The open source encryption program TrueCrypt was suddenly shrouded in mystery and confusion yesterday. Visitors to the TrueCrypt site were redirected to a page on the open source hosting site SourceForge. The page advises users to stop using the product and migrate to Microsoft BitLocker instead. A warning at the top of the page says “using TrueCrypt is not secure as it might contain unfixed security issues”, followed by “this page exists only to help migrate existing data encrypted by TrueCrypt”.
This is a very strange turn of events. The first reaction was that it had to be a hack, and the obvious suspicion is that the project’s SourceForge account was compromised, but on inspection it looks real to me. In addition to declaring TrueCrypt insecure, the posting strangely ties the shutdown to the end of Windows XP support (which Microsoft ended in April), treating the two as connected even though there is no real relationship between them. It also publishes a final release, version 7.2. The previous release, 7.1a, dates from February 2012. The new build has been altered so that it can only decrypt existing volumes; it can no longer create new ones or encrypt anything. Its sole purpose is to help people migrate their data off TrueCrypt.
First of all, the Windows code-signing certificate used for 7.1a expired after that version was signed. The replacement certificate used to sign 7.2, however, was issued by the same certificate authority, and its validity period began before the old certificate expired. Everything about it looks normal; nobody would look at it twice. So the replacement appears legitimate and to have come from the people who controlled the previous certificate. Furthermore, the source packages for Linux and Mac were updated and signed with the same PGP key as before, which anyone can confirm by comparing the key fingerprint with the one the project published before the shutdown. If this was a hack, the attacker would have had to obtain a code-signing certificate in the developers’ name, their PGP key and the SourceForge account all at once, which is a stretch if you think about it. That is leading those looking at the situation to believe this was actually a takedown by the TrueCrypt developers themselves.
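The checks that reasoning rests on, written out as an added example that is not part of this post and uses none of TrueCrypt’s real certificates or keys: a toy CA issues a lapsed and a replacement code-signing certificate with constructed validity dates, a reviewer function confirms the replacement chains to the same CA, names the same publisher and was issued before the old one expired, and a release archive’s detached signature is checked against a key pinned from an earlier release (Ed25519 stands in for PGP here). All names, dates and keys are made up.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed dates, not TrueCrypt's real certificates: the old cert lapsed, the replacement was issued by the same CA while it was still valid.
var (
	oldNotBefore = time.Date(2011, 6, 1, 0, 0, 0, 0, time.UTC)
	oldNotAfter  = time.Date(2013, 6, 1, 0, 0, 0, 0, time.UTC)
	newNotBefore = time.Date(2013, 3, 1, 0, 0, 0, 0, time.UTC)
	newNotAfter  = time.Date(2016, 3, 1, 0, 0, 0, 0, time.UTC)
	signedAt     = time.Date(2014, 5, 28, 0, 0, 0, 0, time.UTC) // when the new build was signed
)

// Scenario is the toy PKI plus a release-signing key standing in for the project's PGP key.
type Scenario struct {
	Roots               *x509.CertPool
	Old, Repl, Impostor *x509.Certificate
	ReleasePub          ed25519.PublicKey
	ReleasePriv         ed25519.PrivateKey
}

func template(serial int64, cn string, nb, na time.Time, ku x509.KeyUsage) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: nb, NotAfter: na, KeyUsage: ku,
		BasicConstraintsValid: true, IsCA: ku&x509.KeyUsageCertSign != 0,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
}

// issue signs tmpl with the parent's key and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, signer ed25519.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	c, perr := x509.ParseCertificate(der)
	if err != nil || perr != nil {
		panic(fmt.Sprint(err, perr))
	}
	return c
}

func Build() *Scenario {
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)
	caTmpl := template(1, "Example Code Signing CA", oldNotBefore.AddDate(-1, 0, 0), newNotAfter.AddDate(1, 0, 0), x509.KeyUsageCertSign)
	ca := issue(caTmpl, caTmpl, caPub, caPriv)
	oldPub, _, _ := ed25519.GenerateKey(rand.Reader)
	newPub, _, _ := ed25519.GenerateKey(rand.Reader)
	old := issue(template(2, "Example Foundation", oldNotBefore, oldNotAfter, x509.KeyUsageDigitalSignature), ca, oldPub, caPriv)
	repl := issue(template(3, "Example Foundation", newNotBefore, newNotAfter, x509.KeyUsageDigitalSignature), ca, newPub, caPriv)
	// Impostor: identical subject name, but chained to a CA nobody trusts.
	roguePub, roguePriv, _ := ed25519.GenerateKey(rand.Reader)
	rogueTmpl := template(4, "Rogue CA", oldNotBefore, newNotAfter, x509.KeyUsageCertSign)
	rogue := issue(rogueTmpl, rogueTmpl, roguePub, roguePriv)
	impPub, _, _ := ed25519.GenerateKey(rand.Reader)
	imp := issue(template(5, "Example Foundation", newNotBefore, newNotAfter, x509.KeyUsageDigitalSignature), rogue, impPub, roguePriv)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	relPub, relPriv, _ := ed25519.GenerateKey(rand.Reader)
	return &Scenario{Roots: roots, Old: old, Repl: repl, Impostor: imp, ReleasePub: relPub, ReleasePriv: relPriv}
}

// SuccessorCheck is what a reviewer asks of a replacement signing cert: it chains to a trusted root for code
// signing at signing time, names the same issuer and subject as the lapsed cert, and was issued before it expired.
func SuccessorCheck(old, repl *x509.Certificate, roots *x509.CertPool, at time.Time) error {
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := repl.Verify(opts); err != nil {
		return fmt.Errorf("replacement does not chain to a trusted CA: %w", err)
	}
	if !bytes.Equal(old.RawIssuer, repl.RawIssuer) {
		return fmt.Errorf("issuer changed: %q -> %q", old.Issuer.CommonName, repl.Issuer.CommonName)
	}
	if !bytes.Equal(old.RawSubject, repl.RawSubject) {
		return fmt.Errorf("subject changed: %q -> %q", old.Subject.CommonName, repl.Subject.CommonName)
	}
	if repl.NotBefore.After(old.NotAfter) {
		return fmt.Errorf("replacement issued after the old cert lapsed (%s > %s)", repl.NotBefore, old.NotAfter)
	}
	return nil
}

// VerifyRelease checks a detached signature on a release archive against a key pinned
// from an earlier release; a valid signature from a never-seen key proves nothing.
func VerifyRelease(pinned ed25519.PublicKey, archive, sig []byte) bool {
	return ed25519.Verify(pinned, archive, sig)
}

func main() {
	s := Build()
	fmt.Println("replacement:", SuccessorCheck(s.Old, s.Repl, s.Roots, signedAt), "| impostor:", SuccessorCheck(s.Old, s.Impostor, s.Roots, signedAt))
	archive := []byte("constructed release archive bytes")
	fmt.Println("pinned key verifies release:", VerifyRelease(s.ReleasePub, archive, ed25519.Sign(s.ReleasePriv, archive)))
}
```

The order of the checks matters: chain validity is tested first with the time the build was signed, not the current clock, because a code-signing certificate that has since expired can still have been valid when the signature was made. The impostor case is the one a hasty reviewer misses, since its subject name is identical and only the issuing CA differs.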
The software’s creators are anonymous, so we have no real information about them. Reports say that the last contact with them indicated they were happy with all of this. The TrueCrypt developers were heard stating “we are looking forward to results of phase two of your audit. Thank you very much for all your efforts again”. This message was sent to Matthew Green, a security expert and cryptography professor at Johns Hopkins University. He organized the TrueCrypt audit and reached out to the developers in the hope of finding out what happened.
It seems that the people behind TrueCrypt simply decided to end the project without revealing their reasons. Professor Green says he is planning to continue with the audit. He also suggests that other independent cryptographers might carry on the work of TrueCrypt’s developers, but that might prove difficult. Stay tuned for more news and updates.