The Internal Revenue Service said Wednesday it is taking new steps to fix the HeartBleed bug that was recently identified on sites across the Internet.
The security vulnerability affects the OpenSSL technology that provides security on many popular sites (see The HeartBleed Bug: What It Is and 5 Steps to Take New).
The IRS said in an email that it is issuing new public SSL, or Secure Sockets Layer, certificates for establishing the SSL connection and revoking the current certificates as an additional precaution for the HeartBleed bug.
A new set of certificates is being issued on specific dates in late April and early May for transmitters accessing the Production and Assurance Testing System, or ATS, environments. Internet Filing Application, or IFA, transmitters should not be affected by this change.
The group running the IRS’s Modernized eFile system, or MeF, will post new “la alt” certificates for the ATS on the MeF User Guides & Publications page on April 23. On April 27, the MeF system will no longer support the existing ATS certificates.
Then on April 28, the MeF system will post new Production “la main” certificates on the MeF User Guides & Publications page. On May 4, the MeF will no longer support the existing Production certificates.
The new SSL certificates are not being implemented until April 27 for "la alt" and May 4 for "la main." The IRS is nevertheless encouraging transmitters to add them as soon as they become available, and not to remove the current certificates until they are no longer supported by the MeF.
The IRS noted that the software configurations of users’ efile systems may be set up to automatically download the new certificates when they connect to the MeF for the first time. The IRS is recommending that software developers, transmitters and states test their software in the ATS environment to confirm whether the certificates need to be manually installed.
The certificates are available on the MeF User Guides & Publications page so they can be manually downloaded. Email the MeF Mailbox at firstname.lastname@example.org with any questions.