All federal government departments have been ordered to disable public websites that are susceptible to the Heartbleed bug until all security patches have been put in place and tested, the Treasury Board announced.

The directive, issued late Thursday, follows a decision by the Canada Revenue Agency to disable its public site, including the online tax filing service, until security can be assured.

The Heartbleed bug is a flaw in OpenSSL software commonly used online to ensure security and privacy. The bug can expose private information to hackers.

Canada’s Chief Information Officer issued the directive to all departments with sites running unpatched OpenSSL software.

“This action is being taken as a precautionary measure until the appropriate security patches are in place and tested,” said a Treasury Board statement.

“As a result, Canadians will be unable to access certain Government of Canada websites while measures are being applied.”

It is unclear how many government sites are affected by the directive.

The CRA shut down its online tax filing service and other portals Wednesday and said it hoped to be back to business as usual by the weekend.

In a statement Friday afternoon, the CRA said it continues to “anticipate a resumption of our e-services over the weekend.”

The agency said anyone prevented from filing a tax return on time due to the shutdown would not be hit with any penalties.

Meanwhile, the programmer who introduced the bug into OpenSSL denied that he did so deliberately.

German developer Robin Seggelmann told the Sydney Morning Herald that he had submitted a number of bug fixes and new features to the open-source encryption protocol more than two years ago.

“In one of the new features, unfortunately, I missed validating a variable containing a length,” Seggelmann said.

Another programmer who reviewed his work also missed the error, which made its way into the system.

Seggelmann said he understood why some would suspect that he had intentionally unleashed the bug.

“It was not intended at all, especially since I have previously fixed OpenSSL bugs myself, and was trying to contribute to the project,” he said.

Internet security analyst Geoffrey Vaughan said evidence has yet to surface that the bug has compromised any private data.

“But this hack doesn’t necessarily leave any trace, either,” Vaughan told CTV News Channel. “So there’s no evidence necessarily, but we need to proceed as if it has been compromised and take the steps to mitigate this risk going down the road.”

Vaughan said the government website shutdown “is a reasonable, measured response given the severity of the risk” from the bug, which could affect any system that includes encrypted data. This includes everything from emails to online banking.

Internet users should change their passwords now “to close the window on a potential hacker,” then again after the security patches are in place, which could be in about a month’s time.