Canada Halts Online Tax Returns In Wake of Heartbleed
alphadogg (971356) writes "Canada Revenue Agency has halted online filing of tax returns by the country's citizens following the disclosure of the Heartbleed security vulnerability that rocked the Internet this week. The country's Minister of National Revenue wrote in a Twitter message on Wednesday that interest and penalties will not be applied to those filing 2013 tax returns after April 30, the last date for filing the returns, for a period equal to the length of the service disruption. The agency has suspended public access to its online services as a preventive measure to protect the information it holds, while it investigates the potential impact on taxpayer information, it said."
Honest? (Score:4, Insightful)
Is this the most honest response? The Canadian banks as a group say "our procedures mean we were never at risk".
http://www.cbc.ca/news/busines... [www.cbc.ca]
Who do you trust more to be truthful?
Is there any incentive for the banks to be honest about this?
Re: (Score:1)
Only OpenSSL is affected. Run the Heartbleed test against most Canadian banks; they are fine.
We have multiple HTTPS systems at work and only 1 of them was affected by this bug.
No need to have your tinfoil hat on if you test with http://filippo.io/Heartbleed
Re: (Score:1)
They probably just aren't running TLS 1.2. OpenSSL 0.9.8 isn't vulnerable.
Re:Honest? (Score:5, Informative)
Testing does back up the banks' claims. RBC, CIBC, TD, Scotia, BMO, CWB, PCF, Tangerine, all of them show as unaffected on Filippo's tester [filippo.io].
Re: (Score:2)
So my question is: Were the banks running older versions of OpenSSL that were unaffected, or did they patch the newest version of OpenSSL and renew their certs, or did they patch and not renew their certs?
Or there's a 4th option: they never used OpenSSL to start with. It's widely used, but it's hardly the only TLS implementation around.
Re: (Score:1)
Yes, Windows 95 is invulnerable to heartbleed when it is used as a server.
Re: (Score:2)
Because I was running Certificate Patrol, my browser had already saved the previous certificates from the bank websites and was in a position to automatically notify me if anything changes. (I've been seeing a lot of Certificate Patrol notifications recently across the web in general, right after this HeartBleed probl
Re: (Score:2)
Banks not lying? Wow, you really showed me. I should move all my banking to Canada, if I could.
And no, I am not being sarcastic. I am too used to my country's banks and their MO, so it's kinda shocking to know some banks operate with a minimum of honesty.
Re: (Score:3)
Or it could be that banks lie. A lot.
Tax filing (Score:2)
Can Canadians still file their returns by mail, or do they have to use the Internet?
Re: (Score:2)
It's specifically designed this way because it's much easier to take the money out of people's paycheques than to get them to send you a cheque at the end of the year.
The US withholding system was designed with this in mind. Also, perhaps just as important, it hides the true amount you are paying in taxes. You don't have to write a check for $12,000 so you're less likely to remember a month after you file that you actually did pay that much, but you'll remember you got $100 BACK! In my case I planned ahead to avoid a federal penalty for underpayment and wound up with a large "refund", which because I couldn't do the same for the state means I send them almost every penn
Re: (Score:2)
Actually, governments federal and provincial have streamlined a lot of the services they provide. In fact, in at least one case I can think of, major inefficiencies are starting to crop up because they've trimmed too much fat. Employment Insurance (including sick leave and parental leave), for example, takes a month or more to get not because of the process, but because they don't have enough operators answering the phones.
Re: (Score:1)
You make it sound like it wasn't planned that way. EI is a major profit center for the federal gov't [it is VERY cash positive].
Re: (Score:2)
Also can be phoned in.
No, Telefile was discontinued last year [cra-arc.gc.ca].
Re: (Score:2)
It's inconvenient to do it the old way these days... they don't even mail out the forms anymore, as far as I know, you have to go get one yourself if you want to do it that way.
But it's still definitely possible.
Re: (Score:2)
I'm pretty sure they are all downloadable and printable. And you might be able to get one from the post office? I can't remember them ever mailing them out preemptively. Now they have stopped mailing out the remittance stickers or forms or whatever they are, which makes it a lot harder to pay your taxes at the bank.
Re: (Score:2)
Once you Efile they stop sending forms to you.
I think now they've stopped sending them entirely.
Realistically there is free tax software, and Canadian taxes are pretty straightforward.
Ahahahahahah! I have an annotated 2010 Canadian Tax Act book weighing down my bookshelf that would beg to differ.
Re: (Score:2)
Ahahahahahah! I have an annotated 2010 Canadian Tax Act book weighing down my bookshelf that would beg to differ.
I'm guessing you've never had to file taxes in the US before, have you? Canadian taxes are pretty straightforward compared to the US, or even most European countries.
Re: (Score:2)
I'll concede the point on personal taxes, for the most simple solutions, but once you start adding in business income, corporate taxes, and the like, the complexity level goes way up. And if you happen to run a business in an HST jurisdiction? Forget about it. Many tax lawyers haven't yet figured that shit out.
Re: (Score:2)
Tax software can also just print off completed forms, which you can then mail. In fact there are certain cases where you can't netfile.
They don't mail out forms because it's a huge waste of money and paper to send forms to people that are using software.
Re: (Score:2)
On the
Re:Idiots. (Score:5, Insightful)
One minute to patch the bug. Two weeks to ensure that every computer system, every server, everything has been patched.
Re: (Score:2)
Less than a minute to patch.
Considerably longer to ensure that anything that might have been taken (like their certificates' private keys) is nullified.
Re:Idiots. (Score:5, Interesting)
Closing the door is easy. Taking inventory to figure out what was stolen takes a lot longer and could have major repercussions. If the thief made a copy of your keys, client data, or other sensitive information, you need to go through a lot more hassle. Suggesting this is a one-minute fix is horribly misguided, since applying the patch is merely the first step in a series of steps that are absolutely necessary to re-secure your system. Failing to do so would be like closing the door without changing the locks after having your keys copied.
For instance, after applying the patch, you then need to replace your private key since the old one could have been compromised. And doing that means that you need to update your certs as well, that way people have your public key. If you're being responsible, you'll also want to revoke user sessions and prompt your users to change their passwords so that intruders can't pose as them and gain access to private user information. The list of data that could have been compromised goes on and on, and doing a thorough investigation into exactly what data was accessible from a compromised system could take a while to accomplish and could mean having to go through a significantly more lengthy process to set everything right again.
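The ordering in the comment above (patch, then new key, then new cert, then sessions and passwords) can be checked per host. The sketch below is an added example, not part of the original thread; the host names, field names and dates are constructed for illustration.

```python
from datetime import datetime as dt

def remediation_gaps(host):
    """Return the steps from the comment above that are still open for one host."""
    patched = host.get("patched_at")
    if patched is None:
        # Later steps are void while the server can still leak memory.
        return ["apply the OpenSSL patch"]
    gaps = []
    new_key = host["key_created_at"] > patched
    if not new_key:
        gaps.append("generate a new private key")
    # A certificate reissued over the old key still vouches for a key that
    # may have been copied, so it only counts once a new key exists.
    if not new_key or host["cert_issued_at"] < host["key_created_at"]:
        gaps.append("reissue the certificate for the new key")
    revoked = host.get("sessions_revoked_at")
    if revoked is None or revoked < patched:
        gaps.append("revoke user sessions")
    if not host["password_change_prompted"]:
        gaps.append("prompt users to change passwords")
    return gaps

def report(inventory):
    """Map each host name to its list of outstanding steps."""
    return {name: remediation_gaps(h) for name, h in inventory.items()}

# Constructed inventory: hypothetical hosts, field names and dates.
PATCH_DAY = dt(2014, 4, 8)
INVENTORY = {
    "web-1": {"patched_at": None, "key_created_at": dt(2013, 6, 1),
              "cert_issued_at": dt(2013, 6, 2), "sessions_revoked_at": None,
              "password_change_prompted": False},
    "web-2": {"patched_at": PATCH_DAY, "key_created_at": dt(2013, 6, 1),
              "cert_issued_at": dt(2014, 4, 9),  # reissued over the old key
              "sessions_revoked_at": dt(2014, 4, 9),
              "password_change_prompted": True},
    "web-3": {"patched_at": PATCH_DAY, "key_created_at": dt(2014, 4, 9),
              "cert_issued_at": dt(2014, 4, 10),
              "sessions_revoked_at": dt(2014, 4, 7),  # revoked before the patch
              "password_change_prompted": False},
    "web-4": {"patched_at": PATCH_DAY, "key_created_at": dt(2014, 4, 9),
              "cert_issued_at": dt(2014, 4, 10),
              "sessions_revoked_at": dt(2014, 4, 10),
              "password_change_prompted": True},
}

if __name__ == "__main__":
    for name, gaps in report(INVENTORY).items():
        print(name, "->", gaps or "done")
```
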
Re: (Score:1)
Hey doofus, my crypto libraries on a Debian laptop and our server are patched already. How you doing with Windows? ASSHOLE
Very sensible (Score:3)
I thought about this last night, as I was working on my taxes. A lot of my tax information has moved on-line and so to complete my return I needed to log into bank, brokerage, mortgage lender and other web sites... sites I'd really prefer to avoid logging into right now until I'm sure they've been made safe. I did test each of them with a Heartbleed testing tool before logging in, but most people won't know to do that. I really wish the US had opted to move the filing date back a week or two.
Re: (Score:1)
After some tests I noticed that at least a few large banks, brokers, and other companies are blocking the Heartbleed test sites so if you use one of them you can't be sure.
Re: (Score:2)
Just because it's safe now doesn't mean they were safe a week ago. Presumably your data was there a week ago as well.
Whisper (Score:2)
Don't worry. You can't hear her anyway because she's going to whisper through the whole thing.
Re: (Score:2)
Obviously wrong thread.
All online filing or just web filing? (Score:2)
Would Heartbleed affect those who use a preparation software like TurboTax and then e-file directly through the program? Or does it only affect the people who are using the website to fill out the form?
When you E-File through TurboTax, no password is necessary, and no account is necessary. You do have to enter your bank account number if you want direct deposit, but that's it.
I'm not well-versed in sockets and layers and all that. My experience is in other areas. But I'd like to know, because I'm just a
As far as I'm concerned (Score:1)
CRA is looking pretty good on this one.
They acknowledged the problem and shut the system down to correct it. No hiding, no misdirection, no CYA. The problem wasn't created by them but they live with its consequences. They extended the deadline by the time taken to correct the problem. And they took action quickly and the correction timeline looks very reasonable to me.
I say good on the CRA, and that's not something you often hear about the tax man.