The end of support by Microsoft for XP has apparently spelled the end for TrueCrypt, as users have been delivered messages warning that it is “not secure as it may contain unfixed security issues”.
The homepage for the encryption programme is now redirecting to a web-based source code repository with the warning in red text, and stating that “this page exists only to help migrate existing data encrypted by TrueCrypt”.
It also states: “The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms. You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform.”
The website offers advice on migration with the final warning “Using TrueCrypt is not secure” and “You should download TrueCrypt only if you are migrating data encrypted by TrueCrypt”.
Matthew Green, cryptographer and research professor at Johns Hopkins University, who helped launch the TrueCrypt audit last month, said on Twitter that he had “no idea what’s up with the Truecrypt site, or what ‘security issues’ they’re talking about”.
He said that he had not heard from anyone within TrueCrypt, and doubted that an unknown hacker had either identified the TrueCrypt developers, stolen their signing key or hacked their site. “Unlikely is not the same as impossible. So it’s *possible* that this whole thing is a hoax. I just doubt it,” he said. “But more to the point, if the Truecrypt signing key was stolen and the TrueCrypt developers can’t let us know — that’s reason enough to be cautious.”
Steve Gibson, of Gibson Research, said on his blog that, given the scant evidence, he thought it much more likely that the TrueCrypt team had legitimately created an updated Windows executable and other files, which would imply that they also took down their long-running TrueCrypt site.
“Which, of course, leaves us asking why? We don’t know because we don’t know anything about them or their motives. They might be in Russia or China where Windows XP is still a big deal (with a more than 50 per cent share) and personally annoyed with Microsoft for cutting off support for Windows XP. Or anything else,” he said.
Writing for Forbes, Runa Sandvik said that in 2013, Green and Kenneth White started the Open Crypto Audit Project and crowdsourced funding to ensure that TrueCrypt could be reviewed. “Despite being ten years old, and built by a group of anonymous developers, the software had never received a complete review until earlier this year,” Sandvik said. “Results from phase one of the review released last month revealed no evidence of any backdoors. A second review is still pending.”
Brendan Rizzo, technical director at Voltage Security, said: “TrueCrypt has long been seen by its users as a good open source technical option for encrypting data – especially for personal use. The apparent move by the TrueCrypt team to completely abandon the project without any warning highlights a very real risk companies face when choosing solutions to meet their requirements: even if TrueCrypt was found to still be technically sound, a technical solution alone is not enough.”
Amichai Shulman, CTO at Imperva, said: “There is a place for a disk encryption solution independent of operating system type and operating system provider in general. Whether TrueCrypt is the right solution, given the anonymous nature of its developers, I’m not sure. Whether this is a trend for other businesses? I don’t think so. TrueCrypt was never a ‘business’. Most businesses should have moved on from XP software a long time ago.”