We address Internet security concerns so that you can safely do online transactions with us. There are many ways to increase security while using the Internet. Some of the tools available are described below.
Anti-virus software scans your computer and email messages for viruses. You have to regularly update your anti-virus software to be able to detect new viruses. Your anti-virus software helps protect the data on your computer, your software, and your operating system.
Although email is common and widely used today, it is not secure. It can be intercepted and the name of the originator can be changed. You should also be aware of important security information regarding email fraud. The Canada Revenue Agency (CRA) will never ask you to provide us with personal information by email. If you receive such a request, do not respond and contact our e-service Helpdesk immediately.
A firewall acts as a barrier between internal and external computers in a network, controlling the flow of information between the two. When a computer outside the firewall tries to communicate with a computer inside, it must first communicate with the firewall, which drops, allows or denies requests before it passes them to the destination computer. This process protects the destination computer from unauthorized access.
Encryption has been used to transmit messages in various formats for hundreds of years; it is not a new concept created just for the Internet. As technology has evolved, so have the methods of encryption—from manually coding text to using complex computer programs.
Encryption uses a mathematical formula and an encryption key to scramble information so that an unauthorized person cannot understand the information. The scrambled information is decoded—or converted back—into the original format using the same mathematical formula and a decryption key so an authorized person can understand it. While the information is encrypted, it cannot be viewed.
With 128-bit Secure Sockets Layer Version 3.0 (SSLV3) encryption, the privacy of information passing between your Web browser and our Web servers is ensured. Encrypting the information allows it to be transmitted and authenticated safely. Data cannot be compromised when SSL is in use. Through SSL the identity of the server computer can be verified. Although it is also possible to identify the user, the CRA does not use this method of identification.
When you send data using SSL encryption, the data is broken down into small, separate packages of information called blocks. SSL then encrypts each block. These encrypted blocks are sent over the Internet as individual network packets, and are individually addressed. Once all the packets have reached the safety of our secure Web server, they are reassembled and decrypted.
Check your browser's encryption
To make sure that you can complete your transactions securely and confidentially, you must use a Web browser that supports 128-bit Secure Sockets Layer Version 3.0 (SSLV3) encryption. You can use our browser test to check your current browser.
Once a secure session has been established, a padlock or key icon will appear in the bottom right corner of your browser window. This shows that data is being encrypted. However, to determine what level of encryption your browser provides, you have to check your browser's properties.
Internet Explorer
Open Internet Explorer and click the "Help" menu item. Then select "About Internet Explorer". This window will tell you the version of browser you are using and the level of security you have. If the "cipher strength" is not 128-bit, you should upgrade your browser.
Netscape
If there is a padlock icon, it means you are using 128-bit encryption. If there is no padlock icon, it means that you have 40-bit encryption software and you should upgrade to 128-bit encryption.
Each electronic service provided by the CRA may require different versions of browsers and operating systems. Visit the following services to see their specific requirements:
If your browser does not meet our security requirement of 128-bit SSL Version 3.0 encryption, you will need to upgrade the one you have or download a new complete browser package.
Notes
The CRA is not responsible for any difficulties or problems in downloading and installing software. The software suppliers provide technical support.
If your computer is part of a managed network, contact your organization's system administrator before making changes to your computer.
This online technical manual provides general information for downloading, installing, and configuring the Microsoft Internet Explorer browser and the Netscape browser for use with CRA services.
When you visit a Web site, it is saved in your computer's memory and your browser's memory in an area called the cache. Your browser should display the Web site more quickly the next time you visit because details about the contents, such as images and files, are stored in your cache. Your browser does not need to re-download all of the information about that Web site.
Information stored in the browser’s cache is not encrypted, so clearing the cache helps to ensure the security of your information. After you complete a secure session, you should close and reopen your browser to clear your browser’s cache of session cookies. If you are using Internet Explorer, you should also delete your temporary Internet files before you close and reopen your browser. If you are using Netscape Navigator, you should clear both your browser’s disk cache and memory cache before you close and reopen your browser.
A cookie is a computer text file sent to a visitor's Web browser (the software used to access the Internet such as Internet Explorer and Netscape) by a Web server (the computer that hosts the Web site) in order to remember certain pieces of information. This can be useful for both Web site visitors and Web site operators because it can reduce the amount of time needed to input and process the same information each time a Web site is used.
Only the Web server that originally sent the cookie can read information stored within it. Cookies can store only data that is provided by the server or that is generated by an explicit action by a visitor. They cannot read information from a visitor's hard drive.
Typically, a cookie comprises:
Types of cookies
There are two types of cookies:
Session cookies
These cookies reside on the Web browser and expire as soon as the visitor closes the browser. Session cookies remember information only for as long as the visitor operates the Web browser in a single "session" (or "sitting"). Session cookies can be used by Web site operators to determine information such as what parts of a Web site are popular, how long people stay on certain sections of a Web site, and what browsers are used.
Persistent cookies
In most cases, the CRA does not use persistent cookies. The CRA's My Account service, however, uses a persistent language cookie to manage client language preferences, and to ensure the integrity of the system. These persistent cookies will not store any identifying data.
Persistent cookies have an expiry date, are stored on a visitor's hard drive, and are read by the visitor's browser each time the visitor visits the Web site that sent the cookie. It is possible for the Web site that created the cookie to extend the expiry date without notice to the visitor. The cookie will remain on the visitor's hard drive until the set date has expired or until the visitor has deleted the file. However, most people do not know how to delete cookies. In addition, the prolonged existence of persistent cookies means they can be used to track Web browsing behaviour and purchasing habits. In some cases, they can also be used to identify a Web visitor when their data is combined with information from other sources, such as databases (for example, matching an IP address with a person's name).
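The difference between the two types is visible in the Set-Cookie header a Web server sends: a cookie with no Expires or Max-Age attribute is a session cookie, and one with either attribute is persistent. The Python below is an added example, not CRA code; the cookie names, header values and the 30-day review threshold are constructed for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def classify_cookie(header, now):
    """Classify one Set-Cookie header value as session, persistent or expired."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    lifetime = None                      # None: lives until the browser closes
    if "max-age" in attrs:               # Max-Age takes precedence over Expires
        lifetime = int(attrs["max-age"])
    elif "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        lifetime = int((expires - now).total_seconds())
    if lifetime is None:
        kind = "session"
    elif lifetime <= 0:
        kind = "expired"                 # the server is asking the browser to delete it
    else:
        kind = "persistent"
    return {
        "name": name,
        "kind": kind,
        "days": None if lifetime is None else lifetime // 86400,
        "secure": "secure" in attrs,     # only sent over encrypted connections
        "httponly": "httponly" in attrs, # hidden from page scripts
    }

def long_lived(headers, now, max_days=30):
    """Names of persistent cookies that outlive max_days (assumed review threshold)."""
    results = (classify_cookie(h, now) for h in headers)
    return [r["name"] for r in results
            if r["kind"] == "persistent" and r["days"] > max_days]

# Constructed sample headers and a fixed clock so the results are reproducible.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE_HEADERS = [
    "SESSIONID=abc123; Path=/; Secure; HttpOnly",
    "lang=en; Max-Age=31536000; Path=/",
    "track=u-42; Expires=Wed, 01 Jan 2025 00:00:00 GMT; Path=/",
    "old=1; Max-Age=0",
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(classify_cookie(h, NOW))
    print("review:", long_lived(SAMPLE_HEADERS, NOW))
```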
Use of cookies on Government of Canada Web sites
It is the policy of the Government of Canada to inform you about the presence of session and persistent cookies, and how and when they are used. You will find this information by clicking on the Important Notices link at the bottom of the Web pages and then linking to the "Privacy Notice."
Your privacy is also safeguarded under Canada's Privacy Act.
When you conduct a secure online transaction on the CRA Web site that requires personal information, we will notify you, and your browser may be asked to accept a session cookie. This notification is referred to as a "Privacy Notice Statement" and appears on every part of the Web site where personal information is requested.
Most browsers can be set to accept a range of options, from accepting no cookies to accepting only session cookies, to allowing all cookies.
Some browsers can also be configured to alert you before a cookie is to be placed on your machine and ask if you wish to accept it or not.
To determine how you can enable or disable cookies and activate any special alerts, click on the "Help" option in your Web browser toolbar and search the help index using the word "cookies."
There are also inexpensive software programs available that can help you manage your cookies and enable you to easily turn them on or off and to delete them. These features are often part of programs designed to allow easy and safe deletion of applications and files on your computer.
Java applets are little programs that can be downloaded over the Internet and that run with your browser software. They are typically used to customize or add interactive elements to a Web page. We recommend that Java applets be kept on while using our services.
JavaScript is a scripting language that works primarily on Web pages. CRA uses JavaScript to detect browser, browser version, and platform. We recommend that JavaScript be kept on while using our Web services.
PKI is a combination of policy and technology that establishes a secure working environment, allowing Internet users to conduct secure electronic transactions. PKI operates using public key cryptography and digital certificates held by each party transmitting over the Internet. This ensures that private information is kept protected from tampering and that the identities of the participants can be guaranteed.
Unlike traditional cryptography that uses an identical key to encrypt and decrypt the message, public key cryptography uses one mathematical formula or algorithm—also called a key—to encrypt data and a second, related mathematical key to decrypt it. A PKI user has two keys: a public key openly accessible to anyone and tied to the digital certificate, and a private key kept secret by its holder. A message that is encrypted with a public key can only be decrypted with the corresponding private key. Using this key system ensures that no one else can view the private key holder's encrypted messages. In the Government of Canada PKI, once you have obtained your key, all you need to remember (and keep secret) is your user ID and password.
More details about PKI are available on the following Web sites:
A certification authority is a trusted party responsible for issuing digital certificates and managing them throughout their lifetime. The management of digital certificates includes their centralized creation, distribution, renewal, and revocation. The certification authority certifies the identity of the holder and publishes up-to-date lists of public keys.
In the Government of Canada PKI, this authority is split between two organizations to provide an additional layer of protection for your information. One central organization issues the PKI keys and manages their creation, distribution, renewal, and revocation for all government departments. However, the certificate held centrally contains only a Meaningless But Unique Number (MBUN), not your identity. Each department that uses PKI will authenticate you, and only that department will know the relationship between your MBUN and your real identity. You can choose to have one certificate for all your dealings with the Government of Canada or one certificate for each department.
A digital certificate is an electronic credential that verifies the identity of its holder. The digital certificate is issued by a certification authority and contains information on the identity of the holder. It cannot be forged. The digital certificate ties the holder's identity to a public key. Digital certificates are critical tools for the secure and trusted use of electronic networks, as they enable protected information to be sent, received, and accessed securely. If a digital certificate is suspected of being compromised, it is revoked.
A digital signature is a type of electronic identification that can confirm the identity of the sender of a message, whether the message is encrypted or not. Digital signatures can only be generated by the signer. They can be verified, are tamperproof, cannot be forged or repudiated, and ensure that the information contained in the message is not changed during transmission.
To use the CRA epass services, you need a Government of Canada epass, a service that uses PKI. This gives Canadians the ability to obtain state-of-the-art secure electronic services from any Internet terminal in the world, using the convenience of a user ID and password. When registering for an epass (by providing your personal information and entering your CRA activation code), you get a unique electronic credential that gives you access to online government programs and services that require enhanced security measures, including secure digital signatures.