The Privacy BlogPrivacy, Security, Cryptography, and Anonymity

May/14

29

Do you need to replace TrueCrypt immediately?

Truecrypt flurry icon by flakshack d4jjwdo

For years, TrueCrypt has been the gold standard open source whole disk encryption solution. Now there is a disturbing announcement on the TrueCrypt website. Right at the top it says “WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues”.

The rest of the page has been changed to a notice that development on TrueCrypt stopped this May, and directions for migrating from TrueCrypt to BitLocker, the disk encryption tool built in to Windows. Of course, this is of little help to anyone using TrueCrypt on Mac or Linux. It is still possible to download TrueCrypt from the site, but the code now will not create new vaults, and warns users to migrate to a new platform.

There are certainly alternatives, but this is a real shock. On Mac, one could always use the built in FileVault tool. Linux users may have a harder time finding a good replacement. 

The big question is, what the heck is actually going on here. This is all far too cryptic, with no where near enough actual information to draw intelligent conclusions.

A recent independent audit of TrueCrypt discovered “no evidence of backdoors or otherwise intentionally malicious code in the assessed areas.”

There are a number of theories about what is going on ranging from credulous to paranoid.

  • Like Lavabit, they received a National Security Letter requiring compromise of the code. This is their way of resisting without violating the gag order.
  • They have been taken over by the government, and they are trying to force everyone to move to a less secure / more compromised solution.
  • There really is a gigantic hole in the code. Releasing a fix would tell attackers the exact nature of the vulnerability, which most people would take a very long time to address. Having everyone migrate is the safest solution.
  • Some personal conflict within the TrueCrypt developers is leading to a “take my ball and go home” action.
  • The developers only cared about protecting windows users with XP or earlier, which did not have the built in disk encryption. Now that XP support has ended, they don’t feel it is valuable any more. This is suggested by the full wording of the announcement.
  • The website or one of the developer’s computers was compromised, and this is a hack / hoax.

The whole thing is really odd, and it is not yet obvious what the best course of action might be.

The safest option appears to be to remove TrueCrypt, and replace it with some other solution, either one that is built in to the OS, or from a third party.

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook, Twitter, and Google+.

· ·

1 comment

  • Dave Howe · June 7, 2014 at 12:20 am

    The main take-home point is that nobody knows yet.

    The audit guys have been paid already, so will be completing their audit, and once that is done, we will know if there is a remediable flaw in the code (in which case, a fork will be required to fix it), an irremediable flaw (in which case, you will need to move to something else) or no security-affecting flaws at all, at which point you are good to stay with 7.1a for a while yet.

    Without a fork, this will clearly not be a long-term viable solution, but at least three different groups have stepped up to the plate there already (plus of course the original team may resume work, if the alternative is for someone else to take over) so unless there is a flaw so terrible that no amount of remedial work could fix it (and we need to build a replacement for TC from the ground up) there are good hopes for a long term future for TC, under whatever name it finally emerges from its ashes…

Leave a Reply

<<

>>