Something decidedly odd has befallen the hugely popular and iconic TrueCrypt encryption utility, used by security-aware users the world over to encrypt data with reasonable confidence that even the NSA's geeks with pocket protectors won't be able to break it.
On Wednesday, seemingly out of the blue, the open source project's website suddenly started redirecting to a page on SourceForge stating: "WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues."
Without specifying the nature of these issues, the message went on to pin the project's demise on the end of support for Windows XP, again without explaining why a well-trailed event relating to an obsolete operating system, which happened on 8 April, would have such a dramatic effect on the software.
It's true that the tool offers full disk encryption under XP, an OS that has no built-in facility of its own, but it also offers system and volume encryption under later versions of Windows for anyone who doesn't trust the alternatives (which is to say most FOSS users). XP's end of life should not have affected that.
Stranger still, users are advised to migrate their encrypted volumes to Microsoft's proprietary BitLocker, more or less anathema to mistrustful FOSS users, not to mention that BitLocker is only included in the Pro, Enterprise and Ultimate editions of Windows and not in the Home editions.
Coming only weeks after TrueCrypt was given a clean bill of health by the first phase of its first ever independent audit, the announcement was so unexpected and curt that many suspected the site had been hacked by a prankster.
Even though the latest version of the software, TrueCrypt 7.2, appears to have been signed with the same developer key as previous releases, many in the security community remain sceptical. A valid signature shows only that the release came from whoever holds the key; it says nothing about whether the key was stolen or whether its holder acted freely. TrueCrypt's developers are a shy bunch, but declaring the tool insecure without much explanation is not their accepted MO.
Either way, encryption software is painfully susceptible to appearances, and the appearance being created here is not good. With conspiracy theories multiplying, most users will stop using the software until a better option becomes apparent.
If the message turns out to be genuine it will be a sad end for a program that famously defied the FBI in 2008, after the bureau was called in to assist with a Brazilian police investigation.
Remember, barely five weeks ago the first phase of the audit commissioned by the Open Crypto Audit Project (OCAP) found only minor issues in a tool that has become the one certainty in the data paranoiac's security toolchest.
"I think it unlikely that an unknown hacker (a) identified the Truecrypt devs, (b) stole their signing key, (c) hacked their site," commented Matthew Green, a Johns Hopkins research professor involved with the OCAP initiative, on Twitter.
If that is the case, users are now living in the post-TrueCrypt era and need to come to terms with it as soon as possible.
What can be said is that if the message on TrueCrypt.org is genuine, it is almost a case study in how not to bring to a close the ten-year history of one of the most important independent security tools still in existence.