Warning: TrueCrypt No Longer Stable
Users of the widely used TrueCrypt data encryption program may be forced to search for alternative software.
As of May 29, the official TrueCrypt page is alerting visitors that “using TrueCrypt is not secure as it may contain unfixed security issues.” The statement, listed in large, red letters atop the homepage, does not provide any additional details about the state of the program, and the secretive nature of the software's owners is causing some users to speculate about whether or not the message is the result of a hack.
To determine whether the alert is genuine, Ars Technica has delved into how posts are made to the TrueCrypt SourceForge site. Although the Ars author, Dan Goodin, comments that his organization could not determine if the post is authentic, he repeats the comments of an official TrueCrypt auditor, Matthew Green, who said on his Twitter account, “I think this is legit.”
Green helped lead a TrueCrypt audit that had its results released in April. As a result of recent financial support for the program – following revelations about the NSA's capability to decode secure Internet traffic – additional audits were scheduled to take place.
Additionally, Goodin points to a “diff” analysis posted at Alchemist Owl that displays changes between the two most recent versions of the software and shows that it may no longer be stable.
Despite this analysis, users are speculating that the post may be a fake. One reason for their skepticism is that the official site recommends that Windows users switch to BitLocker to secure their data. The site urges Mac and Linux users to take advantage of their respective system tools for any future encryption. The site admins appear to be willingly sending people away from their own software without rhyme or reason. That said, if the warning is legitimate, it appears that the TrueCrypt team is leading users toward better, safer encryption solutions for at least the time being.
The vague message on the site does not appear to be helping its claim that the software is unsafe. However, it is usually not in the interest of security-minded individuals to ignore bold, red letters. Any users out there would do best to look into alternatives at their earliest convenience.