TrueCrypt, the most popular free and open source encryption software, has abruptly changed its homepage to display a message saying that the software is not secure and suggesting that existing users should migrate to BitLocker.
As you can imagine, the net is abuzz with news of this strange message. Some are saying that, because it was so sudden, the website must have been hacked. The consensus among most security experts, however, is that the new page and its message are genuine. If that is indeed the case, then it’s probably safe to assume that TrueCrypt has been compromised in some way.
At the moment there are more questions than answers: Is it hackers? Is the NSA involved? Has the audit team found something sinister? It’s all speculation, though, and no one really knows for sure what’s going on. It doesn’t help that the developers are a secretive and anonymous bunch either.
It does seem kind of strange for open source connections to be promoting something as closed source as BitLocker, though, especially when Microsoft’s encryption tool is not available on basic Windows versions, including the popular and widespread Home editions.
Matthew Green, one of the security researchers involved with the TrueCrypt audit, has tweeted that he believes the announcement is legitimate. So it would appear unlikely that a sinister audit finding is at the core.
A new version of the software, which was released simultaneously with the announcement, no longer supports encryption, but simply allows users to decrypt. Most security experts are labeling this latest version ‘suspicious’ and advising users NOT to download it.
Software developer Jonathan Zdziarski, who worked as a cryptographer on the TrueCrypt project, tweeted a warning against using the new version – or any recent version, for that matter… “If TrueCrypt.org is compromised, it’s likely been compromised a good while. I wouldn’t trust any recent downloads of the software.”
It makes for a difficult situation when the reality is so obscure, and until more reliable information comes to hand, the rumors and speculation will remain just that.