How does this affect TeamDrive and your data?
The TeamDrive Client uses cryptographic functions provided by OpenSSL to perform local AES-256 encryption of your data before it is transmitted to a TeamDrive Server. Because the data has already been encrypted locally, the TeamDrive Client-Server communication does not establish an additional secure communication channel via SSL/TLS. This reduces the overhead and makes it easier to propagate data through proxy servers. Therefore, this communication is not affected by the vulnerability, which only affects secure communication channels established via SSL/TLS.
However, there are two scenarios in which the TeamDrive Client establishes SSL connections:
- If you need to access TeamDrive Spaces hosted on an SSL-enabled WebDAV server.
- If you publish versions of a file on a TeamDrive Host Server that has SSL enabled for publishing (this requires a TeamDrive Professional Client license). Publishing via SSL is currently not enabled on the host servers of our public TeamDrive cloud, but may be enabled on TeamDrive Host Servers that you manage on your own premises.
The TeamDrive Client's version of OpenSSL depends on the client version and platform. With the exception of Mac OS X and Windows, our Clients have been built against a bundled version of OpenSSL, which is currently at version 1.0.1 for the latest builds. We'll be releasing updated clients shortly to fix this bug.
By Lenz Grimmer
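
To see which OpenSSL build a given client installation actually bundles, the following added example (not TeamDrive's own code) scans a directory tree for the version banner that OpenSSL embeds in its libraries and marks anything on the 1.0.1 branch named above. The directory to scan is an argument you supply; the script name and the banner shown in the comment are assumptions constructed for illustration.

```python
import re
import sys
from pathlib import Path

# Version banner that OpenSSL builds embed in libssl/libcrypto and in
# statically linked binaries, e.g. b"OpenSSL 1.0.1f 6 Jan 2014" (constructed sample).
BANNER = re.compile(
    rb"OpenSSL (\d+\.\d+\.\d+[a-z]*)(?:-[\w.]+)? +\d{1,2} [A-Z][a-z]{2} \d{4}"
)


def openssl_versions(blob):
    """Return the set of distinct OpenSSL versions whose banner occurs in blob."""
    return {m.group(1).decode("ascii") for m in BANNER.finditer(blob)}


def is_1_0_1_branch(version):
    """True for 1.0.1 and its letter releases (1.0.1a, 1.0.1f, ...)."""
    return re.fullmatch(r"1\.0\.1[a-z]*", version) is not None


def scan_tree(root):
    """Map each regular file under root to the OpenSSL versions it embeds."""
    hits = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        try:
            found = openssl_versions(path.read_bytes())
        except OSError:
            continue  # unreadable file: skip it rather than abort the inventory
        if found:
            hits[str(path)] = found
    return hits


if __name__ == "__main__":
    # Usage (hypothetical script name): python scan_openssl.py <install directory>
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for name, versions in scan_tree(root).items():
        for v in sorted(versions):
            flag = "  <- 1.0.1 branch, check for an updated client" if is_1_0_1_branch(v) else ""
            print(f"{name}: OpenSSL {v}{flag}")
```

A file that reports more than one version usually means several OpenSSL copies are linked or bundled together, and each one needs checking.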