Independent encryption software TrueCrypt is apparently not as secure as many thought. Yesterday (May 28), the TrueCrypt homepage was suddenly replaced with a notification that read "WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues."
TrueCrypt is used by many security-minded people, including NSA whistleblower Edward Snowden, to turn a storage device, such as a flash drive or hard drive or a partition of such a device, into an encrypted volume, protecting the documents stored in that volume from prying eyes.
But TrueCrypt's creators never revealed their true identity, which caused others to be skeptical of its integrity. TrueCrypt was recently the subject of an independent security audit examining TrueCrypt's code for flaws, bugs or backdoors.
TrueCrypt's abrupt warning was accompanied by instructions for how to transfer TrueCrypt-encrypted files to BitLocker, the Microsoft-owned service built into Microsoft Vista Ultimate and Enterprise, Windows 7 Ultimate and Enterprise, and Windows 8 Pro and Enterprise versions.
The warning suggested that TrueCrypt was intended to be used on Windows XP, Microsoft's earlier operating system, which lacks a built-in encryption option.
"The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP," the warning read. "Windows 8/7/Vista and later offered integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms."
But the TrueCrypt software had versions for the more recent Windows operating systems, as well as for Mac OS X, Linux and Android (the latter via third-party apps). Many security-minded people valued TrueCrypt for its perceived independence from major software companies, even though the creators' identities were never revealed.
Some have speculated that TrueCrypt may have been pressured to close down in the face of government scrutiny, as encrypted-email service Lavabit was in 2013.
Others suggested that TrueCrypt's website might have just been hacked, or defaced as part of a prank. But independent security expert Brian Krebs says that appears unlikely; he looked at the site's records and found "no substantive changes recently" to its hosting, DNS or WHOIS records.
It seems that the mysterious people behind TrueCrypt simply decided to end the project.
"Whether hoax, hack or genuine end-of-life for TrueCrypt, it's clear that no security-conscious users are going to feel comfortable trusting the software after this debacle," wrote independent security expert Graham Cluley on his blog. "It's time to start looking for an alternative way to encrypt your files and hard drive."
So could the fact that it was being audited have anything to do with TrueCrypt shutting down? The first round of the audit, which looked at TrueCrypt's bootloader, found it to be secure. The next round, to be completed this summer, was to examine the cryptography used in the software.
The organizer of the TrueCrypt audit was Matthew Green, a security expert and cryptography professor at Johns Hopkins University in Baltimore, Maryland.
"Last I heard from Truecrypt: 'We are looking forward to results of phase 2 of your audit. Thank you very much for all your efforts again!'" Green tweeted today.
Green says the audit will continue. He also suggested that other independent cryptographers might be able to continue the TrueCrypt developers' work, but the product's ambiguously worded license will probably make that difficult.
"I was starting to have warm and fuzzy feelings about the code, thinking [the developers] were just nice guys who didn’t want their names out there," Green told Krebs in an interview on the latter's blog. "But now this decision makes me feel like they’re kind of unreliable. Also, I’m a little worried that the fact that we were doing an audit of the crypto might have made them decide to call it quits."
Until more is revealed, TrueCrypt users should probably stop using the software.
Email firstname.lastname@example.org or follow her @JillScharr and Google+. Follow us @TomsGuide, on Facebook and on Google+.
2. A last attempt to conceal the real creators behind it (NSA), after convincingly posing as the one independent encryption solution; now that the audit is getting uncomfortably close to the people behind it the last resort is to abruptly shut it down.
However, going forward I wouldn't trust TrueCrypt. Even if this was a joke, internal bickering, or a malicious hacker, the trust has already been ruined. These guys are anonymous developers for a reason, the bad part is that anonymity can kill you if something like this happens. Nobody knows who these guys are so any information coming out could be easily proclaimed as being fake from this point on.
Huge hit to the future of Volume based encryption. There aren't a lot out there, let alone ones that are completely free.
My personal take on the matter is that the Truecrypt team has been slowly dissolving since the last version was released two years ago, and the last people maintaining the project have given up on it in a "f*ck it all" way.
In any case, since it's open source it's likely another team will take the baton. Truecrypt is too useful to pass it up, and the initial audit of the software was passed without problems.
Regardless, unless you build it yourself, looks like you can trust nobody.
And yet both of you don't have proof to back up your baseless claims. I work for a Fortune 500 company that uses Bitlocker and contrary to what you believe, Bitlocker does not have any backdoors. This is because we hire an independent security auditor to scrutinize Bitlocker's source code (from time to time), subject to a non-disclosure agreement with Microsoft.
What complete BS...