The unexpected notice saying TrueCrypt isn’t safe, which was apparently posted last week by the developers of the software, took the security community by surprise and opened the door to a lot of speculation.
“WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues,” said the notice on the project’s SourceForge page.
The developers offered an alternative – BitLocker – and explained how to migrate data encrypted by TrueCrypt to it, but they left users wondering about the real reason they abandoned the project.
It is, of course, possible that they simply grew tired of carrying the project, but in light of Snowden’s disclosures and the way the government went after Lavabit, a lot of people are convinced that the US government served a National Security Letter on the developers, ordering them to equip the software with a vulnerability known only to the authorities, or to share what they know about ways to break the software’s protection, and prohibiting them from talking about it publicly.
Matthew Green, cryptographer and research professor at Johns Hopkins University, and one of the leaders of the Open Crypto Audit Project (OCAP), which is conducting a public security audit of TrueCrypt, has tried to contact the developers, but has had no luck.
He said that he had no idea what happened, and that the last time he heard from them was after the satisfactory results of the first phase of the audit were published, when they said they were looking forward to the results of phase two.
Phase two will go on as planned, the OCAP confirmed on Twitter.
“We have conferred and we are firmly going forward on schedule with the audit regardless of yesterday’s circumstances,” Kenn White, audit organizer, told Ars Technica. “We don’t want there to remain all sorts of questions or scenarios or what ifs in people’s minds. TrueCrypt has been around for 10 years and it’s never received a proper formal security analysis. People are going to continue to use it for better or worse, and we feel like we owe the community the proper analysis.”
The group added that it will also be leading a phase I full audit of OpenSSL in partnership with the Linux Foundation Core Infrastructure Initiative, and that it is looking into the possibility of taking over the development of TrueCrypt, or forking it.
In the meantime, users who still choose to trust the software can download it from this trusted archive.