Many users of a popular open source encryption program called TrueCrypt have begun seeking new and more trustworthy software. On Wednesday, the download page was changed to display a combination of words users fear most. The ominous and unexpected message informed users that TrueCrypt is not secure and may contain unfixed security issues. The message went on to say that the download page exists only to help users migrate existing encrypted data.
Users were provided with instructions on how to successfully move their data to BitLocker, a well-known Microsoft encryption program. A notice also announces that the development of TrueCrypt was ended as Microsoft terminated support for Windows XP; all later Windows operating systems offer integrated support for virtual and encrypted disks.
While an updated version of the program was recently released, it contains the same warning and many of the key features are disabled. The disabled features include encryption, while decryption of files is still possible. It is not recommended that users use this program, as it was signed with the same key as previous releases. This means that users of TrueCrypt must seek out new software that will be more secure.
It is still unknown what caused the shutdown; however, there are many rumors. Some of the scenarios include a takeover of TrueCrypt assets or a possible exit strategy for the anonymous and mysterious team of developers. There is no ideal scenario in this situation, as the software was popular and trusted. It was available on a wide range of platforms and had many users. One of the famous users of TrueCrypt is Edward Snowden, a former National Security Agency contractor and whistleblower.
TrueCrypt was an open source project created entirely by volunteers. Although the group did receive donations, it is unclear both how many donations were received and the reason for the possible walk-out.
The TrueCrypt Audit Project was started by Matthew Green, an associate professor of computer science at Johns Hopkins University. Green and other privacy researchers had wanted to study the security of the tool due to its widespread use. The first phase of the audit was released in April, and the results were promising with few minor issues. At the time, the whole project was still well under way.
Green believes that the way TrueCrypt has ended raises issues about the dependency of users on volunteer projects when it comes to encryption. If in the beginning encryption was just a toy, now it has become something many people heavily rely on.
A third scenario is the possibility of a hack, which raises concern over the security of TrueCrypt. Because the key used to sign the update was very likely to have been kept offline, the hack would have required a physical tracking of the group. Many, however, believe that the developers have abandoned the project, which is a worrying sign that they were not as put together as users who relied on them had expected them to be.
This comes a month after the Heartbleed bug was found in OpenSSL, used by many sites across the web to secure sensitive and private browsing data. Many major tech companies and websites were left scrambling to update when it was discovered that the bug was capable of leaking data from the servers' memory. Now, users of TrueCrypt are in the same position, seeking new software.
By Ivelina Kunina