A popular open-source encryption program often used to secure desktop bitcoin wallets is compromised, according to its developers.
The program, TrueCrypt, was deemed “not secure” due to “unfixed security issues” according to a notice on its SourceForge page that appeared on 28th May. Users who attempted to access the program’s website, truecrypt.org, were redirected to the SourceForge page.
The appearance of the mysterious notice followed the announcement that development on TrueCrypt ended this month after Microsoft stopped supporting Windows XP. The TrueCrypt website now contains instructions for migrating data from TrueCrypt to BitLocker, a similar program developed by Microsoft.
Users have pointed out that BitLocker is only available on Windows 8.1 Pro and Windows 8.1 Enterprise, whereas TrueCrypt was available on multiple Windows versions, Linux, Android and Apple’s OS X.
Community reactions
The bitcoin and privacy communities were rife with speculation about what caused TrueCrypt’s developers – who have remained anonymous since the program was first released 10 years ago – to put up the warning.
Theories floated on reddit, for example, range from a backdoor being discovered in the program to misfortune befalling the developers.
Deepening the mystery is the fact that a new version of TrueCrypt is now available for download on the website.
Snowden tool
An initial analysis by a member of the Open Crypto Audit Project’s technical advisory board, Runa Sandvik, concluded that although the new version seemed free of malicious behaviour, it can only be used to decrypt data and migrate existing encrypted data – not to create encrypt new data.
The Open Crypto Audit Project is an open source attempt to check TrueCrypt’s code to ensure that it is free of backdoors. The effort was initiated in 2013 and it has yielded the first phase of a multi-part review. This report, released last month, could find no such flaws.
TrueCrypt has been used by Edward Snowden, who even hosted a ‘CryptoParty‘ in Hawaii, where he recommended using the program to keep information private, shortly before he appeared in Hong Kong with his cache of secret NSA documents.
Alternatives to TrueCrypt include FileVault for OS X, developed by Apple, and Jetico BestCrypt for OS X, Linux and Windows, which is recommended by the bitcoin Wiki alongside TrueCrypt.
Encryption image via Shutterstock