Is Norton Identity Safe affected by the Heartbleed bug? Has there been any statement from Symantec?
Here's an article from Symantec:
Hello again Yank - but are the Symantec main site and this community forum OpenSSL sites? Do we need to change our passwords?
I had a chat session with Symantec. It was repeatedly said to me that only Web sites are affected by the Heartbleed bug but that the login information/password I use to access the servers housing my Identity Safe information was/is not affected.
I am no expert in this area but was not reassured by the chat discussion. Does the point about affecting only Web sites make sense to those of you who understand OpenSSL and the capabilities of the Heartbleed bug?
PS: I hope the forum administrator will respond or, better yet, Symantec will issue a clear statement for us non-experts, about whether there is/was a potential leakage of the password used to access the Identity Safe servers through the login box for Identity Safe. Yes or no!
Symantec/Norton removed the option to store my Identity safe passwords on my personal computer and has now left me wondering whether my information is safe in its cloud servers.
@Tony_Weiss @Tim_Lopez @Mohan_G
Any comment in simple, easy to understand terminology for us less tech-savvy users would certainly be appreciated.
To change all, some or none of our passwords? How safe is ID Safe data, etc.? Everyone (including me) seems confused and wondering.
LastPass has actively assessed the user sites for their registered passwords, listing in spreadsheet form the name of the site, the age of the password, whether the site certificate has been updated and the recommended action for the Heartbleed issue.
Why doesn't Norton Identity Safe do the same for its users?
AMEN!...And LastPass has offered a description of how one's primary password (into LastPass) is encrypted on your local machine and, according to LastPass, should not be affected by Heartbleed.
Too bad that a huge company such as Symantec can't do the same. Or is it that it really can't offer the same assurance?
Symantec has published a Heartbleed vulnerability update site, with a link to a matrix of products.
Interesting that there is no information about Identity Safe, NIS, NAV or Norton 360
Krusty13 wrote: Interesting that there is no information about Identity Safe, NIS, NAV or Norton 360
Hmm... Interesting that there's a double entry for Identity Safe... Is that a mistake? And vexing too that Identity Safe would even be listed as susceptible. Especially considering the statements made by Norton nearly two years ago in the Norton Protection Blog; specifically the blog located here:
which contains (among other claims) the following set of statements:
"... The Online Vault is Secure.
- Norton uses 256bit AES encryption to encrypt the data. This is a leading industry standard for encryption.
- Using a very “strong” password is mandatory when creating an online vault – not just encouraged.
- On the server side, Norton has security zones and firewalls between each zone to make sure only intended traffic is allowed access.
- Encrypted vaults on PC, Mac, and Mobile clients are only ever decrypted on your local computer, never at Norton facilities, so no Symantec employee ever has access to any vault data.
- Vault contents are encrypted both in transit as well as at Norton data centers to ensure that no one can access a user’s data via a “man-in-the-middle” attack. ..."
Which (to me) virtually guarantees that the vault data remains hard-encrypted at all times while it is located anywhere other than on the user's local computer or device.
So why is there a concern being flagged - and twice at that?
My understanding is that the Vault (Norton Identity Safe) is protection for detection of keystrokes.
Wouldn't that mean that all the sites set up within the Vault are still vulnerable since Heartbleed isn't a keystroke detection issue, it's a site access/security vulnerability issue?
The sites, although housed in the Vault, still exist as a URL and those URLs are still being accessed... just by other means/a different way.
'course, it'd be moot if NIS/Vault is compromised itself per the results yielded by Krusty13?
As long as the vulnerable version of OpenSSL is patched at each site, those sites would no longer be putting your password at risk. Most sites have the patch in place at this point.
I am still confused. If I used Identity Safe the majority of the time to log in to web sites in the past "heartbleed" period, do I need to change ANY passwords? Also I used the "Local Vault" option so the passwords and logins were not stored in the cloud - if that makes any difference.
I also agree with one of the other contributors that it would be more than appropriate for Norton to put out a very clear simplified statement to ALL REGISTERED USERS via email (not just on Community Forums) as to exactly what we have to do regarding this "heartbleed bug". Many Norton users have never visited the Forums and wouldn't have any idea on how to even try to get to the Forums. They just turn their PC on and expect it to work. They are lucky if they can even install a program such as Norton, much less contact/contribute to the forums.
Heartbleed allowed passwords to be stolen from server memory at the website - it has nothing to do with where you store your passwords or whether you use a password manager to log on. If you accessed a vulnerable site using a password, that password was potentially at risk. I say potentially, because it isn't known if there were any exploits of this bug prior to it being publicized in the last couple of weeks. The hole existed for two years, but it is possible that nobody knew about it. So, for safety's sake, we assume the worst, and the prudent thing to do is to check the websites that you use, and if they were at risk, you should change your password.
Also, Norton did send out an email.
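
The per-site check the replies above recommend, laid out in the spreadsheet form one poster attributes to LastPass (site, password age, certificate updated, recommended action), as an added example that is not part of any post in this thread or any vendor's code. The `Login` fields, the triage rules in `recommend`, and the sample sites and dates are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

DISCLOSED = date(2014, 4, 7)  # public disclosure of the OpenSSL Heartbleed bug

@dataclass
class Login:
    site: str
    was_vulnerable: bool         # site ran an affected OpenSSL build
    patched_on: Optional[date]   # None = fix not yet installed
    cert_issued: date            # issue date of the certificate now served
    password_set: date           # when the stored password was last changed

def recommend(x: Login) -> str:
    """Triage rules assumed for this example, not a vendor's published policy."""
    if not x.was_vulnerable:
        return "no action"
    if x.patched_on is None:
        return "wait for patch"    # a new password would be exposed the same way
    if x.password_set < x.patched_on:
        return "change password"   # it was in use while server memory could leak
    if x.cert_issued < DISCLOSED:
        return "recheck after certificate reissue"  # certificate predates disclosure
    return "no action"

def triage(logins: List[Login], today: date) -> List[Tuple[str, int, bool, str]]:
    """One row per login: site, password age in days, cert updated?, action."""
    return [(x.site, (today - x.password_set).days,
             x.cert_issued >= DISCLOSED, recommend(x)) for x in logins]

# Constructed sample data: the sites and dates are invented for illustration.
SAMPLE = [
    Login("bank.example", False, None, date(2013, 9, 1), date(2013, 1, 15)),
    Login("mail.example", True, date(2014, 4, 8), date(2014, 4, 9), date(2012, 6, 1)),
    Login("forum.example", True, None, date(2013, 5, 20), date(2013, 8, 3)),
    Login("shop.example", True, date(2014, 4, 8), date(2013, 11, 2), date(2014, 4, 10)),
    Login("news.example", True, date(2014, 4, 8), date(2014, 4, 10), date(2014, 4, 12)),
]

if __name__ == "__main__":
    for row in triage(SAMPLE, date(2014, 4, 20)):
        print("%-14s age=%4dd cert_updated=%-5s -> %s" % row)
```

Where the password is stored (local vault or online vault) is not an input to any rule here, which matches the point made in the reply above: the exposure was at the website's server.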