How does this affect TeamDrive and your data?
The TeamDrive Client uses cryptographic functions provided by OpenSSL to perform local AES-256 encryption of your data before it is transmitted to a TeamDrive Server. Because the data has already been encrypted locally, the TeamDrive Client-Server communication does not establish an additional secure communication channel via SSL/TLS - this reduces the overhead and makes it easier to propagate data through proxy servers. Therefore we're not affected by this vulnerability here, as it only affects secure communication channels established via SSL/TLS.
However, there are two scenarios in which the TeamDrive Client establishes SSL connections:
- If you need to access TeamDrive Spaces hosted on an SSL-enabled WebDAV server
- If you publish versions of a file on a TeamDrive Host Server that has SSL enabled for publishing (this requires a TeamDrive Professional Client license). Publishing via SSL is currently not enabled on the host servers of our public TeamDrive cloud, but may be enabled on TeamDrive Host Servers that you manage on your own premises.
The TeamDrive Client's version of OpenSSL depends on the client version and platform. With the exception of Mac OS X and Windows, our Clients have been built against a bundled version of OpenSSL, which is currently at version 1.0.1 for the latest builds. We'll be releasing updated clients shortly to fix this bug.
By Lenz Grimmer
And yet, the account is created on the website, so the account itself is still vulnerable.
Users can create accounts from within the client, without ever using the web login. Our website was not affected by the OpenSSL Heartbleed vulnerability. We were lucky in that case.
But in general the TeamDrive authentication and messaging service is completely separated from the hosting services. And as described in the blog, all data is AES-256 end-to-end encrypted, and we do not need and are not using SSL security to ensure the highest privacy and security.