Several years ago TrueCrypt creators basically abandoned it and encouraged its users to use other encryption software instead.
However, it is not clear if there are any actual weaknesses in Truecrypt or if it is simply no longer updated, but still secure.
This is more of a "crowdsource opinions" market than a "predict the future" market.
Hence, I will resolve this "no" if any clear evidence of TrueCrypt being insecure arises (maybe there is such evidence out there already, I have just missed it), and I will resolve as "no" if the No-side has more than 75% for several days, indicating a clear consensus.
If neither of these occur before the end of the year I will resolve this to "Yes".
“Paid to stop working on it and to call it ‘unsafe’ so … could backdoor its replacement” = how these things work
Looks like there were some insecurities found in 2015 by James Forshaw after TrueCrypt stopped being updated
"Security researcher James Forshaw found two critical bugs in the program that could compromise an end-user's machine. While neither allowed an attacker backdoor access, the Register reports that both could have been used to install spyware to the host machine or record keystrokes. Either of these could've been sufficient to allow an attacker to capture the drive's encryption key, depending on how good the end-users security practices were."
https://www.extremetech.com/internet/215285-critical-truecrypt-security-bugs-finally-found
https://www.vice.com/en/article/3dkxky/encryption-program-truecrypt-has-a-critical-vulnerability
@fredrickslick Little more info on the vulnerabilities found:
"Both the TrueCrypt vulnerabilities has been rated as 'Critical', tagged as:
1.) CVE-2015-7358: The first vulnerability occurs because the TrueCrypt driver lacks in properly validating the drive letter symbolic link used for mounting volumes.
As a result, an attacker can gain access to a running process and get full administrative privileges.
2.) CVE-2015-7359: Whereas, in the second vulnerability the TrueCrypt driver lacks in validating the user in the security context, exploiting which an attacker can impersonate as an authenticated user."-TheHackerNews
official publishing detailing the vulnerabilities:
https://web.archive.org/web/20151116030315/https://code.google.com/p/google-security-research/issues/detail?id=538
https://web.archive.org/web/20151116030340/https://code.google.com/p/google-security-research/issues/detail?id=537
I don't think that's an issue for 7.1a
Though it might show the encrypted drive you still have to have the password.
Calling that a vulnerability is a stretch unless you want to explain it further?
On a closer read through .
You are pointing out vulnerabilities with windows driver code rather than truecrypt itself?
The circumstances of that being a vulnerability are also very narrow and inconsequential and arise out of keeping an encrypted mounted.
I see several issues with calling this a vulnerability. I'd trust truecrypt more than anything else out there still.
@Fivelidz I have a very surface level knowledge of this field (which is why my comment is 99% copy and paste) so I cant have a full understanding of the issues mentioned, but when VeraCrypt themselves use the word "vulnerabilities" I'm inclined to believe them.
From what I understand CVE-2015-7358 specifically is a local elevation of privilege bug with the truecrypt.sys driver that allows any user on your system administrative privilege over the entirety of your drive, the details of how this would be done are laid out in line 37 of this article. OpenCve.io rates this bug CVSS v3.0 7.8/10, cvedetails.com rates it CVSS 7.2, redhat.com rates it CRITICAL (the highest level on their severity rating)
CVE-2015-7359 is less serious as said in line 13-14 of this article "I think the only thing this gives an attacker would be to unmount other users volumes or inspect their configuration."
Neither of these are patched in 7.1a but they are in VeraCrypt 1.15, and while neither may be an issue if no one else has access to your system (imo) it meets the criteria for "unsafe" and as I see it when VeraCrypt is still maintained to this day using any software for digital security that hasn't been maintained for 8 years is simply bad practice that might bite you one day.
@fredrickslick I'd rather use truecrypt still as I suppose I'm more familiar with it and know it to work. I think there is a bit of a conspiracy against truecrypt. I have a lack of trust for any alternative.
I can't find the exact article but I had apprehensions for veracrypt such as this.
https://eprint.iacr.org/2019/092
The software one would use in virtual machines which would be mounted by true crypt and potentially mount truecrypt are also probably as old as it.
I'd rather trust something that still works after 8 years than something new that I'm less familiar with ┐( ∵ )┌.
If my encrypted computer which is a virtual machine by truecrypt is on a harddrive, and that harddrive is captured by hostile agents, how would that vulnerability in anyway help them gain access to it?
I don't exactly understand I suppose.
TrueCrypt probably was the most popular encryption software, and it was open source. If it really was "not secure", I'd expect some serious flaw having been discovered in TrueCrypt by now.
I'd still trust TrueCrypt over some proprietary, closed source product.
TrueCrypt is officially indicated on its website as "not secure," and it basically tells you only to use it to migrate existing data.
There’s absolutely no reason to use TrueCrypt when you can use VeraCrypt instead. TrueCrypt has been unmaintained for 8 years.
@Alana I have a great reason: laziness :) However, I will make the switch if this market tells me to.
