CRA shuts online service to guard against Heartbleed bug

The Heartbleed security bug has forced Canada's tax agency to block public access to its online services just three weeks ahead of the April 30 deadline for filing personal income tax. The agency says it expects the online services to be restored by the weekend.

The Canada Revenue Agency's move came after private security researchers announced on Monday the discovery of Heartbleed, a massive Internet encryption flaw that exposed millions of passwords and had been undetected for more than two years.

The impact of the bug could soon lead to a much wider shutdown of federal government services. A government official told The Globe that other federal departments are deciding "on an urgent basis" whether they should follow the CRA in pulling their online options.

The official described the bug as one of the most serious security flaws uncovered in recent years and said Heartbleed has the capacity to reveal the sensitive contents of a server's memory.

The federal government is likely going through its inventory of servers to decide which websites need to be dealt with first, said cybersecurity expert Raymond Vankrimpen.

"They've obviously identified this CRA website as a critical one to take offline. But I have no doubt that there are other government websites that use SSL technology," said Mr. Vankrimpen, a partner at the financial advisory firm Richter.

"They're probably triaging everything."

WHAT IS HEARTBLEED?

The Heartbleed bug affects a common cryptographic program called OpenSSL, and specifically how OpenSSL handles a communication protocol extension called the heartbeat, defined in RFC 6520.

Such "heartbeats" help a remote user remain in touch after connecting with a website server, Mr. Vankrimpen said.

Because of a coding flaw, a small chunk of the server's memory content, about 64 kilobytes of memory, can leak out with each heartbeat.

While 64 kilobytes doesn't represent a large amount of memory content, it is large enough to hold a password or an encryption key, allowing an unscrupulous user to return to exploit the server further.

"Once you have the encryption key, then you have the keys to the kingdom," Mr. Vankrimpen said.

Servers at the CRA run on a common hosting software called Apache, which uses OpenSSL, though it is not known if they rely on the RFC 6520 heartbeat.
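The coding flaw described above was a missing length check: the server echoed back as many bytes as the heartbeat request claimed to contain, without comparing that claim to the bytes actually received. The C sketch below is an added example, not code from this article or from OpenSSL, showing the check a receiver needs under RFC 6520; the function names and the sample "ping!" request are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_HDR = 3, HB_MIN_PAD = 16 };

/* Build a heartbeat response for the received record `rec` (`rec_len` bytes).
 * Returns bytes written to `out`, or 0 when the message is silently discarded. */
size_t hb_respond(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HDR + HB_MIN_PAD || rec[0] != HB_REQUEST)
        return 0;
    /* Length field is sender-controlled: any value from 0 to 65535. */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    /* The essential check: header + claimed payload + minimum padding must fit
     * in the bytes actually received. Without it, the memcpy below would read
     * past the record into whatever memory sits next to it. */
    if (HB_HDR + claimed + HB_MIN_PAD > rec_len)
        return 0;
    size_t total = HB_HDR + claimed + HB_MIN_PAD;
    if (total > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, claimed);
    memset(out + HB_HDR + claimed, 0, HB_MIN_PAD); /* real stacks use random padding */
    return total;
}

/* Constructed sample: 5-byte payload "ping!" followed by 16 padding bytes. */
static size_t run_sample(uint16_t claimed_len)
{
    uint8_t rec[HB_HDR + 5 + HB_MIN_PAD] = { HB_REQUEST };
    uint8_t out[HB_HDR + 65535 + HB_MIN_PAD];
    rec[1] = (uint8_t)(claimed_len >> 8);
    rec[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(rec + HB_HDR, "ping!", 5);
    return hb_respond(rec, sizeof rec, out, sizeof out);
}

size_t hb_demo_honest(void)    { return run_sample(5); }      /* length matches payload */
size_t hb_demo_overclaim(void) { return run_sample(0x4000); } /* claims 16 KB, sent 5 bytes */

int main(void)
{
    printf("honest request    -> %zu byte response\n", hb_demo_honest());
    printf("over-claimed size -> %zu (discarded)\n", hb_demo_overclaim());
    return 0;
}
```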

ANXIETY IN ONTARIO

The Ontario Ministry of Transportation, which keeps records of personal information through drivers' licences and vehicle registrations, also appears to run its website with Apache.

Ontario Transportation Minister Glen Murray said he will meet with top ministry officials Wednesday afternoon to determine if the database of licence information is vulnerable to Heartbleed.

The drivers' licence database is already in the middle of an upgrade because some of the software is out of date, Mr. Murray said.

HOW IS THE CRA AFFECTED?

The CRA temporarily shut down public access to its online services late Tuesday evening and issued a public notice on its website Wednesday morning. The notice said that affected online services include EFILE, NETFILE and My Account, which taxpayers would normally use to access their account to track their refund or check their RRSP limit.

The shutdown also affects business accounts.

While promising to resume the online services as soon as possible, the CRA said that it would give consideration to taxpayers who are unable to meet filing deadlines.

The shutdown will not affect appointments at the more than 1,000 Canadian offices of H&R Block, a leading tax preparer, according to the company's senior tax analyst, Cleo Hamel.

Hamel said tax returns will be prepared and then filed later when the electronic filing option is back online. If the shutdown turns out to be prolonged, other options would be used.

"If we have to print them all off and take them into the CRA ourselves, we'll do that," she said. "I would anticipate within a couple of days or less this will get rectified."

Hamel noted that the CRA had a temporary shutdown during tax time in 2008 and it did not cause major problems.