04-10-2014 08:24 AM - edited 04-10-2014 08:26 AM
Hello again Yank - but are the Symantec main site and this community forum OpenSSL sites? Do we need to change our passwords?
04-10-2014 09:19 AM - edited 04-10-2014 09:54 AM
I had a chat session with Symantec. It was repeatedly said to me that only Web sites are affected by the Heartbleed bug but that the login information/password I use to access the servers housing my Identity Safe information was/is not affected.
I am no expert in this area but was not reassured by the chat discussion. Does the point about affecting only Web sites make sense to those of you who understand OpenSSL and the capabilities of the Heartbleed bug?
PS: I hope the forum administrator will respond or, better yet, Symantec will issue a clear statement for us non-experts, about whether there is/was a potential leakage of the password used to access the Identity Safe servers through the login box for Identity Safe. Yes or no!
Symantec/Norton removed the option to store my Identity safe passwords on my personal computer and has now left me wondering whether my information is safe in its cloud servers.
04-10-2014 10:37 AM - edited 04-10-2014 10:38 AM
04-10-2014 02:05 PM
LastPass has actively assessed the user sites for their registered passwords, listing in a spreadsheet form the name of the site, the age of the password, whether the site certificate has been updated and the recommended action for the Heartbleed issue.
Why doesn't Norton Identity Safe do the same for its users?
04-10-2014 02:34 PM
AMEN!...And LastPass has offered a description of how one's primary password (into LastPass) is encrypted on your local machine and, according to LastPass, should not be affected by Heartbleed.
Too bad that a huge company such as Symantec can't do the same. Or is it that it really can't offer the same assurance?
04-14-2014 03:58 PM - edited 04-14-2014 03:59 PM
Interesting that there is no information about Identity Safe, NIS, NAV or Norton 360
Hmm... Interesting that there's a double entry for Identity Safe... Is that a mistake? And vexing too that Identity Safe would even be listed as susceptible. Especially considering the statements made by Norton nearly two years ago in the Norton Protection Blog; specifically the blog located here:
which contains (among other claims) the following set of statements:
"... The Online Vault is Secure.
- Norton uses 256bit AES encryption to encrypt the data. This is a leading industry standard for encryption.
- Using a very “strong” password is mandatory when creating an online vault – not just encouraged.
- On the server side, Norton has security zones and firewalls between each zone to make sure only intended traffic is allowed access.
- Encrypted vaults on PC, Mac, and Mobile clients are only ever decrypted on your local computer, never at Norton facilities, so no Symantec employee ever has access to any vault data.
- Vault contents are encrypted both in transit as well as at Norton data centers to ensure that no one can access a user’s data via a “man-in-the-middle” attack. ..."
Which (to me) virtually guarantees that the vault data remains hard-encrypted at all times while it is located anywhere other than on the user's local computer or device.
So why is there a concern being flagged - and twice at that?