and fixed instead of building up our human intelligence programs. Assuming the technological backdoors will always be there, and will only be used by the good guys, is dangerously naïve. Even more so, however, I’d rather live in a world with less intelligence interception but fewer security flaws in the tools I use on a daily basis than vice versa. The more people hear about how the NSA handles issues like these, the more they will likely agree.