“TrueCrypt is not secure,” official SourceForge page abruptly warns | Ars Technica

One of the official webpages for the widely used TrueCrypt encryption program says that development has abruptly ended and warns users of the decade-old tool that it isn't safe to use.

"WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues," text in red at the top of the TrueCrypt page on SourceForge states. The page continues: "This page exists only to help migrate existing data encrypted by TrueCrypt. The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms (click here for more information). You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform."

The advisory, which Ars couldn't immediately confirm was authentic, touched off a tsunami of comments on Twitter and other social media sites. For more than a decade, the open source and freely available TrueCrypt has been the program of choice of many security-minded people for encrypting sensitive files and even entire hard drives. Last year, amid revelations that the NSA can decode large swaths of the Internet's encrypted data, supporters ponied up large sums of money to audit TrueCrypt. Results from phase one of the audit released last month revealed no evidence of any backdoors. Additional audits were pending.

Matthew Green, a professor specializing in cryptography at Johns Hopkins University and one of the people who spearheaded the TrueCrypt audit, told Ars he had no advance notice of the announcement. He said the announcement appears to be authentic, an observation he repeated on Twitter. He told Ars he has privately contacted the largely secretive TrueCrypt developers in an attempt to confirm the site or get more details.

The SourceForge page, which was delivered to people trying to view truecrypt.org pages, contained a new version of the program that, according to this "diff" analysis, appears to contain changes warning that the program isn't safe to use. Curiously, the new release also appeared to let users decrypt encrypted data but not create new volumes.

Significantly, TrueCrypt version 7.2 was certified with the official TrueCrypt private signing key, suggesting that the page warning that TrueCrypt isn't safe wasn't a hoax posted by hackers who managed to gain unauthorized access. After all, someone with the ability to sign new TrueCrypt releases probably wouldn't squander that hack with a prank. Alternatively, the post suggests that the cryptographic key that certifies the authenticity of the app has been compromised and is no longer in the exclusive control of the official TrueCrypt developers.

In either case, it's a good idea for TrueCrypt users to pay attention and realize that it may be necessary to move to a new crypto app. Ars will continue to cover this unfolding story as more information becomes available.

http://arstechnica.com/security/2014/05/truecrypt-is-not-secure-official-sourceforge-page-abruptly-warns/