Ottawa orders sites vulnerable to Heartbleed shut

Saying it is acting out of caution, the federal government is disabling all public Web sites that are running unpatched versions of the flawed OpenSSL software.

The decision was made late Thursday, two days after Revenue Canada shut a site that accepts online tax returns because affected versions of the cryptographic library can let attackers read data stored in server memory.

The directive came from CIO Corinne Charette and went to all federal departments. “This action is being taken as a precautionary measure until the appropriate security patches are in place and tested,” said a statement from Treasury Board.

It didn’t list which sites are affected. However, sites that merely offer information aren’t affected. Buyandsell.gc.ca, the Public Works Web site that lists tenders, is online.

“We understand that this will be disruptive, but, under the circumstances, this is the best course of action to protect the privacy of Canadians,” said the statement.

There is nothing in the statement to indicate the government has found that the hole in the software has been exploited, but experts say that because of the nature of the vulnerability it’s unlikely there will be evidence.

According to digital certificate issuer Comodo this Heartbleed issue is only a concern on servers with OpenSSL 1.0.1 through 1.0.1f and OpenSSL 1.0.2-beta. All other SSL implementations and digital certificate users are unaffected, including all users of Microsoft’s IIS web server.

To test a Web site go here.

Solutions include upgrading to the latest version of OpenSSL (1.0.1g). If you can’t get it, either roll back to OpenSSL version 1.0.0 or earlier or recompile OpenSSL with the OPENSSL_NO_HEARTBEATS flag.

Organizations will then have to install a new digital certificate and revoke previous certificates.

Users then have to reset their passwords.
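The affected-version range above (1.0.1 through 1.0.1f, plus the 1.0.2 betas) and the OPENSSL_NO_HEARTBEATS workaround can be turned into a quick inventory check for an administrator who has to decide which servers to take offline. The following is an added example written for this article, not code from the article, Comodo or the OpenSSL project. It parses the banner printed by `openssl version` and the compiler flags printed by `openssl version -a`; the sample banners are constructed, and the assumption that a build configured without heartbeats shows `-DOPENSSL_NO_HEARTBEATS` in that output is the author's, not a claim from the article.

```python
import re

# Versions the article (citing Comodo) names as affected: OpenSSL 1.0.1 through
# 1.0.1f and the 1.0.2-beta series. 1.0.1g is the fixed release.
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(-beta\d*)?", re.I)


def parse_openssl_version(banner: str):
    """Parse an `openssl version` banner into (major, minor, patch, letter, beta)."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"not an OpenSSL version banner: {banner!r}")
    major, minor, patch, letter, beta = m.groups()
    return int(major), int(minor), int(patch), (letter or "").lower(), beta or ""


def heartbleed_affected(banner: str, compiled_without_heartbeats: bool = False) -> bool:
    """True if the banner falls in the affected range and heartbeats were not compiled out.

    Caveat: distributions that backport fixes keep the old version letter, so a
    banner-only check can report a patched package as affected. Treat a True
    here as "verify against the vendor's advisory", not as proof of exposure.
    """
    major, minor, patch, letter, beta = parse_openssl_version(banner)
    if compiled_without_heartbeats:
        # Built with OPENSSL_NO_HEARTBEATS: the TLS heartbeat code is not present at all.
        return False
    if (major, minor, patch) == (1, 0, 1):
        # "" (bare 1.0.1) sorts before "a", so 1.0.1 .. 1.0.1f are affected; 1.0.1g+ are fixed.
        return letter <= "f"
    if (major, minor, patch) == (1, 0, 2):
        # Only beta releases of 1.0.2 existed at the time, and they were affected.
        return beta != ""
    # 1.0.0 and earlier (and 0.9.8) never contained the heartbeat extension.
    return False


def built_without_heartbeats(version_a_output: str) -> bool:
    """Assumption: `openssl version -a` echoes the build's compiler flags, so a build
    configured with no-heartbeats shows -DOPENSSL_NO_HEARTBEATS on its 'compiler:' line."""
    for line in version_a_output.splitlines():
        if line.strip().lower().startswith("compiler:") and "-DOPENSSL_NO_HEARTBEATS" in line:
            return True
    return False


# Constructed sample banners (not taken from any real host).
SAMPLE_BANNERS = {
    "web-1": "OpenSSL 1.0.1e 11 Feb 2013",
    "web-2": "OpenSSL 1.0.1g 7 Apr 2014",
    "web-3": "OpenSSL 1.0.2-beta1 24 Feb 2014",
    "web-4": "OpenSSL 1.0.0l 6 Jan 2014",
}

# Constructed `openssl version -a` output for a build recompiled with no-heartbeats.
SAMPLE_VERSION_A = """OpenSSL 1.0.1e 11 Feb 2013
built on: Thu Apr 10 2014
platform: linux-x86_64
options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_NO_HEARTBEATS -O3 -Wall
"""


def triage(banners: dict) -> dict:
    """Map host name -> 'take offline' or 'ok' from its version banner alone."""
    return {host: ("take offline" if heartbleed_affected(b) else "ok") for host, b in banners.items()}


if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_BANNERS).items():
        print(f"{host}: {SAMPLE_BANNERS[host]} -> {verdict}")
    print("web-1 rebuilt without heartbeats:", built_without_heartbeats(SAMPLE_VERSION_A))
```

A host that comes back "take offline" then goes through the rest of the steps the article lists: upgrade (or rebuild without heartbeats), install a new certificate and revoke the old one, and have users reset passwords, since anything that sat in process memory before the patch has to be assumed exposed.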

Meanwhile an Australian newspaper has interviewed a German software developer who is taking the blame for the fault in the code. “I was working on improving OpenSSL and submitted numerous bug fixes and added new features,” Robin Seggelmann told the publication. “In one of the new features, unfortunately, I missed validating a variable containing a length.”

Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com