Slashdot Mirror


Canada Halts Online Tax Returns In Wake of Heartbleed

alphadogg (971356) writes "Canada Revenue Agency has halted online filing of tax returns by the country's citizens following the disclosure of the Heartbleed security vulnerability that rocked the Internet this week. The country's Minister of National Revenue wrote in a Twitter message on Wednesday that interest and penalties will not be applied to those filing 2013 tax returns after April 30, the last date for filing the returns, for a period equal to the length of the service disruption. The agency has suspended public access to its online services as a preventive measure to protect the information it holds, while it investigates the potential impact on taxpayer information, it said."

50 comments

  1. Honest? by RichMan · · Score: 3, Insightful

    Is this the most honest response? The Canadian banks as a group say "our procedures mean we were never at risk".
    http://www.cbc.ca/news/busines...
    Who do you trust more to be truthful?

    Is there any incentive for the banks to be honest about this?

    1. Re:Honest? by Anonymous Coward · · Score: 1

      Only OpenSSL is affected. Run the Heartbleed test against most Canadian banks; they are fine.

      We have multiple HTTPS systems at work and only 1 of them was affected by this bug.
      No need to have your tinfoil hat on if you test with http://filippo.io/Heartbleed

    2. Re:Honest? by Anonymous Coward · · Score: 1

      They probably just aren't running TLS 1.2. Openssl 0.9.8 isn't vulnerable.

    3. Re:Honest? by compro01 · · Score: 5, Informative

      Testing does back up the bank's claims. RBC, CIBC, TD, Scotia, BMO, CWB, PCF, Tangerine, all of them show as unaffected on Filippo's tester.

      --
      upon the advice of my lawyer, i have no sig at this time
    4. Re:Honest? by Anonymous Coward · · Score: 0

      But that test doesn't account for the certificate renewals:

      ----

      Shouldn't you tell me also if the server changed their cert?
      That's true. Unfortunately, there is no real way to check if a certificate has been re-keyed (a certificate can be re-keyed without dates being updated, and many CAs are doing this).

      Moreover, the security risk of a patched server with an old cert is way lower; an attacker would need to be intercepting your traffic to take advantage of this. So I feel that the priority now is getting users to change passwords that might have been leaked to the world, not to a really skilled roommate, their malicious ISP or the NSA (these 3 being the few that can probably MiTM you).

      ----

      So my question is: Were the banks running older versions of OpenSSL that were unaffected, or did they patch the newest version of OpenSSL and renew their certs, or did they patch and not renew their certs?

    5. Re:Honest? by Windwraith · · Score: 2

      Or it could be that banks lie. A lot.

    6. Re:Honest? by compro01 · · Score: 1

      > So my question is: Were the banks running older versions of OpenSSL that were unaffected, or did they patch the newest version of OpenSSL and renew their certs, or did they patch and not renew their certs?

      Or there's a 4th option: They never used OpenSSL to start with. It's widely used, but it's hardly the only TLS implementation around.

      --
      upon the advice of my lawyer, i have no sig at this time
    7. Re:Honest? by Windwraith · · Score: 1

      Banks not lying? Wow, you really showed me. I should move all my banking to Canada, if I could.

      And no, I am not being sarcastic. I am too used to my country's banks and their MO, so it's kinda shocking to know some banks operate with a minimum of honesty.

    8. Re:Honest? by davester666 · · Score: 1

      Yes, Windows 95 is invulnerable to heartbleed when it is used as a server.

      --
      Sleep your way to a whiter smile...date a dentist!
    9. Re:Honest? by Jucius+Maximus · · Score: 1

      This is a good Use Case for why Certificate Patrol can be invaluable. It stores certificates and notifies you when they change, and whether that change would be expected or maybe suspicious.

      Because I was running Certificate Patrol, my browser had already saved the previous certificates from the bank websites and was in a position to automatically notify me if anything changes. (I've been seeing a lot of Certificate Patrol notifications recently across the web in general, right after this HeartBleed problem came out.)

      As for the Canadian Banks, I can say that I saw no Certificate Fingerprint change in TD, RBC and Tangerine. But PC Financial had changed their certificate very recently. I don't use BMO or Scotia so I can't comment on those ones.
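      The kind of pinned-fingerprint check described above, as an added example that is not part of the original post or of the Certificate Patrol extension: it keeps a per-host record of the last certificate seen and labels a change as expected or suspicious. The DER byte strings, dates, issuer names and the renewal-window heuristic are all constructed assumptions for the example.

```python
import hashlib
from datetime import date, timedelta

# Constructed stand-ins for the DER bytes of two leaf certificates; only their
# SHA-256 fingerprint matters to this check, so real ASN.1 is not needed.
OLD_CERT = b"constructed DER for bank.example, serial 1"
NEW_CERT = b"constructed DER for bank.example, serial 2"


def make_record(der: bytes, not_before: date, not_after: date, issuer: str) -> dict:
    """Build the record pinned for a host after a successful connection."""
    return {
        "fingerprint": hashlib.sha256(der).hexdigest(),
        "not_before": not_before.isoformat(),
        "not_after": not_after.isoformat(),
        "issuer": issuer,
    }


def classify_change(stored: dict, seen: dict, today: date, window_days: int = 30) -> str:
    """Compare the pinned record with the certificate seen now.

    Heuristic (an assumption of this example, not Certificate Patrol's own logic):
      - same fingerprint: nothing changed
      - issuer changed: suspicious, verify out of band
      - old cert still had more than `window_days` of life: suspicious, it was
        re-keyed early (a Heartbleed re-key is one benign explanation, but the
        site should have announced it)
      - old cert was inside its renewal window or expired: expected renewal
    """
    if stored["fingerprint"] == seen["fingerprint"]:
        return "unchanged"
    if stored["issuer"] != seen["issuer"]:
        return "suspicious: issuer changed"
    remaining = date.fromisoformat(stored["not_after"]) - today
    if remaining <= timedelta(days=window_days):
        return "expected: renewal near expiry"
    return "suspicious: re-keyed with %d days of validity left" % remaining.days


class PinStore:
    """In-memory pin store keyed by host; a real tool would persist it to disk."""

    def __init__(self) -> None:
        self.pins: dict = {}

    def check(self, host: str, seen: dict, today: date) -> str:
        stored = self.pins.get(host)
        self.pins[host] = seen  # always remember the latest certificate
        if stored is None:
            return "first sighting: pinned"
        return classify_change(stored, seen, today)


if __name__ == "__main__":
    store = PinStore()
    old = make_record(OLD_CERT, date(2013, 5, 1), date(2014, 5, 1), "Example CA")
    new = make_record(NEW_CERT, date(2014, 4, 9), date(2015, 4, 9), "Example CA")
    print(store.check("bank.example", old, date(2014, 4, 10)))
    print(store.check("bank.example", new, date(2014, 4, 10)))
```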

    10. Re:Honest? by Anonymous Coward · · Score: 0

      TD was vulnerable as late as yesterday morning, and they haven't changed their certificates yet. There's a reason their generic notice in response to this is really vague.

  2. Tax filing by rossdee · · Score: 1

    Can Canadians still file their returns by mail, or do they have to use the Internet?

    1. Re:Tax filing by Frederic54 · · Score: 1

      We can do it the old way by mailing paper, yes. I filed my first one in 1997 via paper, and since 1998 I do it online :)

      --
      "Science will win because it works." - Stephen Hawking
    2. Re:Tax filing by rmdingler · · Score: 2

      The one thing government has streamlined is the tax collection process.

      --
      Happiness in intelligent people is the rarest thing I know.

      Ernest Hemingway

    3. Re:Tax filing by mark-t · · Score: 1

      It's inconvenient to do it the old way these days... they don't even mail out the forms anymore, as far as I know, you have to go get one yourself if you want to do it that way.

      But it's still definitely possible.

    4. Re:Tax filing by Anonymous Coward · · Score: 0

      Also can be phoned in.

    5. Re:Tax filing by Stewie241 · · Score: 1

      I'm pretty sure they are all downloadable and printable. And you might be able to get one from the post office? I can't remember them ever mailing them out preemptively. Now they have stopped mailing out the remittance stickers or forms or whatever they are, which makes it a lot harder to pay your taxes at the bank.

    6. Re:Tax filing by Michalson · · Score: 1

      Canadians can still file by mail just fine. The difference is in timing - if you file by mail it will take the longest to get a refund if you had one coming. If you file online you'll get it faster, and if you file it online and have signed up for direct deposit they have/had an advertised time of 8 days between filing and getting your refund deposited. Basically the less manual paper stuff that has to be processed and shuffled around, the faster the Canadian Revenue Agency will process your return.

      On the other hand businesses are in a different boat - there are still some small businesses that can file by mail but most organized entities must file at least some of their tax forms like the HST (sales tax collected) electronically. If you can hire an accountant to submit an inch thick tax return just to get out of a few more dollars in taxes then you can afford to fill it out and submit it electronically instead of other taxpayers footing the bill for all the manual entry.

    7. Re:Tax filing by Anonymous Coward · · Score: 0

      Once you Efile they stop sending forms to you.

      I think now they've stopped sending them entirely.

      Realistically there is free tax software, and Canadian taxes are pretty straightforward.

    8. Re:Tax filing by Tridus · · Score: 1

      Tax software can also just print off completed forms, which you can then mail. In fact there are certain cases where you can't netfile.

      They don't mail out forms because it's a huge waste of money and paper to send forms to people that are using software.

      --
      "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
    9. Re:Tax filing by CastrTroy · · Score: 1

      Most Canadians I know end up getting money back at the end of the year. It's specifically designed this way because it's much easier to take the money out of people's paycheques than to get them to send you a cheque at the end of the year.

      --
      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    10. Re:Tax filing by Walking+The+Walk · · Score: 1

      > Also can be phoned in.

      No, Telefile was discontinued last year.

      --
      A recursive sig
      Can impart wisdom and truth
      Call proc signature()
    11. Re:Tax filing by m.ducharme · · Score: 1

      > Once you Efile they stop sending forms to you.
      >
      > I think now they've stopped sending them entirely.
      >
      > Realistically there is free tax software, and Canadian taxes are pretty straightforward.

      Ahahahahahah! I have an annotated 2010 Canadian Tax Act book weighing down my bookshelf that would beg to differ.

      --
      Rule of Slashdot #0: You and people like you are not representative of the larger population. - A.C.
    12. Re:Tax filing by m.ducharme · · Score: 1

      Actually, governments federal and provincial have streamlined a lot of the services they provide. In fact, in at least one case I can think of, major inefficiencies are starting to crop up because they've trimmed too much fat. Employment Insurance (including sick leave and parental leave), for example, takes a month or more to get not because of the process, but because they don't have enough operators answering the phones.

      --
      Rule of Slashdot #0: You and people like you are not representative of the larger population. - A.C.
    13. Re:Tax filing by Obfuscant · · Score: 1

      > It's specifically designed this way because it's much easier to take the money out of people's paycheques than to get them to send you a cheque at the end of the year.

      The US withholding system was designed with this in mind. Also, perhaps just as important, it hides the true amount you are paying in taxes. You don't have to write a check for $12,000 so you're less likely to remember a month after you file that you actually did pay that much, but you'll remember you got $100 BACK! In my case I planned ahead to avoid a federal penalty for underpayment and wound up with a large "refund", which because I couldn't do the same for the state means I send them almost every penny of the refund (with a $3 interest penalty). WOOT! WooT! I'm not going to Disneyland!

      In our community, perhaps the worst decision ever for government was to make the due dates for property taxes just a week after the general election. That means that any tax levies that are on the general election ballot show up in the mail just about the same time as the property tax bill. I like the fact that the local government is saying "we want more of your money, and by the way, here's how much we're already sucking out of your pocket...". I expect someone will figure it out and move the due dates for property taxes back a month sometime soon.

    14. Re:Tax filing by davester666 · · Score: 1

      you make it sound like that it wasn't planned that way. EI is a major profit center for the federal gov't [it is VERY cash positive].

      --
      Sleep your way to a whiter smile...date a dentist!
    15. Re:Tax filing by Mashiki · · Score: 1

      > Ahahahahahah! I have an annotated 2010 Canadian Tax Act book weighing down my bookshelf that would beg to differ.

      I'm guessing you've never had to file taxes in the US before have you? Canadian taxes are pretty straightforward compared to the US, or even most European countries.

      --
      Om, nomnomnom...
    16. Re:Tax filing by m.ducharme · · Score: 1

      I'll concede the point on personal taxes, for the most simple solutions, but once you start adding in business income, corporate taxes, and the like, the complexity level goes way up. And if you happen to run a business in an HST jurisdiction? Forget about it. Many tax lawyers haven't yet figured that shit out.

      --
      Rule of Slashdot #0: You and people like you are not representative of the larger population. - A.C.
  3. Idiots. by Anonymous Coward · · Score: 0

    It takes less than a minute to patch this bug on an individual system, that is if they are even vulnerable.

    If it is multiple machines, again, less than a minute if you are managing them properly.

    Absolutely ridiculous.

    1. Re:Idiots. by Russ1642 · · Score: 5, Insightful

      One minute to patch the bug. Two weeks to ensure that every computer system, every server, everything has been patched.

    2. Re:Idiots. by Anonymous Coward · · Score: 0

      You have to patch every server at every level. If you're going to assume a compromise has happened you'd have to look at any certs on the system, passwords, keys, other sensitive data, etc. Leave the real work to the Sys Admins and leave your armchair ad-hominems at the door.

    3. Re:Idiots. by compro01 · · Score: 1

      Less than a minute to patch.

      Considerably longer to ensure that anything that might have been taken (like their certificates' private keys) is nullified.

      --
      upon the advice of my lawyer, i have no sig at this time
    4. Re:Idiots. by Anubis+IV · · Score: 4, Interesting

      Closing the door is easy. Taking inventory to figure out what was stolen takes a lot longer and could have major repercussions. If the thief made a copy of your keys, client data, or other sensitive information, you need to go through a lot more hassle. Suggesting this is a one-minute fix is horribly misguided, since applying the patch is merely the first step in a series of steps that are absolutely necessary to re-secure your system. Failing to do so would be like closing the door without changing the locks after having your keys copied.

      For instance, after applying the patch, you then need to replace your private key since the old one could have been compromised. And doing that means that you need to update your certs as well, that way people have your public key. If you're being responsible, you'll also want to revoke user sessions and prompt your users to change their passwords so that intruders can't pose as them and gain access to private user information. The list of data that could have been compromised goes on and on, and doing a thorough investigation into exactly what data was accessible from a compromised system could take awhile to accomplish and could mean having to go through a significantly more lengthy process to set everything right again.

  4. Open SORES proves its worth by Anonymous Coward · · Score: 0

    As insecure shit despite years of /. b.s.!

    1. Re:Open SORES proves its worth by deviated_prevert · · Score: 1

      Hey doofus, my crypto libraries on a Debian laptop and our server are patched already. How you doing with Windows? ASSHOLE

      --
      This message was not sent from an iPhone because Peter Sellers really was a deviated prevert without a dime for the call
  5. Very sensible by swillden · · Score: 2

    I thought about this last night, as I was working on my taxes. A lot of my tax information has moved on-line and so to complete my return I needed to log into bank, brokerage, mortgage lender and other web sites... sites I'd really prefer to avoid logging into right now until I'm sure they've been made safe. I did test each of them with a Heartbleed testing tool before logging in, but most people won't know to do that. I really wish the US had opted to move the filing date back a week or two.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    1. Re:Very sensible by Anonymous Coward · · Score: 1

      After some tests I noticed that at least a few large banks, brokers, and other companies are blocking the heartbleed test sites so if you use one of them you can't be sure.

    2. Re:Very sensible by HungWeiLo · · Score: 1

      Just because it's safe now doesn't mean they were safe a week ago. Presumably your data was there a week ago as well.

      --
      There are a huge number of yeast infections in this county. Probably because we're downriver from the bread factory.
    3. Re:Very sensible by swillden · · Score: 1

      My data was, yes, but if I hadn't logged in it's vanishingly unlikely that my data was in the process space to be harvested. Heartbleed doesn't provide the attacker with a route to start reading databases used by web apps.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    4. Re:Very sensible by Anonymous Coward · · Score: 0

      > Heartbleed doesn't provide the attacker with a route to start reading databases used by web apps.

      Uh, yes it does. If the DB is on the affected server then it'll be loading pages into process space which will hold data from nearby the queries of interest, and your data could well be in there.

  6. Whisper by Russ1642 · · Score: 1

    Don't worry. You can't hear her anyway because she's going to whisper through the whole thing.

    1. Re:Whisper by Russ1642 · · Score: 1

      Obviously wrong thread.

  7. All online filing or just web filing? by PopeRatzo · · Score: 1

    Would Heartbleed affect those who use a preparation software like TurboTax and then e-file directly through the program? Or does it only affect the people who are using the website to fill out the form?

    When you E-File through TurboTax, no password is necessary, and no account is necessary. You do have to enter your bank account number if you want direct deposit, but that's it.

    I'm not well-versed in sockets and layers and all that. My experience is in other areas. But I'd like to know, because I'm just about to file. I'd like to e-file with direct deposit because that means I'll get my refund in just a little over a week and can build my new PC in time to play Watch Dogs.

    --
    You are welcome on my lawn.
    1. Re:All online filing or just web filing? by KenAndCorey · · Score: 2

      In both the desktop and web version of TurboTax, you still download a ".tax" file that you then have to log into the government site and upload (known as Netfile). You do not file directly using the TurboTax software. So this will block both desktop and web-based TurboTax users. The only information required to access NETFILE is your Date of Birth and your Social Insurance Number. But you probably don't want people to get hold of that information either. Or your bank account if it is included in the file you are uploading.

    2. Re:All online filing or just web filing? by KenAndCorey · · Score: 1

      My mistake. It turns out that the online version now allows you to submit directly, without the need for an intermediate file. I believe both were offline, but of course both are online now.

  8. As far as I'm concerned by Anonymous Coward · · Score: 1

    CRA is looking pretty good on this one.

    They acknowledged the problem and shut the system down to correct it. No hiding, no misdirection, no CYA. The problem wasn't created by them but they live with its consequences. They extended the deadline by the time taken to correct the problem. And they took action quickly and the correction timeline looks very reasonable to me.

    I say good on the CRA, and that's not something you often hear about the tax man.