TrueCrypt is safe to use in 2023?
30
651
550
resolved Jan 1
Resolved as
80%

Several years ago TrueCrypt creators basically abandoned it and encouraged its users to use other encryption software instead.

However, it is not clear if there are any actual weaknesses in Truecrypt or if it is simply no longer updated, but still secure.


This is more of a "crowdsource opinions" market than a "predict the future" market.
Hence, I will resolve this "no" if any clear evidence of TrueCrypt being insecure arises (maybe there is such evidence out there already, I have just missed it), and I will resolve as "no" if the No-side has more than 75% for several days, indicating a clear consensus.
If neither of these occur before the end of the year I will resolve this to "Yes".

Get Ṁ200 play money

🏅 Top traders

#NameTotal profit
1Ṁ250
2Ṁ179
3Ṁ161
4Ṁ126
5Ṁ88
Sort by:

Should resolve YES as defined in the description. However I did not know (or maybe it wasn't a feature yet) about possibility to resolve to a certain percentage. This is a binary issue but since there are some weaknesses identified (however, pretty far-fetched for the normal user), I will not resolve 100% yes, but 80% yes. Thanks for participating.

bought Ṁ15 of NO

The successor VeraCrypt says that "It is based on original TrueCrypt 7.1a with security enhancements and modifications", that implies TrueCrypt has some issues with security

predicted YES

“Paid to stop working on it and to call it ‘unsafe’ so … could backdoor its replacement” = how these things work

bought Ṁ20 of YES

Which version?

bought Ṁ100 of NO

Looks like there were some insecurities found in 2015 by James Forshaw after TrueCrypt stopped being updated

"Security researcher James Forshaw found two critical bugs in the program that could compromise an end-user's machine. While neither allowed an attacker backdoor access, the Register reports that both could have been used to install spyware to the host machine or record keystrokes. Either of these could've been sufficient to allow an attacker to capture the drive's encryption key, depending on how good the end-users security practices were."

https://www.extremetech.com/internet/215285-critical-truecrypt-security-bugs-finally-found

https://www.vice.com/en/article/3dkxky/encryption-program-truecrypt-has-a-critical-vulnerability

bought Ṁ100 of NO

@fredrickslick Little more info on the vulnerabilities found:

"Both the TrueCrypt vulnerabilities has been rated as 'Critical', tagged as:

1.) CVE-2015-7358: The first vulnerability occurs because the TrueCrypt driver lacks in properly validating the drive letter symbolic link used for mounting volumes.

As a result, an attacker can gain access to a running process and get full administrative privileges.

2.) CVE-2015-7359: Whereas, in the second vulnerability the TrueCrypt driver lacks in validating the user in the security context, exploiting which an attacker can impersonate as an authenticated user."-TheHackerNews

official publishing detailing the vulnerabilities:

https://web.archive.org/web/20151116030315/https://code.google.com/p/google-security-research/issues/detail?id=538

https://web.archive.org/web/20151116030340/https://code.google.com/p/google-security-research/issues/detail?id=537

predicted YES

@fredrickslick

  1. I don't think that's an issue for 7.1a

  2. Though it might show the encrypted drive you still have to have the password.

Calling that a vulnerability is a stretch unless you want to explain it further?

bought Ṁ15 of YES

@fredrickslick

On a closer read through .

You are pointing out vulnerabilities with windows driver code rather than truecrypt itself?

The circumstances of that being a vulnerability are also very narrow and inconsequential and arise out of keeping an encrypted mounted.

I see several issues with calling this a vulnerability. I'd trust truecrypt more than anything else out there still.

predicted NO

@Fivelidz I have a very surface level knowledge of this field (which is why my comment is 99% copy and paste) so I cant have a full understanding of the issues mentioned, but when VeraCrypt themselves use the word "vulnerabilities" I'm inclined to believe them.

From what I understand CVE-2015-7358 specifically is a local elevation of privilege bug with the truecrypt.sys driver that allows any user on your system administrative privilege over the entirety of your drive, the details of how this would be done are laid out in line 37 of this article. OpenCve.io rates this bug CVSS v3.0 7.8/10, cvedetails.com rates it CVSS 7.2, redhat.com rates it CRITICAL (the highest level on their severity rating)

CVE-2015-7359 is less serious as said in line 13-14 of this article "I think the only thing this gives an attacker would be to unmount other users volumes or inspect their configuration."

Neither of these are patched in 7.1a but they are in VeraCrypt 1.15, and while neither may be an issue if no one else has access to your system (imo) it meets the criteria for "unsafe" and as I see it when VeraCrypt is still maintained to this day using any software for digital security that hasn't been maintained for 8 years is simply bad practice that might bite you one day.

predicted YES

@fredrickslick I'd rather use truecrypt still as I suppose I'm more familiar with it and know it to work. I think there is a bit of a conspiracy against truecrypt. I have a lack of trust for any alternative.

I can't find the exact article but I had apprehensions for veracrypt such as this.

https://eprint.iacr.org/2019/092

The software one would use in virtual machines which would be mounted by true crypt and potentially mount truecrypt are also probably as old as it.

I'd rather trust something that still works after 8 years than something new that I'm less familiar with ┐⁠(⁠ ⁠∵⁠ ⁠)⁠┌.

If my encrypted computer which is a virtual machine by truecrypt is on a harddrive, and that harddrive is captured by hostile agents, how would that vulnerability in anyway help them gain access to it?

I don't exactly understand I suppose.

bought Ṁ10 of YES

TrueCrypt probably was the most popular encryption software, and it was open source. If it really was "not secure", I'd expect some serious flaw having been discovered in TrueCrypt by now.

I'd still trust TrueCrypt over some proprietary, closed source product.

bought Ṁ500 of NO

TrueCrypt is officially indicated on its website as "not secure," and it basically tells you only to use it to migrate existing data.

bought Ṁ45 of NO

There’s absolutely no reason to use TrueCrypt when you can use VeraCrypt instead. TrueCrypt has been unmaintained for 8 years.

@Alana I have a great reason: laziness :)

@Alana I have a great reason: laziness :) However, I will make the switch if this market tells me to.