TrueCrypt Travails Continue
Two serious bugs later, almost no one thinks it is a good idea to use TrueCrypt. But what are your options?
The credibility of the TrueCrypt encryption application is in tatters following the discovery of two serious flaws in the code.
Its anonymous developers abandoned the open source TrueCrypt project in May 2014, and since then no updates to the code have been released. At the time, the developers advised users to switch to an alternative encryption program such as Microsoft's BitLocker. Although TrueCrypt is still available for download, the developers suggest it should only be used to migrate data off TrueCrypt-encrypted drives.
A security audit of TrueCrypt by security firm iSec Research Lab identified numerous code quality issues but failed to find any serious flaws in the encryption system. Conspiracy theories notwithstanding, the audit, which was completed in April, identified no deliberate "back doors" that would enable government agencies or anyone else to decrypt data that had been encrypted with the program.
Critical TrueCrypt Flaws
The two new flaws, identified by James Forshaw, a security researcher on Google's Project Zero bug hunting team, were not spotted in iSec's security audit and are not directly related to TrueCrypt's implementation of cryptography.
"iSec phase 1 audit reviewed this specific code but Windows drivers are complex beasts - easy to miss local eop (elevation of privilege)," Forshaw commented in a tweet.
The discovery of these two bugs in code that had been audited by a reputable security company emphasizes the fact that finding bugs can be extremely hard: A security audit cannot guarantee that a piece of code is free of flaws.
Run, Don't Walk, from TrueCrypt
At the time TrueCrypt was discontinued, Gartner security analyst Mario de Boer believed it was feasible to continue using the application, despite its website publishing a warning against doing so.
"At this moment (I have not seen the results of the cryptographic code review) there is no reason to assume there is a major security issue," de Boer said at the time. "I also assume that if the audit reveals a flaw, it will be solvable and someone will fix it."
One year on and de Boer's advice is now unequivocally to abandon the software if you are still using it. "One of the first books on software security I read (Writing Secure Code by Howard and LeBlanc) proposed a bumper sticker text: 'Software never dies: it just becomes insecure.' That is what is happening to TrueCrypt. People should move away from any unsupported software, including TrueCrypt," he said.
This raises the question of which encryption application you should move to. While there are plenty of proprietary applications (such as BitLocker) to choose from, you may not be comfortable using any product for which the source code is not readily available for inspection.
Some users fear that proprietary software vendors might place a back door into their code. Others believe open source is inherently more secure due to the idea that "given enough eyeballs, all bugs are shallow."
(Though it's worth noting that just because an application is open source doesn't mean that all bugs will be spotted, or that they are more likely to be spotted than during a security audit.)
Another option is to use a TrueCrypt replacement written from scratch, but the problem with this is that to date no one has produced anything that can be considered ready for production use.
That's unlikely to happen any time soon, de Boer warns. "Writing an alternative would require deep understanding of software development and cryptography - a very, very rare combination," he said. "Part of the source code of TrueCrypt (E4M) predates TrueCrypt and is almost two decades old. It would require a major effort to write a similar application completely from scratch."
TrueCrypt Alternatives: VeraCrypt and CipherShed
VeraCrypt is a 2013 fork of the TrueCrypt code which is maintained and updated by Mounir Idrassi, an IT security consultant based in France. Idrassi has already fixed the two Project Zero bugs, as well as several memory-related bugs, including buffer overruns, and vulnerabilities which were uncovered by the iSec audit.