CRA reopens website after shutdown linked to 'Heartbleed' bug
Published Sunday, April 13, 2014 3:23PM EDT
Last Updated Sunday, April 13, 2014 7:53PM EDT
The Canada Revenue Agency has reopened the services section of its website after security concerns linked to the "Heartbleed" bug prompted a four-day long closure.
In a statement posted to its website Sunday afternoon, the agency said that full access to the services site had been restored.
"The Canada Revenue Agency (CRA) is pleased to report that all of its online systems have been restored to full service as of April 13, 2014," the statement said. "Individuals, businesses and representatives are now able to file returns, make payments, and access all other e-services available through the CRA’s website, including all our secure portals."
The agency closed the website last Wednesday over concerns linked to the massive "Heartbleed" bug. The services site is where Canadians can file their taxes online, as well as access such online services as EFILE, NETFILE, My Account, My Business Account and Represent a Client.
During the closure, the agency said Canadians would be given an extension to file their taxes equal to the number of days the site was down, meaning they now have until May 5 to submit claims.
Revenue Minister Kerry-Lynne Findlay said in the statement Sunday that interest and penalties will not be applied to individuals who file their returns after the April 30 deadline, up until May 5.
Findlay told reporters last week that the shutdown was a "precautionary measure," taken after the CRA was notified of "systems vulnerabilities."
In Sunday's statement CRA said its team worked "around the clock" with Shared Services Canada to apply a patch to address the vulnerability. It added that the patch had been "rigorously and successfully" tested on all of the agency's systems.
CRA Commissioner Andrew Treusch apologized for the inconvenience the closure had caused.
"We apologize for the delay and inconvenience it has caused to Canadians," he said in the statement. "That said, the delay was necessary. We could not allow these systems back online until we were fully confident they were safe and secure for Canadian taxpayers."
The CRA website was just one of many that were affected by Heartbleed. On Thursday, all federal government departments were ordered to disable public websites susceptible to the bug until all security updates had been put in place and tested.
The bug was disclosed early last week after researchers from security firm Codenomicon and Google discovered it.
The bug affects OpenSSL, one of the most widely used encryption software programs in the world. According to Codenomicon, OpenSSL is used by nearly two-thirds of all web servers.
The flaw allows the contents of servers using OpenSSL to be viewed, leaving sensitive data including millions of passwords and credit card numbers vulnerable to theft.
Kevin Haley, director of security response at Symantec, said it was “rather ironic” that OpenSSL was designed to help protect such information.
“So this hole allowed hackers to get the very thing it was trying to protect. Now that the hole’s closed, it’s safe, it’s not going to give up that information,” Haley told CTV News Channel.
According to researchers, the flaw went unnoticed for two years and attackers can exploit the flaw without leaving any trace of their presence.
A fix for the bug went out last week, and analysts suggest that users change their online IDs and passwords once a company has installed the fix.
“To be safe, you need to change your password,” said Haley. “This is good practice at any time, but now we’ve got a really good reason to change our passwords.”