Wednesday, April 9, 2014

TeamDrive and the Heartbleed OpenSSL bug - Is my Data Secure?

In case you have not heard about it yet, a rather nasty security vulnerability in the Open Source cryptographic library OpenSSL has been discovered. Dubbed "Heartbleed", it can result in unwanted information disclosure on both ends of a communication channel that is encrypted with SSL/TLS (for more details, check the dedicated web site about this issue at

How does this affect TeamDrive and your data?

The TeamDrive Client uses cryptographic functions provided by OpenSSL to perform local AES-256 encryption of your data before it is transmitted to a TeamDrive Server. Because the data has already been encrypted locally, the TeamDrive Client-Server communication does not establish an additional secure communication channel via SSL/TLS - this reduces the overhead and makes it easier to propagate data through proxy servers. Therefore we're not affected by this vulnerability here, as it only affects secure communication channels established via SSL/TLS.

However, there are two scenarios in which the TeamDrive Client establishes SSL connections:

  • If you need to access TeamDrive Spaces hosted on an SSL-enabled WebDAV server
  • If you publish versions of a file on a TeamDrive Host Server that has SSL enabled for publishing (this requires a TeamDrive Professional Client license). Publishing via SSL is currently not enabled on the host servers of our public TeamDrive cloud, but may be enabled on TeamDrive Host Servers that you manage on your own premises.

In both cases, the client establishes an SSL connection to the server, which makes the client potentially vulnerable to this particular bug if the server has been taken over by a malicious user. The server would first have to be compromised and modified so that it can be used to exploit the vulnerability against connecting clients. Simply running a server with an affected OpenSSL library does not automatically lead to any information disclosure from the client here, but it may provide an attack vector for gaining access to the server itself.

The TeamDrive Client's version of OpenSSL depends on the client version and platform. With the exception of Mac OS X and Windows, our Clients have been built against a bundled version of OpenSSL, which is currently at version 1.0.1 for the latest builds. We'll be releasing updated clients shortly to fix this bug.
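Because the answer above hinges on which OpenSSL build a client bundles, a defender's first check is the version banner embedded in the binary. The following is an added example, not TeamDrive's code: it scans raw bytes for OpenSSL version banners (as `strings | grep OpenSSL` would) and classifies each one against the affected range, OpenSSL 1.0.1 through 1.0.1f (1.0.1g and later, and other branches, are not affected). The sample blob is constructed; the function names are assumptions.

```python
import re
import ssl

# Heartbleed affects OpenSSL 1.0.1 up to and including 1.0.1f.
# Caveat: some distributions backport the fix without changing the version
# letter, so a matching banner means "check further", not "confirmed vulnerable".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")
_BANNER_RE = re.compile(rb"OpenSSL \d+\.\d+\.\d+[a-z]*")


def parse_openssl_version(text):
    """Return (major, minor, fix, patch_letter) from a banner such as
    'OpenSSL 1.0.1e 11 Feb 2013' or '1.0.1g', or None if no version is present."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, fix, patch = m.groups()
    return int(major), int(minor), int(fix), patch


def is_heartbleed_affected(text):
    """True if the banner denotes a build in the vulnerable 1.0.1..1.0.1f range.
    Unparseable input raises rather than silently reporting 'not affected'."""
    parsed = parse_openssl_version(text)
    if parsed is None:
        raise ValueError("no OpenSSL version found in %r" % text)
    major, minor, fix, patch = parsed
    if (major, minor, fix) != (1, 0, 1):
        return False
    # Plain 1.0.1 (empty letter) through 1.0.1f are affected; 'g' onward are fixed.
    return patch == "" or patch <= "f"


def find_openssl_versions(blob):
    """Scan raw bytes (e.g. a bundled libssl or a client executable) for
    embedded OpenSSL banners and return them as strings."""
    return [m.decode("ascii") for m in _BANNER_RE.findall(blob)]


def audit_binary(blob):
    """Map every banner found in the blob to its Heartbleed classification."""
    return {v: is_heartbleed_affected(v) for v in find_openssl_versions(blob)}


# Constructed stand-in for a binary that bundles OpenSSL (not a real file).
SAMPLE_BLOB = b"\x7fELF\x00\x00garbage OpenSSL 1.0.1e 11 Feb 2013\x00more\x00"

if __name__ == "__main__":
    print("bundled:", audit_binary(SAMPLE_BLOB))
    # Also report the OpenSSL linked into this interpreter (assumes the ssl module is built).
    print("interpreter:", ssl.OPENSSL_VERSION, is_heartbleed_affected(ssl.OPENSSL_VERSION))
```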

By Lenz Grimmer


John D Carmack said...

And yet, the account is created on the website, so the account itself is still vulnerable.

TeamDrive said...

Users can create accounts from within the client, without ever using the web login. Our website was not affected by the OpenSSL Heartbleed vulnerability. We were lucky in that case.
But in general the TeamDrive authentication and messaging service is completely separated from the hosting services. And as described in the blog, all data is AES-256 end-to-end encrypted and we do not need and are not using SSL security to ensure highest privacy and security.