The unanswered question is why TrueCrypt was abandoned. The only version of TrueCrypt that is available for download on the site, version 7.2, is only good for decrypting existing data to carry out the migration process. The site provides instructions for migrating to BitLocker. The top of TrueCrypt’s website was emblazoned with the following message in red: “WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues.” It also said development of TrueCrypt had ended after Microsoft terminated support for Windows XP and recommended that users of Windows 8, 7 and Vista migrate to Microsoft’s BitLocker disk encryption utility. With TrueCrypt’s future now uncertain, it may be prudent to consider transitioning to other software in the medium-to-long term.

CPJ will continue to monitor this situation and will provide additional guidance as developments occur.

Editor’s note: This post, originally titled “Journalists can safely use TrueCrypt, for now,” was updated on July 7, 2014, to reflect CPJ’s increased confidence that the recent events are a result of the TrueCrypt developers’ decision to discontinue work on the project, rather than the discovery of a new vulnerability.

The anonymous developers of the free and hugely popular TrueCrypt disk encryption program dropped a bombshell at the end of May when they abruptly abandoned the project.

Given the importance of strong encryption to protecting one’s sources, it is crucial that journalists use–and be able to trust–the best tools available to them. Because TrueCrypt is open-source, it is possible that a new team may continue developing the program in the future, possibly under a new name.

But watchfulness is advised.
Journalists should be cautious about downloading TrueCrypt elsewhere, as the current uncertainty about the program could be exploited by individuals or organizations seeking to distribute maliciously modified versions of the software.

Although much uncertainty remains about the future of TrueCrypt, journalists should not consign their existing installations to their computers’ recycling bins just yet. To CPJ’s knowledge the fingerprint of TrueCrypt’s GPG code-signing certificate is:

C5F4 BAC4 A7B2 2DB8 B8F8 5538 E3BA 73CA F0D6 B1E0

Be sure to verify the authenticity of a download’s digital signature before use. All versions of TrueCrypt have been digitally signed, and those signatures are available in the archive. CPJ recommends using the TrueCrypt archive maintained by Jurre van Bergen and Stefan Sundin. The main TrueCrypt website no longer provides TrueCrypt 7.1 or 7.1a for download. CPJ recommends against downloading or installing the 7.2 version of TrueCrypt, as that version has limited functionality. TrueCrypt 7.1 is the version currently undergoing the audit, which is being organized by the Open Crypto Audit project. Journalists are as safe using TrueCrypt today as they were last week, and will be next week.

Existing users of TrueCrypt 7.1 or 7.1a can and should continue to use those versions. In fact, the results of a multi-part audit to which TrueCrypt is being subjected have thus far been largely positive. There remains no new evidence of a novel vulnerability in TrueCrypt. The developers’ reasons for this remain the subject of speculation, and given their carefully-guarded anonymity and reluctance to discuss their work, we are unlikely to ever know their reasons for sure. With additional evidence released in the following weeks, CPJ is increasingly confident of its initial assessment that the TrueCrypt development team simply decided to discontinue development of the software, albeit in a particularly dramatic fashion.
Given recent news about critical technical vulnerabilities in other security software, this unexpected posting prompted widespread concern about the status of the open-source project and the security of TrueCrypt software.

CPJ initially concluded that despite the announcement, there was no apparent cause for alarm. Six weeks ago, technologist and journalist Runa Sandvik reported in Forbes about a worrying notice on TrueCrypt’s website: a warning that the software is “not secure,” with instructions to replace it. There is no evidence of any new or dangerous vulnerability in TrueCrypt, despite a recent scare over its integrity. Journalists who use the popular encryption tool TrueCrypt can relax.
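
One way to carry out the signature check the post asks for, pinned to the fingerprint CPJ gives above. This is an added example, not part of the original post or of any TrueCrypt tooling: it assumes GnuPG is installed and the signing key is already imported, the function names are hypothetical, and the sample status lines are constructed.

```shell
#!/bin/sh
# Fingerprint exactly as printed in the article above.
PINNED_FPR="C5F4 BAC4 A7B2 2DB8 B8F8 5538 E3BA 73CA F0D6 B1E0"

# Strip whitespace and upper-case so spaced and unspaced forms compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d '[:space:]' | tr 'a-f' 'A-F'
}

# Read `gpg --status-fd` output on stdin. Succeed only if a VALIDSIG line
# names the pinned key and no failure status appears (this example's policy).
check_status() {
    awk -v want="$(normalize_fpr "$PINNED_FPR")" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "REVKEYSIG" { bad = 1 }
        $2 == "VALIDSIG" {
            # Field 12 is the primary-key fingerprint; field 3 the signing key.
            fpr = (NF >= 12) ? $12 : $3
            if (toupper(fpr) == want) ok = 1; else bad = 1
        }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# verify_download SIGNATURE FILE
# Needs gpg on PATH and the signing key already in the local keyring.
verify_download() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null | check_status
}

# Constructed status output (not captured from a real gpg run), used to
# exercise check_status offline. $1 = fingerprint the fake run reports.
sample_status() {
    printf '[GNUPG:] NEWSIG\n'
    printf '[GNUPG:] VALIDSIG %s 2012-02-07 1328572800 0 4 0 17 2 00 %s\n' "$1" "$1"
}
```

A good signature from any other key in the keyring fails this check, which is the case a plain `gpg --verify` does not catch when a look-alike key has been imported alongside a modified download.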