TrueCrypt may not be secure

Recently, I posted three articles of a four-part series showing how to encrypt an external drive with TrueCrypt on Fedora 20. As-of today, May 28th, TrueCrypt may not be secure after-all.

The truecrypt.org website now redirects to truecrypt.sourceforge.net. A warning is displayed that reads, “WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues” and it directs users to alternative encryption packages for Windows, Mac, and Linux.

20140528_001

Ars Technica, Hacker News, and The Register have a good articles, so I won’t repeat everything they’re saying. Initially, it appeared that the TrueCrypt website was hacked. However, in addition to the website updates, new binaries were released that display warnings like INSECURE_APP when users try to encrypt data. The binaries, however, are signed with the developer’s key. In addition, a Wikipedia user named Truecrypt-end attempted to update the Wikipedia page with the same messages, but it was rejected by moderators. TrueCrypt was recently going through an independent security audit, and it passed Phase 1 in April. However, this doesn’t seem to be related.

A thread on r/crypto offers up a couple explanations:

  1. The website was hacked, and the keys are presumed to be compromised. The last working version is 7.1a and version 7.2 is a hoax/malware/spam
  2. Something bad happened to the developers (Lava-bit style extortion or major bug/flaw found in code) and this version is legitimate

We’ll have to see how this one plays out.

-Logan

Leave a Comment