Sometimes, when difficulties arise in an open-source project, the effort is forked, but in other cases, projects just shut down. For the open-source TrueCrypt disk-encryption project, the latter is now true as the project is shutting down and users are being warned that the technology is no longer secure.
The TrueCrypt project is hosted on the SourceForge open-source code repository, which posted an ominous warning May 28:”Using TrueCrypt is not secure as it may contain unfixed security issues.”
The project is now recommending that users migrate away from TrueCrypt to other disk-encryption technologies.
Frankly, I’m not too surprised. TrueCrypt was recently audited in a report by iSec Partners, and although the report did not find any obvious large security issues, it wasn’t exactly favorable, either.
“Overall, the source code for both the bootloader and the Windows kernel driver did not meet expected standards for secure code,” the iSec Partners report on TrueCrypt states. “This includes issues such as lack of comments, use of insecure or deprecated functions, inconsistent variable types and so forth.”
The iSec report goes on to note that there was no evidence of backdoors or otherwise intentionally malicious code in the assessed areas. However, the audit did find some vulnerabilities that, according to iSec, “all appear to be unintentional, introduced as the result of bugs rather than malice.”
The other challenge facing TrueCrypt is the simple fact that there are many other disk-encryption technologies now available. On Microsoft’s Windows operating system in particular, which was a key target platform for TrueCrypt, versions of Windows after Windows XP include support for Bitlocker, which performs a similar function. In addition, there are multiple file-encryption technologies available, including, FileVault for Mac, DiskCryptor for Windows and Luks for Linux.
The decision to end an open-source project is not uncommon, but declaring a project to be insecure, as is the case with TrueCrypt, is a cause for concern. No doubt, many thousands of users were caught off-guard by the project shutting down and the security warning message.
Rather than attempting to plug holes, TrueCrypt’s developers have chosen to throw in the towel. Thankfully, there are alternative choices for full-disk encryption, and there is a path forward for TrueCrypt users to secure themselves.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.