Difference between revisions of "TrueCrypt"
(fix about license) |
m (Text replacement - " backdoor" to " backdoor") |
||
(4 intermediate revisions by 2 users not shown) | |||
Line 1: | Line 1: | ||
{{concept | {{concept | ||
− | |||
|image=TrueCrypt.jpg | |image=TrueCrypt.jpg | ||
|type=technology | |type=technology | ||
|website=http://truecrypt.sourceforge.net | |website=http://truecrypt.sourceforge.net | ||
|constitutes=software, encryption | |constitutes=software, encryption | ||
− | |description=Widely praised disk encryption software, abruptly discontinued in 2015. Version 7. | + | |description=Widely praised disk encryption software, abruptly discontinued in 2015. Version 7.1a (''not'' 7.2) is the latest fully functional version. |
+ | |wikipedia=https://en.wikipedia.org/wiki/TrueCrypt | ||
+ | |start=2004-02 | ||
}} | }} | ||
==Sudden discontinuation== | ==Sudden discontinuation== | ||
− | The software's [[Sourceforge]] page was abruptly edited in May 2015, to begin with the following red warning:{{QB|{{RED|WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues.}}}} | + | The software's [[Sourceforge]] page was abruptly edited in May 2015, to begin with the following red warning:{{QB|{{RED|WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues.}}}} Since it is proprietary, closed-source software, the site's recommendation to switch to [[Microsoft]]'s BitLocker makes no sense at all, and so some have interpreted it as an indication that the developers had been pressurised but prohibited from directly stating so, i.e. as a [[warrant canary]].<ref>http://truecrypt.sourceforge.net/</ref> |
− | <ref>http://truecrypt.sourceforge.net/</ref> | ||
===Warrant Canary?=== | ===Warrant Canary?=== | ||
− | Some speculated that "<u>n</u>ot <u>s</u>ecure <u>a</u>s" may be a coded reference to the [[National Security Agency]].<ref>https://www.schneier.com/blog/archives/2014/05/truecrypt_wtf.html</ref> This was followed up by the observation that the whole phrase may contain a hidden acronym: "<u>U</u>sing <u>T</u>rueCrypt <u>i</u>s <u>n</u>ot <u>s</u>ecure <u>a</u>s <u>i</u>t <u>m</u>ay <u>c</u>ontain <u>u</u>nfixed <u>s</u>ecurity <u>i</u>ssues" ~ Uti NSA im | + | Some speculated that "<u>n</u>ot <u>s</u>ecure <u>a</u>s" may be a coded reference to the [[National Security Agency]].<ref>https://www.schneier.com/blog/archives/2014/05/truecrypt_wtf.html</ref> This was followed up by the observation that the whole phrase may contain a hidden acronym: "<u>U</u>sing <u>T</u>rueCrypt <u>i</u>s <u>n</u>ot <u>s</u>ecure <u>a</u>s <u>i</u>t <u>m</u>ay <u>c</u>ontain <u>u</u>nfixed <u>s</u>ecurity <u>i</u>ssues" ~ "Uti NSA im cu si". The language and meaning of this is debated, but many interpret it as a [[warrant canary]].<ref>https://www.livebusinesschat.com/smf/index.php?topic=5629.0</ref><ref>http://www.reddit.com/r/conspiracy/comments/289070/hidden_message_on_the_new_sourceforge_truecrypt/</ref> |
==Legal status== | ==Legal status== | ||
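Review bot: In the sentence added after the red warning, "Since it is proprietary, closed-source software" has no clear antecedent for "it". BitLocker is only named later in the same sentence, so the clause can be read as describing TrueCrypt; suggest "Since BitLocker is proprietary, closed-source software, ...". Separately, this paragraph and the infobox description both date the discontinuation to 2015, while the Schneier reference cited in the next paragraph carries 2014/05 in its URL, so the date should be checked against the sources.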
Line 18: | Line 18: | ||
==Security== | ==Security== | ||
− | TrueCrypt Version 7.1a was the last fully featured software. (7.2 was released only to encourage users to decrypt existing volumes.) In April 2015, TrueCrypt Version 7.1a successfully passed the second phase of a security audit, finding "no evidence of deliberate | + | TrueCrypt Version 7.1a was the last fully featured software. (7.2 was released only to encourage users to decrypt existing volumes.) In April 2015, TrueCrypt Version 7.1a successfully passed the second phase of a security audit, finding "no evidence of deliberate [[backdoor]]s, or any severe design flaws that will make the software insecure in most instances."<ref>https://opencryptoaudit.org/</ref><ref>http://blog.cryptographyengineering.com/2015/04/truecrypt-report.html</ref> Mirrors of the truecrypt download page quickly appeared. GRC reports that [[Google]] were generating false-positive malware infection warnings about their mirror download page.<ref>https://www.grc.com/misc/truecrypt/truecrypt.htm</ref> |
===Bug reports=== | ===Bug reports=== |
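Review bot: In the Security paragraph, "their mirror download page" does not say whose page is meant (GRC's or Google's); name the owner. In the same paragraph, "truecrypt download page" should be capitalised as "TrueCrypt" to match the rest of the article, and "finding" should be "which found", since the audit made the finding, not Version 7.1a.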
Latest revision as of 15:52, 27 August 2019
| TrueCrypt (software, encryption) | |
|---|---|
| Type | technology |
| Start | 2004-02 |

Widely praised disk encryption software, abruptly discontinued in 2015. Version 7.1a (not 7.2) is the latest fully functional version.
Sudden discontinuation
The software's Sourceforge page was abruptly edited in May 2015, to begin with the following red warning:
WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues.
Since Microsoft's BitLocker is proprietary, closed-source software, the site's recommendation to switch to it makes no sense at all, and so some have interpreted the recommendation as an indication that the developers had been pressurised but prohibited from directly stating so, i.e. as a warrant canary.[1]
Warrant Canary?
Some speculated that "not secure as" may be a coded reference to the National Security Agency.[2] This was followed up by the observation that the whole phrase may contain a hidden acronym: "Using TrueCrypt is not secure as it may contain unfixed security issues" ~ "Uti NSA im cu si". The language and meaning of this are debated, but many interpret it as a warrant canary.[3][4]
Legal status
The code had a non-standard open source licence that did allow derivative products, although the developers later made comments discouraging this practice. It has been forked by other developers, and the original code is being treated as abandonware. Perhaps the most notable fork is VeraCrypt.
Security
TrueCrypt Version 7.1a was the last fully featured version. (7.2 was released only to encourage users to decrypt existing volumes.) In April 2015, TrueCrypt Version 7.1a successfully passed the second phase of a security audit, which found "no evidence of deliberate backdoors, or any severe design flaws that will make the software insecure in most instances."[5][6] Mirrors of the TrueCrypt download page quickly appeared. GRC reports that Google were generating false-positive malware infection warnings about GRC's mirror download page.[7]
Bug reports
It was reported in September 2015 that James Forshaw had found two bugs in the software, CVE-2015-7358 and CVE-2015-7359, of which the former was "critical". Details of the bugs were not immediately released, but Forshaw advised switching to a forked version of the code, VeraCrypt.[8]
References
1. http://truecrypt.sourceforge.net/
2. https://www.schneier.com/blog/archives/2014/05/truecrypt_wtf.html
3. https://www.livebusinesschat.com/smf/index.php?topic=5629.0
4. http://www.reddit.com/r/conspiracy/comments/289070/hidden_message_on_the_new_sourceforge_truecrypt/
5. https://opencryptoaudit.org/
6. http://blog.cryptographyengineering.com/2015/04/truecrypt-report.html
7. https://www.grc.com/misc/truecrypt/truecrypt.htm
8. http://www.pcworld.com/article/2987439/encryption/newly-found-truecrypt-flaw-allows-full-system-compromise.html