Independent encryption software TrueCrypt is apparently not as secure as many thought. Yesterday (May 28), the TrueCrypt homepage was suddenly replaced with a notification that read "WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues."
TrueCrypt is used by many security-minded people, including NSA whistleblower Edward Snowden, to turn a storage device (such as a flash drive or hard drive) or a partition of one into an encrypted volume, protecting the documents stored in that volume from prying eyes.
But TrueCrypt's creators never revealed their true identity, which caused others to be skeptical of its integrity. TrueCrypt was recently the subject of an independent security audit examining TrueCrypt's code for flaws, bugs or backdoors.
TrueCrypt's abrupt warning was accompanied by instructions for how to transfer TrueCrypt-encrypted files to BitLocker, the Microsoft-owned service built into Microsoft Vista Ultimate and Enterprise, Windows 7 Ultimate and Enterprise, and Windows 8 Pro and Enterprise versions.
The warning suggested that TrueCrypt was intended to be used on Windows XP, Microsoft's earlier operating system, which lacks a built-in encryption option.
"The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP," the warning read. "Windows 8/7/Vista and later offered integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms."
But the TrueCrypt software had versions for the more recent Windows operating systems, as well as for Mac OS X, Linux and Android (the latter via third-party apps). Many security-minded people valued TrueCrypt for its perceived independence from major software companies, even though the creators' identities were never revealed.
Some have speculated that TrueCrypt may have been pressured to close down in the face of government scrutiny, as encrypted-email service Lavabit was in 2013.
Others suggested that TrueCrypt's website might have just been hacked, or defaced as part of a prank. But independent security expert Brian Krebs says that appears unlikely; he looked at the site's records and found "no substantive changes recently" to its hosting, DNS or WHOIS records.
It seems that the mysterious people behind TrueCrypt simply decided to end the project.
"Whether hoax, hack or genuine end-of-life for TrueCrypt, it's clear that no security-conscious users are going to feel comfortable trusting the software after this debacle," wrote independent security expert Graham Cluley on his blog. "It's time to start looking for an alternative way to encrypt your files and hard drive."
So could the fact that it was being audited have anything to do with TrueCrypt shutting down? The first round of the audit, which looked at TrueCrypt's bootloader, found it to be secure. The next round, to be completed this summer, was to examine the cryptography used in the software.
The organizer of the TrueCrypt audit was Matthew Green, a security expert and cryptography professor at Johns Hopkins University in Baltimore, Maryland.
"Last I heard from Truecrypt: 'We are looking forward to results of phase 2 of your audit. Thank you very much for all your efforts again!'" Green tweeted today.
Green says the audit will continue. He also suggested that other independent cryptographers might be able to continue the TrueCrypt developers' work, but the product's ambiguously worded license will probably make that difficult.
"I was starting to have warm and fuzzy feelings about the code, thinking [the developers] were just nice guys who didn’t want their names out there," Green told Krebs in an interview on the latter's blog. "But now this decision makes me feel like they’re kind of unreliable. Also, I’m a little worried that the fact that we were doing an audit of the crypto might have made them decide to call it quits."
Until more is revealed, TrueCrypt users should probably stop using the software.