Thursday, October 29, 2015

Suspicious TrueCrypt Announcement Declares The Tool Insecure, Development Stopped

TrueCrypt was an application that could be used to create virtual encrypted disks within a file or to encrypt entire partitions or storage devices. I said "was" because TrueCrypt's homepage started redirecting to its SourceForge page, where a warning is displayed at the top of the page:

"WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues

This page exists only to help migrate existing data encrypted by TrueCrypt.

The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms (click here for more information). You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform".

The page then goes on to explain how to migrate your data from TrueCrypt to BitLocker.

At first glance, this doesn't seem legitimate, for three reasons: the redirection (why not change the homepage itself?), the message (if there are security issues, why not fix them, or at least try to? Also, a recent security audit didn't reveal major issues, though more audits were pending), and the alternative the page recommends: BitLocker, a proprietary full disk encryption feature included with Windows, which poses quite a few security concerns itself.


The TrueCrypt SourceForge page now hosts a new version of TrueCrypt which contains warnings that the program isn't safe to use. The application was also changed so that it allows users to decrypt data but not to create new volumes.

There is a lot of speculation about what actually happened with TrueCrypt, including scenarios in which the NSA pressured the developers into doing this, or in which the developers refused to add NSA backdoors. On the other hand, Matthew Green, a professor specializing in cryptography at Johns Hopkins University and one of the people who worked on the TrueCrypt audit, says that he thinks this is legitimate.

Here are some interesting articles / comments on this topic:

What do you think?
