“Audit all the things!” or “Is TrueCrypt audited yet?”

What is the first thing you think of when it comes to disk encryption or pen drive encryption? Most people will most likely answer this question with "TrueCrypt". TrueCrypt is a great product. It's Open-Source and free. It has a great feature set, is well-known in the industry and is available on Linux, MacOS X and Windows.

But there are some concerns that have come up due to the latest events. As Matthew Green writes today in a blog post, the main concerns are:

  • Anonymity: Nobody actually knows who has written TrueCrypt. This doesn't mean that TC is not trustworthy; there might be good reasons for the author(s) to stay anonymous. Still, it would be good to know who the author(s) are.
  • Binary trustworthiness: The Windows binary of TC does funky things compared to the Linux version. See page 13 of this documentation. There it is said that, from the source, one can rule out that this is a backdoor; but as there is no proof that the binaries are really compiled from the published source, there is no 100% guarantee that there is no backdoor in the Windows binary. MDG points out that even if the source of TC is totally fine, most people still use the TC binaries. So there is no real basis for trust for most TC users, and this needs to change.
  • License issues: The license of the latest version of TC (version 3.0) has not been completely reviewed from a legal standpoint, and therefore TC is not included in most free operating system distributions (like Debian, Ubuntu, Red Hat, Fedora or CentOS).

To solve these issues, Matthew Green and Kenn White started a project to audit TrueCrypt. They set up a project page with the goals and the current status, as well as a fundraising page. I think this is a great idea and it's worth supporting and spreading the word. Not only because I personally use TC very often in my daily business, but also because, if this project is a success, it might be initiated for other pieces of software as well.

And as we are already talking about trustworthiness and auditing all the things... I also want to mention this page by THC: https://wiki.thc.org/ssl. SSL/TLS is used to secure your (online) banking, shopping, mails, social networks, instant messaging and other things. People feel safe when they see the little lock symbol in their browser bar, but there are concerns with SSL/TLS, and this page provides good information about these concerns. It also provides some ideas on how to mitigate them. People should read this stuff, as it is their privacy that is at risk.

