Independent encryption software TrueCrypt is apparently not as secure as many thought. The TrueCrypt homepage was suddenly replaced with a notification that read "WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues."
Moreover, it is reported that TrueCrypt development stopped in May 2014. Significantly, the current version listed on the SourceForge page, version 7.2, was signed yesterday with the official TrueCrypt private signing key, the same key the TrueCrypt Foundation has used for as long as two years.
This means the warning on the official TrueCrypt homepage isn't a hoax posted by some hacker or cyber criminal. To fans of the app, which lets users encrypt entire hard drives to ensure security and privacy, that rationale makes no sense, and many of them are casting around for other plausible reasons why the app and its development would cease so suddenly.
"The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP," is the explanation given on the software's webpage. "Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms. You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform."
The situation is unclear because the TrueCrypt development team has always remained anonymous. Moreover, an independent audit of the TrueCrypt source code, completed in April, did not reveal any dangerous problems. At the same time, the TrueCrypt code is not free software: it is distributed under its own TrueCrypt License, which contains additional requirements on distribution and attribution that make it incompatible with free licenses and prevent the community from continuing development through a fork.
As for the new TrueCrypt 7.2 release, the differences from version 7.1a are limited to the warning that the project is insecure and to the removal of the code for creating new encrypted volumes (it can only be used with existing TrueCrypt volumes).
The license text was also changed slightly. It is improbable that attackers with access to the key used to sign releases would have been capable of nothing more than a prank defacement of the site.
Still, a lot of things in this story are questionable, for example why a redirect of truecrypt.org to the truecrypt.sourceforge.net page was needed, and why only migration to Microsoft BitLocker was recommended for Windows users. No concrete recommendations are given to Linux users, despite the existence of tc-play, an alternative free implementation of TrueCrypt distributed under the BSD license.
SourceForge representatives said that they had not found any signs of account compromise or abnormal activity, and that the recent compulsory password change was an infrastructure improvement, not a reaction to a compromise.