By Judy McKinnon
Canadian government departments have been directed to disable
all public websites that may be vulnerable to the Heartbleed bug
until a security patch is in place to fix the flaw.
The government's chief information officer has ordered the
shutdown of public government websites running an unpatched
version of the affected encryption software, the Treasury
Board of Canada said in a statement late Thursday.
"This action is being taken as a precautionary measure until the
appropriate security patches are in place and tested," the
statement said.
No specific government websites were identified in the
statement.
"We understand that this will be disruptive, but, under the
circumstances, this is the best course of action to protect the
privacy of Canadians," the Treasury Board statement said.
Earlier this week, Canada's tax authority halted online services
to prevent the possible exposure of masses of critical personal
information ahead of the country's tax-filing deadline. Thursday,
it said it was working to apply a software patch to fix the flaw
and was testing its systems.
Heartbleed is a flaw in certain versions of OpenSSL, a
free set of encryption tools used by much of the Internet. The flaw
could expose reams of data that are meant to be private,
cybersecurity experts say.
Thursday, Cisco Systems Inc. and Juniper Networks Inc., two of
the biggest makers of network equipment, said some of their
products contain the Heartbleed bug. A number of websites,
including those run by Yahoo Inc., Amazon.com Inc. and Netflix
Inc., moved quickly to fix the flaw after it was disclosed
Monday.