Canada Revenue Agency is just one of countless organizations affected by the Heartbleed bug (photo by John Bristowe via Flickr)

Heartbleed: what the bug means for you

Canadians planning to file their taxes online today were able to postpone the dreaded task for a day, after the Canada Revenue Agency shut down its online services temporarily over security concerns raised by the discovery of a serious security flaw known as the Heartbleed bug.

If you've noticed a website switch from http to https, that was an indication the site was using a secure protocol. Most of the world's web servers – including those used by the Canada Revenue Agency – provide this protection using a software library called OpenSSL. This week, experts discovered a vulnerability in OpenSSL believed to have existed for years. Not a malicious virus, rather a flaw in the library, this bug known as Heartbleed now has organizations around the world working to secure their services.

Writer Jelena Damjanovic spoke to Seth Hardy, senior security researcher from the Citizen Lab at the University of Toronto’s Munk School of Global Affairs, about the threat posed by the bug and measures we can take for protection.

What is the Heartbleed bug?
Heartbleed is an implementation bug in OpenSSL, which is a cryptographic library used to secure the web, email, IM, and other services on the Internet. This is a major bug – it has been estimated by researchers at Codenomicon that OpenSSL runs on about two-thirds of the world's web servers.

Why should we be concerned about it?
The bug allows an attacker to read the memory of a server using a vulnerable version of OpenSSL. This may include usernames and passwords, other data being protected, or even the cryptographic keys that allow all secure data to that computer to be decrypted. Heartbleed is a particularly bad bug because it doesn't just allow an attacker to reveal the data being protected by OpenSSL, but potentially all data encrypted by that computer to any user.

It affects the web, email, chat programs, VPNs (virtual private networks), and other services as well. Many people are affected, especially because of the move to keep data in the cloud – more people are using online services, which are likely at risk from this.

Is there anything that can be done about it?
The bulk of the responsibility is on the system administrators running vulnerable servers – they have to upgrade OpenSSL to a fixed version and regenerate the cryptographic keys that may have been compromised.

While the fix may be a simple software patch, a lot of review and testing has to happen, especially for large services, before it can be rolled out. Cryptographic keys will need to be regenerated, which further complicates the matter. Patch adoption rate is never 100% immediately – this will still be a problem for a while to come.

People can check whether a site is fixed at http://filippo.io/Heartbleed/. Sites that are not fixed should not be used. If a user is concerned that they have submitted passwords to a vulnerable site, they can change the passwords they used on that site.

However, there's no point for a user to change their password until the bug is fixed, so they should do it immediately afterwards.

More information is available at http://heartbleed.com. (For details specific to U of T visit Information Technology Services.)
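The interview above describes the defect only in outline: a server handling a heartbeat message trusts the length the sender declares, and so copies memory beyond the message it actually received, which is why the fix is a length check and why keys that lived in that memory have to be regenerated. The following is an added illustration, not OpenSSL's code: it models the vulnerable and the corrected handler side by side over a single constructed array that stands in for server memory, with a simplified record layout (one type byte, a two-byte declared length, then the payload) and a constructed string in place of key material, all of which are assumptions of the example rather than details taken from the article.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not OpenSSL code. One contiguous array stands in for the
 * server's memory, so the unchecked copy stays inside a real allocation while
 * still reading past the end of the record that actually arrived. */
#define MEM_SIZE 64
#define REPLY_CAP 64

static unsigned char memory[MEM_SIZE];

/* Simplified record layout (assumed): [type][len_hi][len_lo][payload...].
 * record_len is how many bytes of the record were really received. */
static uint16_t declared_length(const unsigned char *rec) {
    return (uint16_t)((rec[1] << 8) | rec[2]);
}

/* Vulnerable pattern: echo back 'declared' bytes without comparing the
 * declared length against the bytes received. */
static size_t heartbeat_reply_unchecked(const unsigned char *rec, size_t record_len,
                                        unsigned char *reply, size_t reply_cap) {
    (void)record_len;  /* never consulted: this omission is the defect */
    uint16_t declared = declared_length(rec);
    if (declared > reply_cap) return 0;  /* guards the destination only */
    memcpy(reply, rec + 3, declared);    /* source runs past the record */
    return declared;
}

/* Corrected pattern: discard the request when the declared payload does not
 * fit inside the bytes actually received. */
static size_t heartbeat_reply_checked(const unsigned char *rec, size_t record_len,
                                      unsigned char *reply, size_t reply_cap) {
    if (record_len < 3) return 0;
    uint16_t declared = declared_length(rec);
    if ((size_t)declared + 3 > record_len) return 0;  /* the missing check */
    if (declared > reply_cap) return 0;
    memcpy(reply, rec + 3, declared);
    return declared;
}

/* Constructed stand-in for key material that happens to sit in memory
 * shortly after the received record. */
static const char SECRET[] = "constructed-private-key-bytes";

/* Place a constructed 5-byte request claiming a 48-byte payload at offset 0
 * and the secret at offset 16. Returns the number of bytes "received". */
static size_t setup_memory(void) {
    memset(memory, 0, sizeof memory);
    const unsigned char request[] = { 0x01, 0x00, 0x30, 'h', 'i' };  /* declared 0x0030 = 48, real payload 2 */
    memcpy(memory, request, sizeof request);
    memcpy(memory + 16, SECRET, sizeof SECRET - 1);
    return sizeof request;
}

/* Run one handler over the constructed memory and report whether the reply
 * contains the secret. Returns 1 if it leaked, 0 otherwise. */
static int reply_leaks_secret(int use_fix) {
    unsigned char reply[REPLY_CAP];
    memset(reply, 0, sizeof reply);
    size_t record_len = setup_memory();
    size_t n = use_fix
        ? heartbeat_reply_checked(memory, record_len, reply, sizeof reply)
        : heartbeat_reply_unchecked(memory, record_len, reply, sizeof reply);
    /* The copy starts at memory offset 3, so memory offset 16 is reply offset 13. */
    if (n >= 13 + (sizeof SECRET - 1) &&
        memcmp(reply + 13, SECRET, sizeof SECRET - 1) == 0)
        return 1;
    return 0;
}

/* The corrected handler still serves a well-formed request: a record whose
 * declared length matches its payload is echoed back. Returns bytes echoed. */
static size_t checked_accepts_valid_request(void) {
    const unsigned char good[] = { 0x01, 0x00, 0x02, 'h', 'i' };
    unsigned char out[8];
    return heartbeat_reply_checked(good, sizeof good, out, sizeof out);
}

int main(void) {
    printf("unchecked handler leaks secret: %d\n", reply_leaks_secret(0));
    printf("checked handler leaks secret:   %d\n", reply_leaks_secret(1));
    printf("checked handler echoes valid request of %zu bytes\n",
           checked_accepts_valid_request());
    return 0;
}
```

The point for defenders is the second half of the remediation the interview mentions: the bytes the unchecked handler returns are whatever happened to follow the record in memory, and nothing in the server's logs records what was sent back, so after patching there is no way to rule out that key material was exposed, which is why keys and certificates are regenerated rather than merely the software updated.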

———————————————————————————————————————————————

Still haven't filed your taxes? At three pm April 9, 2014, the website of Canada Revenue Agency was updated with the following statement:

The Canada Revenue Agency (CRA) places first priority on ensuring the confidentiality of taxpayer information.

After learning late yesterday afternoon about the Internet security vulnerability named the Heartbleed Bug that is affecting systems around the world, the CRA acted quickly, as a preventative measure, to temporarily shut down public access to our online services to safeguard the integrity of the information we hold. Applications affected include online services like EFILE, NETFILE, My Account, My Business Account and Represent a Client.

We are currently working on a remedy for restoring online services and, at this time, anticipate that services will resume over the weekend.

The CRA recognizes that this problem may represent a significant inconvenience for individual Canadians who count on the CRA for online information and services. Recognizing this, the Minister of National Revenue has confirmed that individual taxpayers will not be penalized for this service interruption.

We continue to investigate any potential impacts to taxpayer information, and to be fully engaged in resolving this matter and restoring online services as soon as possible in a manner that ensures the private information of Canadians remains safe and secure.

We will provide further information and daily updates at 3PM EDT on our home page.
