Today, the TrueCrypt website and SourceForge project page suddenly changed,
indicating the end of TrueCrypt development.
truecrypt.org now redirects to
their SourceForge project page, and the content has been
replaced with a surprising message:
Not only has development officially ceased, but TrueCrypt is being declared "not secure", and the official webpage is suggesting that people migrate to BitLocker! (BitLocker is the drive encryption solution built in to some versions of Windows Vista and later.) Furthermore, a new version 7.2 had been released, which warns users that TrueCrypt is insecure. The repository had been scrubbed, and all previous binaries had been deleted.
I'm sure you could almost hear the collective WTF?! from everyone in the InfoSec community.
A series of edits indicating that the software had been discontinued were even posted to the [TrueCrypt Wikipedia][trucrypt-wiki] page by a user with the handle Truecrypt-end.
At first, it seemed like some pranksters had managed to take over the TrueCrypt website, and poke fun by suggesting users migrate to their inferior commercial competitor, BitLocker. Well, the DNS records had not changed, so everything was good there. And SourceForge indicated that there was no suspicious behavior on the account (ya know, aside from closing everything down!)
Of course there are rumors abound at all of the tech watering holes, from
Slashdot to the
/r/sysadmin subreddit to the
InfoSec Stack Exchange site and of course Twitter.
While many still believe that the project was hacked, others are pondering the
possibility that the devs were asked to insert a back-door, and subject to a
gag-order preventing them from disclosing the requirement. The TrueCrypt
development team has remained behind the big black curtain for most of its
development which makes the situation even more curious. Perhaps a
vulnerability had been discovered and the developers simply didn't want to be
involved with the product any more. There is certainly no shortage of
opinions on the matter. The most interesting theory I've heard is that
this is a sort of warrant canary.
So what about this new version 7.2?
The binaries were signed with the same GPG key as all previous releases, indicating that this release was "official", or at least produced by someone with access to the private key.
TrueCrypt.exe executable and the
drivers were signed (a la Microsoft Authenticode) with a different certificate
than 7.1.1, but that previous certificate expired shortly after the last
release. This new certificate was issued (to the same named entity) shortly
before the previous certificate expired. It's very unlikely that someone was
able to spoof a new certificate in this manner, and had planned it two years
ago. [Screenshots tomorrow.]
The changes to the latest version's source code were posted to GitHub. This paints probably the most confusing picture of all.
First, the code has been littered with warning messages and error codes indicating that "Using TrueCrypt is not secure".
Next, we see that pretty much all of the code related to creating encrypted
volumes has been removed, and replaced with
We also notice that all code related to updates, error reporting,
user's guide/help, or anything pointing back to the TrueCrypt website
has been removed. Clearly, the developers consciously made the decision to
burn all bridges, and carefully executed a plan to do so.
What's very bizarre however, is that while there were 4112 deletions, there were also 1760 additions to the code. Along with other minor bugfixes, it appears that in-place decryption was newly implemented. It looks as if this was code that was part of an upcoming release that brought some improvements after a two-year break. Unfortunately, it also came with mass deletions that rendered the software useless for anyone seeking to create encrypted content.
What are you thoughts?