The official website for the TrueCrypt software warns users that the open source encryption software is no longer secure and states that development of the software has been terminated.
At the top of the TrueCrypt page on SourceForge, a message in red text reads: “WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues.”
“The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms (click here for more information). You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform,” the TrueCrypt website warned.
WEBSITE HIJACKED? SUGGESTING TO USE BITLOCKER!
The project abruptly ended support without any explanation from its developers and recommended Microsoft’s BitLocker as an alternative for Windows users, along with a detailed guide on how to migrate encrypted data to BitLocker.
This sudden security warning, combined with the suggestion of Microsoft’s BitLocker as an alternative, raises many questions. Many people around the web have assumed that a hacker compromised TrueCrypt’s SourceForge account, but it is still unclear whether the site was defaced or whether something more controversial is going on. Otherwise, why would the developers of a free and open source encryption tool recommend that its users switch to Microsoft’s BitLocker, a closed-source drive encryption tool that has itself been the subject of controversy?
It is possible that the TrueCrypt developers are aware of some critical vulnerability or backdoor that, in their view, would compromise the integrity of the well-regarded software, which has been downloaded more than 28 million times. Other possibilities include:
- A government or intelligence agency pressured the developers to include a backdoor, and they refused and shut the project down instead, as the Lavabit encrypted email service did.
- Someone hijacked the website and the signing keys in order to raise a false alarm.
Matthew Green, a professor specializing in cryptography at Johns Hopkins University who is also involved with the TrueCrypt audit, tweeted that he believes the announcement is a legitimate exit on the part of the developers and not a hack.
Significantly, the current version listed on the SourceForge page, version 7.2, was signed yesterday with the official TrueCrypt private signing key, the same key the TrueCrypt Foundation has used for as long as two years. This means the warning on TrueCrypt’s official homepage is not a hoax posted by some hacker or cyber criminal.
TrueCrypt had only recently cleared the first phase of a security audit, which focused on the TrueCrypt bootloader and Windows kernel driver, covering both their architecture and a code review. The security community took the initiative to perform a public security audit of TrueCrypt in response to Edward Snowden’s disclosures and to concerns that the National Security Agency (NSA) may have tampered with it.
The second phase of the audit has yet to begin; it is to include a thorough analysis of the various encryption cipher suites and of the implementation of the random number generators and critical key algorithms.
Is this the end of the popular encryption tool?
Whatever the reason behind the sudden shutdown of the most popular encryption tool, if the warning is legitimate it may be time for users to migrate their encrypted files to another encryption tool such as DiskCryptor.