Dan Bowman sent me this link to Steve Gibson’s analysis of Truecrypt, a suddenly dear departed piece of full disk encryption software.
The important thing to remember right now is that we still don’t know what’s going on.
Johns Hopkins cryptography professor Matthew Green is heading up an effort to audit the Truecrypt code. Last month he said the code could be of higher quality, but at that point he hadn’t found anything truly horrible in there either.
That said, his analysis of the cryptography itself is phase 2. Cryptography is notoriously difficult to do–even when cryptography is your specialty, you can get it wrong.
So it’s premature to declare Truecrypt 7.1 as the greatest piece of software ever written. Green did find some flaws that need to be fixed. As far as we know, right now Truecrypt is better than nothing, but the most important part of Green’s work isn’t finished yet. Green has said he is going to finish his audit of the code. He probably won’t find perfection. He may find a fatal flaw that makes it all come crashing down. More likely, he’ll find something in between. But until those findings come out, it’s all speculation.
Truecrypt’s license allowed someone else to come along, take the existing code, act on Green’s findings, and make it better. It’s called Veracrypt. But going open source doesn’t guarantee people will work on it.
Gibson’s page on Truecrypt is a good reference page, but his cheerleading is premature. Gibson is a talented software developer in his own right, but cryptography isn’t his specialty. At the company where I work, we use Truecrypt for some things, and until we know otherwise we are going to continue to use it, but we haven’t made any final decisions on it yet.
Update: Here’s an analysis by Mark Piper, a penetration tester by trade, who explains the history and the issues today.
