TrueCrypt's Web Site Updates with Ominous Warning, Details Unknown
TrueCrypt, one of our favorite file encryption tools, has abruptly changed its homepage to a warning that the tool may not secure, and a detailed guide on how to migrate your encrypted data to BitLocker instead.
The update appeared earlier today, and while we haven't been able to confirm that it's authentic, it has set off a storm in security circles, on Hacker News, and over at Ars Technica. Even though the encryption tool hasn't seen a major uplift in ages, TrueCrypt had recently just passed the first stage of a comprehensive security audit without issue. The sudden warning came as a surprise—one that a number of commenters around the web have assumed must be the work of a compromised SourceForge account or a rogue site admin. If the warning is legitimate, it might be time to migrate your encrypted files to another service or tool.
Either way, do not download the version of TrueCrypt listed on the site right now. It was compiled yesterday, according to security researcher Runa Sadvik, using a questionable DSA key. It may be compromised along with the TrueCrypt Sourceforge page.
Update: Matthew Green, one of the security researchers involved with the TrueCrypt audit, notes that while he had no prior knowledge of the abrupt change, he believes that the announcement is legitimate.
Similarly, the posted version of TrueCrypt appears to be heavily modified, with critical features removed and a heavy dose of "INSECURE_APP" sprinkled through the code. Even so, it was certified with the official TrueCrypt signing key, which leads us to believe this might be the real thing. Ars Technica notes:
The SourceForge page, which was delivered to people trying to view truecrypt.org pages, contained a new version of the program that, according to this "diff" analysis, appears to contain changes warning that the program isn't safe to use. Significantly,TrueCrypt version 7.2 was certified with the official TrueCrypt private signing key, suggesting that the page warning that TrueCrypt isn't safe wasn't a hoax posted by hackers who managed to gain unauthorized access. After all, someone with the ability to sign new TrueCrypt releases probably wouldn't squander that hack with a prank. Alternatively, the post suggests that the cryptographic key that certifies the authenticity of the app has been compromised and is no longer in the exclusive control of the official TrueCrypt developers.
As more information comes to light, we'll update this post with additional details.
No comments:
Post a Comment