I don't listen to that conspiracy nut. I personally think the problem was the "open" in Open SSL.
Um, no? The problem was someone accidentally forgetting the number one rule of security programming: validate all input.
I wish all sites just used AES+Twofish. It's fast anyway and free! Why can't sites use just AES? I've seen my bank and a few others use AES, but most use RC4. Bah
Erm...
First, AES is available for use in TLS. Second, which block cipher the server negotiates with the client to use is
completely irrelevant here because Heartbleed has
absolutely nothing to do with encryption.
TLS supports something called a "heartbeat", which is basically a "hey, are you still there?" to prevent the connection from timing out. I say to you, "Monkeys!", and you echo that back to me, and I know that you're still on the line with me.
The Heartbleed bug is the server not validating the the heartbeat input, thus causing it to including more data than it should in its return echo. I say to you, "Monkeys!" and tell you that you're supposed to echo back something two paragraphs long, and you didn't bother to check that my "Monkeys!" isn't actually two paragraphs long, so you echo back to me two paragraphs that consists of my "Monkeys!" and some random other words that you happened to have lying around to fill my two-paragraph request. And that extra data is basically random--it might be useless garbage, or it might be a chunk from a recent transmission from someone else containing sensitive data. That's it. None of the cryptographic bits were involved; the vulnerable code is
completely unrelated to any of the cryptographic components.