Security Audit Of TrueCrypt Doesn't Find Any Backdoors -- But What Will Happen To TrueCrypt?
by Mike Masnick
Techdirt
Apr. 04, 2015

Over the past few years we've followed the saga of TrueCrypt. The popular and widely used full disk encryption system got some attention soon after the initial Snowden leaks when people started realizing that no one really knew who was behind TrueCrypt, and that the software had not been fully audited. Cryptographer Matthew Green decided to lead an effort to audit TrueCrypt. A year ago, the team released the first phase, finding a few small vulnerabilities, but no backdoors and nothing too serious. This week the full audit was completed and again finds no evidence of any backdoors planted in the code. Matthew Green's blog post on the report provides the key details, noting a few small issues that should be fixed, but nothing too serious:

"The TL;DR is that based on this audit, Truecrypt appears to be a relatively well-designed piece of crypto software. The NCC audit found no evidence of deliberate backdoors, or any severe design flaws that will make the software insecure in most instances."

However, as Green notes, the problem with the way it's implemented in TrueCrypt would only be a problem in "extremely" rare circumstances that wouldn't impact most users. But it's still something that could be fixed.

But that's where the problem lies. As you may recall, in the midst of all of this, the still anonymous developers behind TrueCrypt suddenly announced that it wasn't secure and that all development had ceased. There have been some efforts to fork and rescue TrueCrypt, but that's come with some skepticism as people feared what might be hidden in the code (and also some concerns about the TrueCrypt license). Hopefully this new audit puts at least some of those concerns to rest (though it's always good to be paranoid when building security software) and people really do put an effort into developing an updated version of TrueCrypt.

For what it's worth, I've seen a bunch of articles claiming the audit shows that TrueCrypt is safe. That's not quite true. It's just saying they didn't find anything -- which should be very reassuring, but you can never say with 100% certainty that the code is safe. Either way, what's needed now is more development moving forward.