On Steve Gibson's blog, https://www.grc.com/misc/truecrypt/truecrypt.htm, he indicates that “We should know much more about a trustworthy TrueCrypt in the late summer of 2014.” It is now officially fall and I cannot find any information on how phase II is progressing, even after doing a variety of searches with Google using several different search terms. The latest entry on the “official” audit page, http://istruecryptauditedyet.com/, dated April 14, 2014, indicates that phase I is complete and that “Phase II begins on the formal cryptanalysis.” That was over six months ago. Has there been any news on how the audit is progressing? You would think someone would have time to post at least a couple of lines, even if it isn’t complete, to keep the people who donated funds for the audit informed.
TrueCrypt audit status: unknown. The 2 announced TrueCrypt successors (TCNext and CipherShed): all quiet, nothing released. It's a strange situation. The last version of TrueCrypt was downloaded 4 million times, and there was once an active user forum. Now there is just silence. Where did everyone go? LOL
I guess the publication of any information before they've completed is dangerous, because people at risk could take the wrong call. However, I see nothing wrong with publishing updates of planned dates and so on. So yeah, this is very worrying. It'll be quite a while before successors can take up the reins; I'm not surprised they haven't released anything so far, and I'd be suspicious of quality if they had.
J_L, you're right, I forgot to add VeraCrypt to the mix. However, consider the following: (1) VeraCrypt claims to be more secure than TC (more iterations during RIPEMD160 and SHA-2 encryption). This may be true, but the entire encryption / decryption process has not been independently reviewed. (2) On its own page, VeraCrypt claims that its latest version (released September 4) has approx. 18,000 downloads. I don't wish to judge the effectiveness of VeraCrypt, nor can I. However, the download data hints that VeraCrypt has not been widely adopted by the millions of TrueCrypt users. My wild guess is that a very large % are still using TC on a "wait and see" basis.
I was not aware of there actually being some forks until after I started this thread. Since then I have downloaded VeraCrypt and installed it. What I found in using it is that it looks very similar to TrueCrypt. I guess that is not all that surprising since it is a fork of TrueCrypt, but to my mind it makes the TrueCrypt audit even more important. I know the author of VeraCrypt indicates that he looked at the source code and found there were no problems or back doors, and that he actually altered the code a bit to improve the security, but the foundation of it is still TrueCrypt. The bottom line is that until we know how safe and secure TrueCrypt is, we have no way of knowing if the starting point for the forks is safe and secure. If the audit finds a weakness in TrueCrypt, I would bet that all the forks will have it as well. I agree with deBoetie that I can see no reason for not publishing timelines and providing some indication of progress. The fact that it is taking so long certainly gives the appearance of the auditors doing a detailed analysis, but it is just that, the “appearance”. For all anyone knows they could do nothing for many months and then do a quick once-over in two weeks' time and say it took many months. Who is auditing the auditors? In the end, for the average user who is not versed in cryptography and programming, using any encryption program is based on faith, and ever since the authors of TrueCrypt cast doubts on their work my faith has been shaken for all encryption programs.
What's really happening is impossible to say. I have to wonder if the auditors are being coerced or silenced. Possible scenario: if the audit found a fatal flaw, would the government use an NSL or another country's equivalent to prevent its revelation as a national security issue, so that only they could use it?
It is all very, very suspicious: the developers announcing they are abandoning the project in the middle of the audit, and now, 6 months after phase 2 was supposed to have begun, not a word about it. Everything is very suspicious; you no longer know whose opinion to trust on anything.
Without hearing from the developers in a verifiable way, we can't know if they did abandon TrueCrypt or if they're even alive. IMO, this whole thing stinks of deception, coercion, and creating doubt among users. I'm not a TC user, but if I were, I'd stay with the last known good version. I still think that there's nothing wrong with TC itself, but that something was found to be very wrong with Windows.
I am on your "page". I will defend TC to the end until I know something different. Windows, on the other hand, is another story: no proof, just an educated guess.
Agreed on pretty much all counts. It reeks of them being coerced, as you said, to abandon the project by a three-letter agency they hinted at, not even subtly. And the way they said it made it sound like they can't guarantee your safety anymore because XP is no longer supported, and they trust no MS OS since, more so than an indictment of their own product. They don't really recommend BitLocker, but rather just say you may as well just use it because it doesn't matter anyhow post-XP. It's something I've suspected for a long time now, and this has only confirmed it all the more. And I don't even trust any of these auditors... I don't know them or anything about them. Until I personally see people's volumes being decrypted before my very eyes, I'm not going anywhere. Currently using v7.1, and I suspect I will continue to for a long time.
Maybe there'll be no absolute way to confirm TC's security, but I personally hope the auditors are still doing their job well and they're genuine. Some will laugh at me as too optimistic, but simply there are not so many alternatives. DiskCryptor doesn't support container usage, and VHD mount is not convenient at all and doesn't even support Linux. BestCrypt is paid, and I don't know how secure they are. VeraCrypt is almost the same as TC and has a serious performance issue. As for EncFS with Dokan, EncFS has been shown to be not robust (though I'm looking forward to an update) and Dokan is almost abandoned software. BitLocker? My Windows doesn't support it, and anyway it doesn't support Linux. Yeah, TC is the best until a serious vulnerability is discovered.