OP
@ckaiserca avatar
UTC

Molto Verboso
2013 GTV 300 ie "Victoria" Concept 2 Model D "River of Pain"
Joined: UTC
Posts: 1383
Location: Aurora, Ontario Canada
 
If you live in Canada and are thinking of filing your taxes online in the next few days, you can forget it.

The CRA has announced that all of its online services have been shut down due to the Heartbleed Bug.

Be aware of this bug. It apparently affects at least 66% of all websites on the Internet! Changing your passwords may not be enough to protect you.

Here is some information on what you can do to protect yourself.
@benito avatar
UTC

Moderator
2010 Dragon Red GTS 300 Super, 2018 Grigio Titanio Piaggio Liberty S 150
Joined: UTC
Posts: 16296
Location: Toronto, Canada, Fort Lauderdale, Florida
 
Fortunately the CRA has said that they would not penalize anyone who was late in filing their taxes because of the closure of the CRA website. This would have to happen the one year that I am getting a refund.
@crazyinnyc avatar
UTC

Addicted
07 GTS, 07 Stella
Joined: UTC
Posts: 768
Location: New York
 
I prefer to just keep my head in the sand. Chances are I'm already screwed and there is nothing I can even do about it right now. Eh.
@jimc avatar
UTC

Moderaptor
The Hornet (GT200, aka Love Bug) and 'Dimples' - a GTS 300
Joined: UTC
Posts: 44701
Location: Pleasant Hill, CA
 
Do you trust your browser anyway?

https://revoked.grc.com/
OP
@ckaiserca avatar
UTC

Molto Verboso
2013 GTV 300 ie "Victoria" Concept 2 Model D "River of Pain"
Joined: UTC
Posts: 1383
Location: Aurora, Ontario Canada
 
jimc wrote:
Do you trust your browser anyway?

https://revoked.grc.com/
This is what you should see if your browser is set up and working properly.
Chrome Version 34
Internet Explorer 11
@dooglas avatar
UTC

Veni, Vidi, Posti
GTS 300ABS, Buddy 125, Buddy Kick 125
Joined: UTC
Posts: 13522
Location: Oregon City, OR
 
Well, if anyone wants all the secret stuff I send in email or instant messaging - they are certainly welcome to it. They can even have all the secret info on my Facebook page.
@rusty_rope avatar
UTC

Addicted
Vespa GTS 300 Super
Joined: UTC
Posts: 916
Location: London, UK
 
It seems I'm at risk, but have no idea what I'm at risk of.
@der_blechfahrer avatar
UTC

Molto Verboso
ET3 & PX150 & GTS 300 Super Sport MY23 & Yamaha Neo's electric
Joined: UTC
Posts: 1910
Location: Berlin
 
Your iPhone's browser accepts revoked certs. A cert can be either invalid, expired or revoked. The latter is problematic, because it is valid and not expired, but has probably been compromised or had its key stolen.
@nabs avatar
UTC

Hooked
GTS300
Joined: UTC
Posts: 141
Location: Hertfordshire, England
 
ckaiserca wrote:
This is what you should see if your browser is set up and working properly.
I was surprised to see the Check for server certificate revocation option is now unchecked by default in Chrome, a good write up here:

https://www.imperialviolet.org/2012/02/05/crlsets.html

Rusty Rope, this does not necessarily mean you are at additional risk. If you think of the certificate as a sort of letter of introduction from someone we both know, vouching that you can trust me in future dealings, the check that did not occur on your browser was the same as you forgetting to write to our mutual friend and confirm that they had not changed their mind about me.

Are you at risk if they did change their mind? Potentially, yes, but contacting them is not a satisfactory guarantee either - apart from the inconvenience - a determined crook could, without too much bother, arrange for you to get confirmation even if it was no longer true (for instance they might fake an email from our friend on to you).

The equivalent in the web world would be for the thief to intercept the data going between you and the dodgy site (which they need to do anyway in order to get your secret stuff) and then spoof the check to see if the certificate is still valid.

What's the alternative? In the browser world the - imperfect - solution is for the browser vendors to keep a list of revoked certificates and certificates known to be involved with security breaches and to warn you before you access the associated sites.
-------
edited for gobbledygook
@crazycarl avatar
UTC

Ossessionato
2007 250 GTS, 1980 P200E, 2010 ThunderFly 190 (SOLD) 2015 Yamaha SMax (SOLD)
Joined: UTC
Posts: 3559
Location: Springboro, OH
 
You can also check on the security of a domain through SSL Labs.

https://www.ssllabs.com/ssltest/

It will check the domain for its certificate, protocol support, key exchange, and cipher strength.

For more info...

https://community.qualys.com/blogs/securitylabs/2014/04/08/ssl-labs-test-for-the-heartbleed-attack
@rangeraj avatar
UTC

Molto Verboso
2011 300GTV
Joined: UTC
Posts: 1741
Location: Cedar Rapids, Iowa
 
Change passwords?
Oy Vey!
I must have dozens!
Facepalm emoticon
OP
@ckaiserca avatar
UTC

Molto Verboso
2013 GTV 300 ie "Victoria" Concept 2 Model D "River of Pain"
Joined: UTC
Posts: 1383
Location: Aurora, Ontario Canada
 
RangerAJ wrote:
Change passwords?
Oy Vey!
I must have dozens!
Facepalm emoticon
https://lastpass.com
@elyobelyob avatar
UTC

Hooked
BV350
Joined: UTC
Posts: 121
Location: SW London
 
Also, by doing a test on a site with no permission, you are breaking the law (well, in the UK .. probably elsewhere too).

Personally, I'd request new bank cards before I bothered changing my passwords. I have no idea where my passwords are, all over the internet. Some companies have written to me assuring me they are fine. Personally, I don't care. Write to me if you aren't ok!
@nabs avatar
UTC

Hooked
GTS300
Joined: UTC
Posts: 141
Location: Hertfordshire, England
 
The xkcd comic has a good explanation of the vulnerability (originally published at http://xkcd.com/1354/)
@rgconner avatar
UTC

Ossessionato
GTS250
Joined: UTC
Posts: 2959
 
The reports are somewhat exaggerated.

I work for IBM, I see the internal conversations about it. The risk is nowhere near 60%. This is being distributed internally, but it is from an external source:



Windows (all versions): Probably unaffected (uses SChannel/SSPI), but attention should be paid to the TLS implementations in individual applications. For example, Cygwin users should update their OpenSSL packages.

OSX and iOS (all versions): Probably unaffected. SANS implies it may be vulnerable by saying "OS X Mavericks has NO PATCH available", but others note that OSX 10.9 ships with OpenSSL 0.9.8y, which is not affected. Apple says: "OpenSSL libraries in OS X are deprecated, and OpenSSL has never been provided as part of iOS"

Chrome (all platforms except Android): Probably unaffected (uses NSS)
Chrome on Android: 4.1.1 may be affected (uses OpenSSL). Source. 4.1.2 should be unaffected, as it is compiled with heartbeats disabled. Source.
Mozilla products (e.g. Firefox, Thunderbird, SeaMonkey, Fennec): Probably unaffected, all use NSS
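
Added example (not part of the thread, and not from the source quoted in the post above): a first-pass triage of OpenSSL version banners along the lines that list draws, where non-OpenSSL stacks, old branches such as 0.9.8y, and builds compiled with heartbeats disabled are treated differently from the rest. The affected range used here (1.0.1 through 1.0.1f, plus 1.0.2-beta1) is an assumption brought in from outside this page, and the hostnames and build flags in the sample inventory are constructed.

```python
import re

# Assumption (not stated on this page): the flaw is in OpenSSL 1.0.1 through
# 1.0.1f and in 1.0.2-beta1; 1.0.1g and 1.0.2-beta2 carry the fix.
_BANNER = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(-beta\d+)?", re.I)


def classify_openssl(banner, heartbeats_disabled=False):
    """Return 'affected', 'unaffected' or 'unknown' for one version banner."""
    m = _BANNER.search(banner)
    if m is None:
        return "unknown"  # not OpenSSL at all (NSS, SChannel, ...): triage separately
    if heartbeats_disabled:
        return "unaffected"  # built without the heartbeat extension
    release = tuple(int(m.group(i)) for i in (1, 2, 3))
    letter = m.group(4).lower()
    beta = (m.group(5) or "").lower()
    if release == (1, 0, 1):
        # "" (plain 1.0.1) and "a".."f" sort at or below "f"; "g" onward is fixed.
        return "affected" if letter <= "f" else "unaffected"
    if release == (1, 0, 2):
        return "affected" if beta == "-beta1" else "unaffected"
    return "unaffected"  # 0.9.8 and 1.0.0 branches never had the heartbeat code


def triage(inventory):
    """Map host -> verdict for (host, banner, heartbeats_disabled) rows."""
    return {host: classify_openssl(banner, off) for host, banner, off in inventory}


# Constructed sample inventory; hostnames and build flags are made up.
SAMPLE = [
    ("mac-build.example", "OpenSSL 0.9.8y 5 Feb 2013", False),
    ("web01.example", "OpenSSL 1.0.1e-fips 11 Feb 2013", False),
    ("web02.example", "OpenSSL 1.0.1g 7 Apr 2014", False),
    ("lab.example", "OpenSSL 1.0.2-beta1 24 Feb 2014", False),
    ("handset.example", "OpenSSL 1.0.1c 10 May 2012", True),
    ("desktop.example", "NSS 3.16", False),
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE).items():
        print(f"{host:20} {verdict}")
```

A banner is only a first pass: distribution packages can carry a backported fix without changing the version string, so hosts reported as affected should be confirmed against the vendor's package advisory.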
