Saying it is acting out of caution, the federal government is disabling all public Web sites that are running unpatched versions of the damaged OpenSSL software.
The decision was made late Thursday, two days after Revenue Canada shut a site that accepts online tax returns because versions of the cryptographic libraries can allow attackers to access data stored in memory.
The directive came from CIO Corinne Charette and went to all federal departments. “This action is being taken as a precautionary measure until the appropriate security patches are in place and tested,” said a statement from Treasury Board.
It didn’t list which sites are affected. However, sites that merely offer information aren’t affected. Buyandsell.gc.ca, the Public Works Web site that lists tenders, is online.
“We understand that this will be disruptive, but, under the circumstances, this is the best course of action to protect the privacy of Canadians,” said the statement.
There is nothing in the statement to indicate the government has found the hole in the software code has been exploited, but experts say because of the nature of the vulnerability it’s unlikely there will be evidence.
According to digital certificate issuer Comodo this Heartbleed issue is only a concern on servers with OpenSSL 1.0.1 through 1.0.1f and OpenSSL 1.0.2-beta. All other SSL implementations and digital certificate users are unaffected, including all users of Microsoft’s IIS web server.
Solutions include upagrading to the latest version of OpenSSL (1.0.1g). If you can’t get it, either roll back to OpenSSL version 1.0.0 or earlier or recompile OpenSSL with the OPENSSL_NO_HEARTBEATS flag.
Organizations will then have to install a new digital certificate and revoke previous certificates.
Users then have to reset their passwords.
Meanwhile an Australian newspaper has interviewed a German software developer who is taking the blame for the fault in the code. “I was working on improving OpenSSL and submitted numerous bug fixes and added new features,” Robin Seggelmann told the publication. “In one of the new features, unfortunately, I missed validating a variable containing a length. ”