Prime Factors Blog

Real or Hoax, TrueCrypt Insecure Warning Announcement on Web Page Erodes Trust

Posted by Jeff Cherrington on May 29, 2014 12:00:00 PM

Yesterday (May 28, 2014), an announcement appeared on the SourceForge page for the TrueCrypt open source disk encryption software. It still shows today, in alarm-red font: “WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues”. I waited a day to comment, as the warning appeared with such a lack of fanfare or pre-staging that many of us suspected it might ‘only’ be a case of website hijack and cyber vandalism.

Now, opinions are coming in, and the announcement is looking less and less like a hoax, yet no real explanation for its abrupt appearance has emerged. The warning statement goes on to say that development ended this month, tied to the end of Microsoft’s support for Windows XP, which only increases the consternation, since the open source can (could?) also be used on Apple® OS X® and Linux®. For all operating systems, the TrueCrypt pages now direct that the software should only be downloaded “…if you are migrating data encrypted by TrueCrypt.” The most telling indicator that this may not be vandalism is that the source and binaries available for download are now significantly changed: the source is thick with changes and comments such as “INSECURE_APP”, and the compiled app available for download will only decrypt and does not encrypt.

Others are writing on this, as must be expected. Find good analysis in James Lyne’s article for Forbes and, naturally, Brian Krebs has weighed in with his thoughts.

The dust still hangs in the air over this announcement and its origins. Still, real or fake, its existence casts serious suspicion on the integrity of TrueCrypt across the board. A good friend, Joe Sturonas, long familiar with encryption, web site integrity, and open source, phrased it better than I could have: “…this will be a long time to get sorted out and trusted again [if ever]. Funny, with security software, you are only as secure as your website.” Wise words for all of us in data protection roles…
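The closing point, that the distribution site itself is the weak link, suggests the one check a practitioner can run without trusting the site: pin the digests of artifacts you already hold and compare anything re-published against them. The script below is an added example, not code from the original post or from the TrueCrypt project; its file names, byte contents and "first download" snapshot are constructed so it runs offline. A digest published next to the download on the same site is no defense against site compromise; the pinned values must come from an earlier copy or a second channel, or be replaced by a signature check against a key obtained out of band.

```python
"""
Pin-and-verify check for downloaded security software.

Added example, not code from the original post or from the TrueCrypt
project. The artifact bytes, file names and the "first download" snapshot
are all constructed here so the script runs offline.
"""
import hashlib
import hmac
from typing import Dict

# Constructed stand-ins for a vendor's release artifacts as first obtained
# (e.g. recorded months before any suspicious site change). In practice the
# pinned digests would come from a second channel: an earlier copy you kept,
# a mirror, or a signature checked against a key obtained out of band.
ORIGINAL_DOWNLOADS: Dict[str, bytes] = {
    "tool-setup.exe": b"MZ\x90\x00constructed-original-installer-bytes",
    "tool-src.tar.gz": b"\x1f\x8bconstructed-original-source-tarball",
}


def sha256_hex(data: bytes) -> str:
    """Return the lowercase hex SHA-256 digest of data."""
    return hashlib.sha256(data).hexdigest()


def pin_manifest(downloads: Dict[str, bytes]) -> Dict[str, str]:
    """Record a digest for each artifact at the time it was first trusted."""
    return {name: sha256_hex(data) for name, data in downloads.items()}


def verify_artifact(data: bytes, expected_hex: str) -> bool:
    """Compare a fresh download against the pinned digest in constant time."""
    return hmac.compare_digest(sha256_hex(data), expected_hex)


def audit_downloads(manifest: Dict[str, str], fresh: Dict[str, bytes]) -> Dict[str, str]:
    """
    Classify each artifact offered today against the pinned manifest:
      'ok'       - bytes match what was pinned
      'CHANGED'  - same file name, different content (re-published binary)
      'NEW'      - never pinned, so there is nothing to compare against
      'MISSING'  - was pinned but is no longer offered
    """
    result: Dict[str, str] = {}
    for name, digest in manifest.items():
        if name not in fresh:
            result[name] = "MISSING"
        elif verify_artifact(fresh[name], digest):
            result[name] = "ok"
        else:
            result[name] = "CHANGED"
    for name in fresh:
        if name not in manifest:
            result[name] = "NEW"
    return result


# Constructed "today" snapshot: the installer was silently replaced and a
# migration-only build appeared, while the source tarball is unchanged.
TODAYS_DOWNLOADS: Dict[str, bytes] = {
    "tool-setup.exe": b"MZ\x90\x00constructed-REPUBLISHED-installer-bytes",
    "tool-src.tar.gz": ORIGINAL_DOWNLOADS["tool-src.tar.gz"],
    "tool-decrypt-only.exe": b"MZ\x90\x00constructed-migration-only-build",
}

if __name__ == "__main__":
    pinned = pin_manifest(ORIGINAL_DOWNLOADS)
    for name, status in sorted(audit_downloads(pinned, TODAYS_DOWNLOADS).items()):
        print(f"{status:8s} {name}")
```

Run against the constructed snapshots, the audit reports the installer as CHANGED, the source tarball as ok and the decrypt-only build as NEW, which is exactly the signal the post describes seeing by hand. The comparison uses hmac.compare_digest so that checking a digest does not leak timing information about how much of it matched; for real releases the same routine would be fed the bytes of the file on disk and a manifest kept somewhere the distribution site cannot edit.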