05-29-14 | Blog Post
The development of a widely-used encryption tool appears to have come to an end.
The TrueCrypt page at SourceForge is telling visitors that the open source encryption software “is not secure as it may contain unfixed security issues.” It informs users to not use their software because development ended this month after Microsoft terminated support of Windows XP. It also provides steps to migrate from TrueCrypt to Microsoft’s BitLocker.
Early concern that the message was a hoax or hostile takeover appear to be unfounded. KrebsonSecurity.com reports “a cursory review of the site’s historic hosting, WHOIS and DNS records shows no substantive changes recently.” More from KrebsonSecurity.com:
What’s more, the last version of TrueCrypt uploaded to the site on May 27 shows that the key used to sign the executable installer file is the same one that was used to sign the program back in January 2014 (hat tip to @runasand and @pyllyukko). Taken together, these two facts suggest that the message is legitimate, and that TrueCrypt is officially being retired.
Privacy and security researcher Runa Sandvik told the Washington Post that the recently released updated version of TrueCrypt “contains the same sort of warning as the site” and that encryption abilities are disabled. Kaspersky Lab researcher Costin Raiu confirmed to ThreatPost.com that version 7.2, signed Tuesday, used the same key used by the TrueCrypt Foundation for as long as two years.
The popular and trusted encryption tool was developed and maintained by anonymous coders. It has been used by many security-conscious people for more than 10 years. It works by encrypting the contents of a hard drive with random data that has no detectable signature, making it extremely difficult to determine what is on the drive or the method used to protect the information that might help criminals crack the encrypted volume.
Johns Hopkins University professor Matthew Green, a skeptic of TrueCrypt who led the crowdsourced funding for a security audit of the software, told KrebsonSecurity.com that he was conflicted about the decision. The first review, released last month, revealed no backdoors. A second review is pending.
“Today’s events notwithstanding, I was starting to have warm and fuzzy feelings about the code, thinking [the developers] were just nice guys who didn’t want their names out there,” Green said. “But now this decision makes me feel like they’re kind of unreliable. Also, I’m a little worried that the fact that we were doing an audit of the crypto might have made them decide to call it quits.”
KrebsonSecurity.com: True Goodbye: ‘Using TrueCrypt Is Not Secure’
Threatpost.com: Ominous warning or hoax? TrueCrypt warns software not secure, development shut down
Washington Post: Is this the end of popular encryption tool TrueCrypt?