Several years ago TrueCrypt creators basically abandoned it and encouraged its users to use other encryption software instead.
However, it is not clear if there are any actual weaknesses in Truecrypt or if it is simply no longer updated, but still secure.
This is more of a "crowdsource opinions" market than a "predict the future" market.
Hence, I will resolve this "no" if any clear evidence of TrueCrypt being insecure arises (maybe there is such evidence out there already, I have just missed it), and I will resolve as "no" if the No-side has more than 75% for several days, indicating a clear consensus.
If neither of these occur before the end of the year I will resolve this to "Yes".
Related questions
🏅 Top traders
| # | Name | Total profit |
|---|---|---|
| 1 | Ṁ250 | |
| 2 | Ṁ179 | |
| 3 | Ṁ161 | |
| 4 | Ṁ126 | |
| 5 | Ṁ88 |
Should resolve YES as defined in the description. However I did not know (or maybe it wasn't a feature yet) about possibility to resolve to a certain percentage. This is a binary issue but since there are some weaknesses identified (however, pretty far-fetched for the normal user), I will not resolve 100% yes, but 80% yes. Thanks for participating.
The successor VeraCrypt says that "It is based on original TrueCrypt 7.1a with security enhancements and modifications", that implies TrueCrypt has some issues with security
Looks like there were some insecurities found in 2015 by James Forshaw after TrueCrypt stopped being updated
"Security researcher James Forshaw found two critical bugs in the program that could compromise an end-user's machine. While neither allowed an attacker backdoor access, the Register reports that both could have been used to install spyware to the host machine or record keystrokes. Either of these could've been sufficient to allow an attacker to capture the drive's encryption key, depending on how good the end-users security practices were."
https://www.extremetech.com/internet/215285-critical-truecrypt-security-bugs-finally-found
https://www.vice.com/en/article/3dkxky/encryption-program-truecrypt-has-a-critical-vulnerability
@fredrickslick Little more info on the vulnerabilities found:
"Both the TrueCrypt vulnerabilities has been rated as 'Critical', tagged as:
1.) CVE-2015-7358: The first vulnerability occurs because the TrueCrypt driver lacks in properly validating the drive letter symbolic link used for mounting volumes.
As a result, an attacker can gain access to a running process and get full administrative privileges.
2.) CVE-2015-7359: Whereas, in the second vulnerability the TrueCrypt driver lacks in validating the user in the security context, exploiting which an attacker can impersonate as an authenticated user."-TheHackerNews
official publishing detailing the vulnerabilities:
https://web.archive.org/web/20151116030315/https://code.google.com/p/google-security-research/issues/detail?id=538
https://web.archive.org/web/20151116030340/https://code.google.com/p/google-security-research/issues/detail?id=537
I don't think that's an issue for 7.1a
Though it might show the encrypted drive you still have to have the password.
Calling that a vulnerability is a stretch unless you want to explain it further?
On a closer read through .
You are pointing out vulnerabilities with windows driver code rather than truecrypt itself?
The circumstances of that being a vulnerability are also very narrow and inconsequential and arise out of keeping an encrypted mounted.
I see several issues with calling this a vulnerability. I'd trust truecrypt more than anything else out there still.
@Fivelidz I have a very surface level knowledge of this field (which is why my comment is 99% copy and paste) so I cant have a full understanding of the issues mentioned, but when VeraCrypt themselves use the word "vulnerabilities" I'm inclined to believe them.
From what I understand CVE-2015-7358 specifically is a local elevation of privilege bug with the truecrypt.sys driver that allows any user on your system administrative privilege over the entirety of your drive, the details of how this would be done are laid out in line 37 of this article. OpenCve.io rates this bug CVSS v3.0 7.8/10, cvedetails.com rates it CVSS 7.2, redhat.com rates it CRITICAL (the highest level on their severity rating)
CVE-2015-7359 is less serious as said in line 13-14 of this article "I think the only thing this gives an attacker would be to unmount other users volumes or inspect their configuration."
Neither of these are patched in 7.1a but they are in VeraCrypt 1.15, and while neither may be an issue if no one else has access to your system (imo) it meets the criteria for "unsafe" and as I see it when VeraCrypt is still maintained to this day using any software for digital security that hasn't been maintained for 8 years is simply bad practice that might bite you one day.
@fredrickslick I'd rather use truecrypt still as I suppose I'm more familiar with it and know it to work. I think there is a bit of a conspiracy against truecrypt. I have a lack of trust for any alternative.
I can't find the exact article but I had apprehensions for veracrypt such as this.
https://eprint.iacr.org/2019/092
The software one would use in virtual machines which would be mounted by true crypt and potentially mount truecrypt are also probably as old as it.
I'd rather trust something that still works after 8 years than something new that I'm less familiar with ┐( ∵ )┌.
If my encrypted computer which is a virtual machine by truecrypt is on a harddrive, and that harddrive is captured by hostile agents, how would that vulnerability in anyway help them gain access to it?
I don't exactly understand I suppose.
@Alana I have a great reason: laziness :) However, I will make the switch if this market tells me to.