Journalists who use the popular encryption tool TrueCrypt can relax. There is no evidence of any new or dangerous vulnerability in TrueCrypt, despite a recent scare over its integrity.
Six weeks ago, technologist and journalist Runa Sandvik reported in Forbes about a worrying notice on TrueCrypt’s website: a warning that the software is “not secure,” with instructions to replace it. Given recent news about critical technical vulnerabilities in other security software, this unexpected posting prompted widespread concern about the status of the open-source project and the security of TrueCrypt software.
CPJ initially concluded that despite the announcement, there was no apparent cause for alarm. With additional evidence released in the following weeks, CPJ is increasingly confident of its initial assessment that the TrueCrypt development team simply decided to discontinue development of the software, albeit in a particularly dramatic fashion. The developers’ reasons for this remain the subject of speculation, and given their carefully-guarded anonymity and reluctance to discuss their work, we are unlikely to ever know their reasons for sure.
There remains no new evidence of a novel vulnerability in TrueCrypt. In fact, the results of a multi-part audit to which TrueCrypt is being subjected have thus far been largely positive. Journalists are as safe using TrueCrypt today as they were last week, and will be next week.
Existing users of TrueCrypt 7.1 or 7.1a can and should continue to use those versions. TrueCrypt 7.1 is the version currently undergoing the audit, which is being organized by the Open Crypto Audit project. CPJ recommends against downloading or installing the 7.2 version of TrueCrypt, as that version has limited functionality.
The main TrueCrypt website no longer provides TrueCrypt 7.1 or 7.1a for download. CPJ recommends using the TrueCrypt archive maintained by Jurre van Bergen and Stefan Sundin. All versions of TrueCrypt have been digitally signed, and those signatures are available in the archive. Be sure to verify the authenticity of a download’s digital signature before use. To CPJ’s knowledge the fingerprint of TrueCrypt’s GPG code-signing certificate is:
C5F4 BAC4 A7B2 2DB8 B8F8 5538 E3BA 73CA F0D6 B1E0
Journalists should be cautious about downloading TrueCrypt elsewhere, as the current uncertainty about the program could be exploited by individuals or organizations seeking to distribute maliciously modified versions of the software.
Although much uncertainty remains about the future of TrueCrypt, journalists should not consign their existing installations to their computers’ recycling bins just yet. Because TrueCrypt is open-source, it is possible that a new team may continue developing the program in the future, possibly under a new name.
But watchfulness is advised. Given the importance of strong encryption to protecting one’s sources, it is crucial that journalists use–and be able to trust–the best tools available to them. With TrueCrypt’s future now uncertain, it may be prudent to consider transitioning to other software in the medium-to-long term.
CPJ will continue to monitor this situation and will provide additional guidance as developments occur.
Editor’s note: This post, originally titled “Journalists can safely use TrueCrypt, for now,” was updated on July 7, 2014, to reflect CPJ’s increased confidence that the recent events are a result of the TrueCrypt developers’ decision to discontinue work on the project, rather than the discovery of a new vulnerability.