TrueCrypt

From Wikispooks
Revision as of 07:11, 4 October 2015 by Robin (talk | contribs) (2 Bugs reported in TC7.1a)

TrueCrypt (software, encryption)
Type: technology
Widely praised disk encryption software, abruptly discontinued in 2015. Version 7.1 (not 7.2) is the latest fully functional version.

Sudden discontinuation

The software's SourceForge page was abruptly edited in May 2015 to begin with the following red warning:

WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues.

since it is proprietary, closed-source software, the site's recommendation to switch to Microsoft's BitLocker[1]

Warrant Canary?

Some speculated that "not secure as" may be a coded reference to the National Security Agency.[2] This was followed up by the observation that the whole phrase may contain a hidden acronym: "Using TrueCrypt is not secure as it may contain unfixed security issues" ~ Uti NSA im cusi. The meaning of this is debated, as well as the language, but it is generally understood as a warrant canary.[3][4]

Legal status

The code had a non-standard open source licence, and did not allow derivative products. It has been forked by other developers and the original code is being treated as abandonware. Perhaps the most notable fork is VeraCrypt.

Security

TrueCrypt Version 7.1a was the last fully featured version. (7.2 was released only to encourage users to decrypt existing volumes.) In April 2015, TrueCrypt Version 7.1a successfully passed the second phase of a security audit, which found "no evidence of deliberate backdoors, or any severe design flaws that will make the software insecure in most instances."[5][6] Mirrors of the TrueCrypt download page quickly appeared. GRC reports that Google were generating false-positive malware infection warnings about their mirror download page.[7]

Bug reports

It was reported in September 2015 that James Forshaw had found two bugs in the software, named CVE-2015-7358 and CVE-2015-7359, of which the former was "critical". Details of the bugs were not immediately released, but Forshaw advised switching to a forked version of the code, VeraCrypt.[8]



References