TrueCrypt is safe to use in 2023?
Closes Dec 31 · 40% chance

Several years ago TrueCrypt creators basically abandoned it and encouraged its users to use other encryption software instead.

However, it is not clear if there are any actual weaknesses in TrueCrypt or if it is simply no longer updated, but still secure.


This is more of a "crowdsource opinions" market than a "predict the future" market.
Hence, I will resolve this "no" if any clear evidence of TrueCrypt being insecure arises (maybe there is such evidence out there already, I have just missed it), and I will resolve as "no" if the No-side has more than 75% for several days, indicating a clear consensus.
If neither of these occurs before the end of the year I will resolve this to "Yes".

Gigacasting is predicting YES at 34%

“Paid to stop working on it and to call it ‘unsafe’ so … could backdoor its replacement” = how these things work

Five lidz bought Ṁ20 of YES

Which version?

fredrick slick bought Ṁ100 of NO

Looks like there were some insecurities found in 2015 by James Forshaw after TrueCrypt stopped being updated

"Security researcher James Forshaw found two critical bugs in the program that could compromise an end-user's machine. While neither allowed an attacker backdoor access, the Register reports that both could have been used to install spyware to the host machine or record keystrokes. Either of these could've been sufficient to allow an attacker to capture the drive's encryption key, depending on how good the end-users security practices were."

https://www.extremetech.com/internet/215285-critical-truecrypt-security-bugs-finally-found

https://www.vice.com/en/article/3dkxky/encryption-program-truecrypt-has-a-critical-vulnerability

fredrick slick bought Ṁ100 of NO

@fredrickslick Little more info on the vulnerabilities found:

"Both the TrueCrypt vulnerabilities has been rated as 'Critical', tagged as:

1.) CVE-2015-7358: The first vulnerability occurs because the TrueCrypt driver lacks in properly validating the drive letter symbolic link used for mounting volumes.

As a result, an attacker can gain access to a running process and get full administrative privileges.

2.) CVE-2015-7359: Whereas, in the second vulnerability the TrueCrypt driver lacks in validating the user in the security context, exploiting which an attacker can impersonate as an authenticated user."-TheHackerNews

official publishing detailing the vulnerabilities:

https://web.archive.org/web/20151116030315/https://code.google.com/p/google-security-research/issues/detail?id=538

https://web.archive.org/web/20151116030340/https://code.google.com/p/google-security-research/issues/detail?id=537

Five lidz is predicting YES at 22%

@fredrickslick

  1. I don't think that's an issue for 7.1a

  2. Though it might show the encrypted drive you still have to have the password.

Calling that a vulnerability is a stretch unless you want to explain it further?

Five lidz bought Ṁ15 of YES

@fredrickslick

On a closer read through.

You are pointing out vulnerabilities with Windows driver code rather than TrueCrypt itself?

The circumstances of that being a vulnerability are also very narrow and inconsequential and arise out of keeping an encrypted mounted.

I see several issues with calling this a vulnerability. I'd trust TrueCrypt more than anything else out there still.

fredrick slick is predicting NO at 58%

@Fivelidz I have a very surface-level knowledge of this field (which is why my comment is 99% copy and paste) so I can't have a full understanding of the issues mentioned, but when VeraCrypt themselves use the word "vulnerabilities" I'm inclined to believe them.

From what I understand CVE-2015-7358 specifically is a local elevation of privilege bug with the truecrypt.sys driver that allows any user on your system administrative privilege over the entirety of your drive, the details of how this would be done are laid out in line 37 of this article. OpenCve.io rates this bug CVSS v3.0 7.8/10, cvedetails.com rates it CVSS 7.2, redhat.com rates it CRITICAL (the highest level on their severity rating).

CVE-2015-7359 is less serious as said in line 13-14 of this article "I think the only thing this gives an attacker would be to unmount other users volumes or inspect their configuration."

Neither of these are patched in 7.1a but they are in VeraCrypt 1.15, and while neither may be an issue if no one else has access to your system (imo) it meets the criteria for "unsafe" and as I see it when VeraCrypt is still maintained to this day using any software for digital security that hasn't been maintained for 8 years is simply bad practice that might bite you one day.

Five lidz is predicting YES at 23%

@fredrickslick I'd rather use TrueCrypt still as I suppose I'm more familiar with it and know it to work. I think there is a bit of a conspiracy against TrueCrypt. I have a lack of trust for any alternative.

I can't find the exact article but I had apprehensions for VeraCrypt such as this.

https://eprint.iacr.org/2019/092

The software one would use in virtual machines which would be mounted by TrueCrypt and potentially mount TrueCrypt are also probably as old as it.

I'd rather trust something that still works after 8 years than something new that I'm less familiar with ┐⁠(⁠ ⁠∵⁠ ⁠)⁠┌.

If my encrypted computer which is a virtual machine by TrueCrypt is on a hard drive, and that hard drive is captured by hostile agents, how would that vulnerability in any way help them gain access to it?

I don't exactly understand I suppose.

Primer bought Ṁ10 of YES

TrueCrypt probably was the most popular encryption software, and it was open source. If it really was "not secure", I'd expect some serious flaw having been discovered in TrueCrypt by now.

I'd still trust TrueCrypt over some proprietary, closed source product.

Peter Berggren bought Ṁ500 of NO

TrueCrypt is officially indicated on its website as "not secure," and it basically tells you only to use it to migrate existing data.

Alana bought Ṁ45 of NO

There’s absolutely no reason to use TrueCrypt when you can use VeraCrypt instead. TrueCrypt has been unmaintained for 8 years.

Niklas Wiklander

@Alana I have a great reason: laziness :) However, I will make the switch if this market tells me to.
