The CRA is the most competent organization in all of Canada, public or private. They probably log every packet.
Worst case scenario they are looking into streams of suspicious behavior, like Russian IPs attempting to validate the SINs somewhere else, like at a bank.
Agreed. I had the pleasure of calling CRA last month to sort out a problem. I spent an afternoon trying to piece together all these letters, payments, refunds, etc., and what exactly went wrong.
Anyway, I call, and it was the closest thing to magic I've ever seen. I give reception my SIN, and ask for the woman that signed the letter I received. I'm on hold for only 10 or 20 seconds, the woman answers, and greets me with my name. I didn't say more than a couple of sentences explaining the issue, and she says she'll check her computer, taps a button and poof she knows everything. Literally a few more seconds, and everything is sorted, and a cheque is being mailed.
I was almost speechless, I was expecting a 30 minute call between departments, explaining numbers, CRA scratching their heads since this was taking place across multiple provinces, and then me having to physically mail in a variety of personal information. Instead, it was a 1 or 2 minute call with an incredibly friendly woman, and she was so organized, it's like she spent the day preparing for me to call in advance. And, to reiterate, this was the woman that signed the original letter I received, not someone from support or customer service.
Now, the CRA website is a nightmare, but talking to them on the phone was the most impressive service I've ever encountered.
Why do you say that the CRA is the most competent organization in all of Canada? Not doubting that it could be or anything; I was more wondering on what basis you made that claim.
I have a pretty complex tax life, I know many accountants and tax lawyers, my uncle was an Auditor for the Auditor General's office, my mom used to work for the CRA, I've spoken to them multiple times.
Every single interaction with them and every single person I know that has to deal with them has been nothing but mindblowingly professional. Even on the phone, they are exceptionally good at getting to the point IMMEDIATELY but without the normal "this isn't the right department" BS that every other Canadian government agency has.
It's hard to even think of a number two. The Supreme Court maybe? Elections Canada? Ellis Don?
A few years ago the CRA messed up a tax return of mine and credited my payments to the next year. I got a letter from them saying your tax bill of $11k has not been paid, please pay it, and here are some interest payments due, also you have $11k in credit for next year.
So I called them up, waited on hold for 5 minutes. I spoke with a CRA rep who said "Yup, we screwed up. Fixed". And it was fixed. Total time to fix an $11K screw up? 15 minutes. Try that with any other organization.
General question: the leaked data in the heartbeat packets is encrypted, correct? If the service doesn't use perfect forward secrecy they would definitely be able to decrypt those packets to see what was leaked. What if they did use PFS?
Depending on how the exploit is written it can be encrypted or unencrypted. If the heartbeat is sent before the TLS handshake is finished, then the memory contents will be sent in the clear. If it is sent after the handshake is finished (meaning all crypto stuff has been agreed on by both sides) then the data will be encrypted. This also makes Heartbleed very hard to detect on the wire in general.
That is a really good question! I would only be guessing at whether or not they have PFS or not. On the one hand, it leaves the past vulnerable in case a breach happened, but on the other it makes diagnosing what much harder in cases like this.
Actually now I'm not sure if heartbeats are encrypted:
"It is irrelevant whether your system can even support some of the cipher suites in the list, because the Heartbeat request that triggers the vulnerability is sent before any encryption takes place."
Heartbleed doesn't just leak keys. It leaks random bits of memory, which can contain anything - private keys, encrypted data, unencrypted data, whatever happens to pop out. Problem is you can repeat the attack very quickly until the data you want - say, unencrypted SINs - comes out.
I know, and I'm not sure how this is relevant to my question.
I was specifically wondering if a) the heartbeat messages which leak data (keys or whatever) are encrypted or not, and b) if they are, and PFS was used, is it even possible for someone to audit a full packet capture for heartbeat attacks.
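A sketch of the capture audit asked about above, added here as an example and not posted by anyone in the thread: it walks the TLS records of one reassembled client-to-server stream and classifies each heartbeat record, showing why only heartbeats sent before ChangeCipherSpec can be checked from the bytes alone. The function names, verdict labels and the sample stream are constructed for illustration.

```python
import struct

HEARTBEAT, CHANGE_CIPHER_SPEC = 24, 20  # TLS record content types
MIN_PADDING = 16                        # RFC 6520: at least 16 padding bytes

def classify(body, encrypted):
    """Verdict for the body of one heartbeat record."""
    if encrypted:
        return "opaque"      # ciphertext: length field unreadable from capture
    if len(body) < 3:
        return "malformed"
    _hb_type, payload_length = struct.unpack_from("!BH", body)
    # type (1) + length (2) + payload + padding must fit inside the record
    if 1 + 2 + payload_length + MIN_PADDING > len(body):
        return "over-read"   # claims more payload than the record carries
    return "well-formed"

def audit_stream(data):
    """Return [(record_index, verdict)] for every heartbeat record."""
    findings, offset, index, encrypted = [], 0, 0, False
    while offset + 5 <= len(data):
        ctype, _version, length = struct.unpack_from("!BHH", data, offset)
        body = data[offset + 5 : offset + 5 + length]
        if len(body) < length:   # truncated capture: stop cleanly
            break
        if ctype == CHANGE_CIPHER_SPEC:
            encrypted = True     # later records in this direction are ciphertext
        elif ctype == HEARTBEAT:
            findings.append((index, classify(body, encrypted)))
        offset += 5 + length
        index += 1
    return findings

def record(ctype, body):
    """Build one TLS 1.1 record (helper for the constructed sample)."""
    return struct.pack("!BHH", ctype, 0x0302, len(body)) + body

# Constructed sample stream, not taken from any real capture.
SAMPLE = (
    record(22, b"\x01" + bytes(40))                  # handshake stand-in
    + record(HEARTBEAT, b"\x01\x40\x00")             # claims 16384 bytes, has 0
    + record(HEARTBEAT, b"\x01\x00\x04ping" + bytes(16))  # honest request
    + record(CHANGE_CIPHER_SPEC, b"\x01")
    + record(HEARTBEAT, bytes(48))                   # encrypted heartbeat
)

if __name__ == "__main__":
    for idx, verdict in audit_stream(SAMPLE):
        print(idx, verdict)
```

For the "opaque" case the capture still gives the record's size and timing, so a reviewer can compare request and response record lengths even without decrypting anything.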