TrueCrypt
TrueCrypt (software, encryption) | |
---|---|
Type | technology |
Widely praised disk encryption software, abruptly discontinued in 2015. Version 7.1a (not 7.2) is the latest fully functional version. |
Contents
Sudden discontinuation
The software's Sourceforge page was abruptly edited in May 2015, to begin with the following red warning:
WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues.
since it is proprietary, closed-source software, the site's recommendation to switch to Microsoft's BitLocker
Warrant Canary?
Some speculated that "not secure as" may be a coded reference to the National Security Agency.[2] This was followed up by the observation that the whole phrase may contain a hidden acronym: "Using TrueCrypt is not secure as it may contain unfixed security issues" ~ Uti NSA im cusi. The meaning of this is debated, as well as the language, but it is generaly understood as a warrant canary.[3][4]
Legal status
The code had a non-standard open source licence, and did allow derivative products, although the developers later commented discouraging this practice. It has been forked by other developers and the original code is being treated as abandonware. Perhaps the most notable fork is VeraCrypt.
Security
TrueCrypt Version 7.1a was the last fully featured software. (7.2 was released only to encourage users to decrypt existing volumes.) In April 2015, TrueCrypt Version 7.1a successfully passed the second phase of a security audit, finding "no evidence of deliberate backdoors, or any severe design flaws that will make the software insecure in most instances."[5][6] Mirrors of the truecrypt download page quickly appeared. GRC reports that Google were generating false-positive malware infection warnings about their mirror download page.[7]
Bug reports
It was reported in September 2015 that James Forshaw had found two bugs in the software, named CVE-2015-7358 and CVE-2015-7359, of which the former was "critical". Details of the bugs were not immediately released, but Forshaw advised switching to a forked version of the code, VeraCrypt.[8]
References
- ↑ http://truecrypt.sourceforge.net/
- ↑ https://www.schneier.com/blog/archives/2014/05/truecrypt_wtf.html
- ↑ https://www.livebusinesschat.com/smf/index.php?topic=5629.0
- ↑ http://www.reddit.com/r/conspiracy/comments/289070/hidden_message_on_the_new_sourceforge_truecrypt/
- ↑ https://opencryptoaudit.org/
- ↑ http://blog.cryptographyengineering.com/2015/04/truecrypt-report.html
- ↑ https://www.grc.com/misc/truecrypt/truecrypt.htm
- ↑ http://www.pcworld.com/article/2987439/encryption/newly-found-truecrypt-flaw-allows-full-system-compromise.html