[Cryptography] Fork of TrueCrypt

Dave Howe davehowe.pentesting at gmail.com
Wed Jun 4 10:08:03 EDT 2014


Merging in several replies :)

ianG wrote:
> Bill Cox wrote:
>> There is a discussion list for the TrueCrypt fork over at:
>> 
>> http://truecrypt.ch:2080/
>> 
>> Does anyone here know the guys behind this fork?  In their Vision 
>> statement, they said they wanted to add an auto-update feature,
>> and have the dev team working on continual feature enhancements.

> Auto-update is a key feature in keeping the user-base secure.  It's 
> the only way to get the roll-out of major critical security bug
> fixes out in o(month) as opposed to never.

Could add some enterprise-friendly features too; An OSS TC project could
get a lot more support (financial and otherwise) from corporates if
there were reasonable ways for a corporate IT desk to remote-reset the
password. There are ways to achieve that securely, while keeping control
local to the company (any system where you have to contact the vendor
for a reset key is defacto insecure)

Of course, such a solution is also a backdoor - but backdoors are ok
provided you are in control of them :)

>> If they integrate code that talks to the network on purpose, I'm 
>> going to do my own fork instead.  If they get a team adding new 
>> code constantly, I'll also have to pass on this fork.  Do they
>> know anything about crypto?

Many programs have a "check online every n days for an update" option.
The decent ones allow you to turn that off, or when on, notify you that
an update is available with a "yes/no/later" dialogue. A corporate
version could check on a corporate-controlled server for updates signed
by a corporate (internal) key (thus allowing integration with key
recovery solutions, which will almost certainly require a specific build)

> Does a higher base security for most justify a lower absolute 
> security for a few?  This is a question not a few devs have had to 
> wrestle with.

As always, the question is who has control. A feature you can easily
turn off (and verify in the source that off really does mean off) is at
worst a minor roadbump taking a few more seconds during the install process.

A feature that is on and can't be disabled would be a significant issue.

>> An auto-update feature pinging the server would alert any network 
>> snooper of exactly who was using the TrueCrypt fork.  From a 
>> security point of view, auto-update is DOA.

But would be (presumably) HTTPS from the standard site. If an attacker
can distinguish the traffic, we have bigger problems than them being
aware truecrypt is installed somewhere on your network.... if he can't,
he just knows you visited the TC site, which is in itself info of note,
but not something we can do much about.



More information about the cryptography mailing list