Participants in Open Crypto Audit Project Consider Fork of TrueCrypt
Participants in the Open Crypto Audit Project, which checks the source code of the open source encryption tool TrueCrypt for possible security holes, have indicated that they are considering a TrueCrypt fork. However, there are doubts whether the license allows this.
Earlier this week, an unexpected announcement appeared on the TrueCrypt page on SourceForge stating that the anonymous development team had stopped developing the encryption software with immediate effect. Microsoft's discontinuation of Windows XP support was cited as the reason. The announcement also said that TrueCrypt should no longer be used because it is insecure. A new version 7.2, released online, can only decrypt existing TrueCrypt containers, and users were redirected to Microsoft's BitLocker.
The announcements on the TrueCrypt page caused a lot of commotion and speculation. Many users thought that the site, and possibly the software, had been compromised by hackers, but there were also rumors that the creators had been pressured by an unknown party to stop the project.
Matthew Green, a participant in the Open Crypto Audit Project, thinks the TrueCrypt team pulled the plug on the project themselves. Among other things, the fact that the latest TrueCrypt version was signed with the correct key, together with unaltered DNS and WHOIS records, makes that likely. Although Green has indirect contact with the anonymous developers, he has not yet received an explanation of the development team's motives. A colleague, however, reportedly received an email saying: "We've worked hard on this for 10 years. Nothing lasts forever."
Green goes on to say on the KrebsOnSecurity blog that he hopes a fork of the TrueCrypt code will be made. No security holes or backdoors were found during the first audit round, and further development of the source code by another team could improve its quality. An anonymous developer who claims to represent a team of security specialists has already told Reuters, anonymously, that they want to fork TrueCrypt.
One potential problem is TrueCrypt's license. Although the code is open source, the license does not give users the explicit right to build a new encryption tool based on it. Green does not have a solution for that yet, but says any fork should get a clearer open source license. The Open Crypto Audit Project is nevertheless continuing to review the source code in a second audit round, partly because the organization still has money left.