Today, something odd happened.
The official website for the Trucrypt cross-platform open source encryption program was forwarded to a warning that due to Windows XP being sunsetted, Truecrypt is no longer being maintained, is unsafe to use, and that users should switch to Microsoft’s Bitlocker instead. Additionally, the program was “updated”, such that it only decrypts data, and warns you every step of the way that it’s unsafe to use.
This has caused a minor panic across the Internet. Obviously something strange has happened to Truecrypt and its developers. Was the software really unsafe? Was their website compromised? Is this a hoax or the doing of a three-letter agency?
I’d like to offer some analysis and my possible theories.
So what happened?
Update 30 May: Security researcher Steve Gibson claims to have emails from the original Truecrypt developers saying that they’ve decided to no longer work on the project, for no particular reason other than that the project has run its course. The dire warnings in regards to Truecrypt’s security are purportedly only to remind users that should any vulnerabilities be discovered, the original team won’t fix them.
Truecrypt’s website, truecrypt.org, is normally a place to download Truecrypt binaries, source code, PGP keys, and view documentation and best practices. As of 28 May, it immediately forwards to a SourceForge page warning users that Truecrypt development has stopped, may contain unfixed security issues, and gives instructions on how to, on Windows, migrate a Truecrypt volume to Mirosoft’s Bitlocker.
It also offers a new version of Truecrypt, which only exists to decrypt volumes for the purpose of migrating them to other encryption suites. A comparison between the two versions of source code shows that most if not all of the changes either disable an encryption function, or give the user a warning not to use the software. It’s not immediately apparent that these changes either introduce or activate a backdoor in the software.
Why it looks fishy
- The End-of-Life of Windows XP is not a good reason to discontinue development of software that targets it, among other operating systems
- Windows XP, despite being no longer support by Microsoft, is still used by 26% of Internet users, according to Netmarketshare.
- Truecrypt now recommends Bitlocker, which is only available on Windows 7 Professional and up, and Windows 8 Pro. Most people don’t have access to it, so it’s not an option for them.
- Truecrypt serves more than one OS. In fact, a big draw to it over Bitlocker or LUKS is that created volumes are usable across platforms
- Instead of fixing a security vulnerability (See blow for reasons not to, though), just cut the software? That’s a tad irresponsible!
- Plenty of unmaintained software is still in use today, even after years of neglect. And why not let the community take over?
Lavabit. All over again. – After it received an order to turn over SSL keys to the US government, email provider Lavabit decided to discontinue services and shut down. Lavabit’s owners essentially sacrificed their service to protect the privacy of its users. The same thing may have happened to Truecrypt. Under pressure to add some sort of backdoor to the software, the developers decided to get ahead of the curve by shouting far and wide that the software is unsafe, in a way that doesn’t violate any gag order they may be under.
Three-letter agency. – The suggestion to move to Microsoft’s Bitlocker is of particular interest. Bitlocker has been attacked by the security community for a multitude of reasons. It’s closed source software, there’s no way to see what’s going on behind the scenes, and Microsoft has a history of voluntarily cooperating with the NSA in regards to their Outlook, SkyDirve, and Skype products. It’s hard to put faith in Bitlocker. If Bitlocker does indeed contain a backdoor, or is vulnerable to third-parties, suddenly there’s a motivation to strongarm Truecrypt’s developers into recommending it.
Actual vunlerability. – It’s entirely possible that the previously-current version of Truecrypt contained a very serious vulnerability. The immediate reaction is to patch it, but Truecrypt didn’t contain any sort of auto-updater or a function to phone home to check for new versions. Joe Everyman who doesn’t follow the security scene wouldn’t have any warning to update his software to a newer version. Since Truecrypt is open source, patching a vulnerability gives some pretty big pointers as to what it was, and how it could have been exploited. The practical upshot of this is that is a vulnerability is bad enough, it may have made more sense to scare users into fleeing from Truecrypt and shredding their volumes, before they can be compromised.
However, it’s very important to point out that a crowdfunded audit of Truecrypt was performed by iSec, the results have been published, and no serious vulnerabilities were found. Any huge, glaring problem with Truecrypt itself would have been revealed in this audit. What wasn’t checked, however, is the actual cryptography that Truecrypt uses, but it’s also important to point out that the algorithms that Truecrypt uses are used in many other programs and protocols, including SSL.
Pranks and hoaxes. – We already know what can happen with with a phone call to a registrar. The Truecrypt website is used to serve the binary and the PGP key that signs it. I’m willing to bet it was very well secured from attack. All an attacker would need to do is social engineer the registrar of record for truecrypt.org into giving him access, and then use that as a jumping point to reset the password for the Sourceforge and Github accounts, and he has a platform to pull off a pretty scary prank.
As of this post, Truecrypt.org has IP address 18.104.22.168, which serves a 301 redirect to the Sourceforge page. This theory could still be valid if an attacker did compromise the server, the question just becomes why not deface that server directly? It would be helpful if somebody could grab a “history” of IPs for that domain.
Update: According to Netcraft, the IP address for truecrypt.org last changed in 2009. Additionally, it’s been enough time since the change that a compromise of the server is very unlikely. Thanks to Clarke in the comments for the link!
Sabu did it. – trmj on Slashdot (jokingly) suggests that Hector “Sabu” Monsegur no longer has any obligation to keep Truecrypt going (assuming he’s behind it), and so he took down a tool the FBI is supposedly using to lull users into a false sense of security. Again, this theory was designed to be a joke.
Engineer Apathy – The Truecrypt project has been ongoing for some time. The developers may have made an executive decision to discontinue support for the product. In theory, this means that any security vulnerabilities found in the software would go unfixed, making it unsafe. If this is the case, though, it’s a bit… rude… to just abruptly say the software’s full of holes and you should switch to something else. Any project that’s been discontinued in the past has had some letter from the developers explaining the circumstances behind the discontinuation. We obviously haven’t seen any such letter from the Truecrypt developers, but security researcher Steve Gibson has given us a rendition of what such a letter might look like.
Finally, rgaloppini on Y Combinator is claiming to have some information from Sourceforge, but it’s most likely fake. Sourceforge probably wouldn’t give out information like that, and the recent buzz surrounding Truecrypt would more than certainly cause a noticeable spike in traffic. Added to that, now everybody who visits what used to be a separate site now leads to the Sourceforge page; it didn’t used to do that.
Is it safe to use Truecrypt?
The current version of Truecrypt is functionally useless. However, I had Linux 64 bit and Windows binaries of Truecrypt 7.1a (the last “good” version) lying around, which I’ve uploaded to this site. Other versions and PGP signatures for them are available at this Github repo.
Depending on why this happened, it’s unclear whether or not the old version of Truecrypt is safe to use, or if it’s vulnerable. What I can tell you is that this version’s source code has been vetted by a third-party security firm, and that other research has shown that this source code does reliably compile to the same binary that truecrypt.org was handing out.
Whether you should use Truecrypt at this point largely becomes a question of what you’re using it for. If you’re trying to keep your personal information out of the hands of potential thieves, it’s more than enough. If you’re trying to keep your information away from a nosy roommate, it’s more than enough. If you’re trying to hide secrets from a police state, encryption probably won’t help you anyway.
Barring a successful attack in AES, Truecrypt 7.1a is probably safe. Probably.
Have any additional theories? Any alternatives to Truecrypt we should try? Shout out in the comments!