By Michael Pietroforte
After the revelations of Microsoft’s role in the PRISM surveillance program, I guess many security-minded IT pros began to wonder if they should still trust Microsoft’s encryption solutions and if the Open Source tool TrueCrypt might be a safer option.
I am not really known as an Open Source enthusiast, but even I was surprised when I heard about the results of the C’t magazine inquiries (2013/16, p. 118-119) regarding the trustworthiness of TrueCrypt. It is one of the mantras of the Open Source movement that the community guarantees the security of free software by relentlessly inspecting the source code for vulnerabilities and backdoors.
Whereas I had my doubts that this is always true for relatively unknown Open Source software, I assumed that at least the popular tools, such as TrueCrypt, are safe because the community is big enough to ensure that the code is clean.
I am not talking about common security holes like the FireWire attack or the Stoned hack. Implementation flaws happen to the best developers and can make even encryption schemes that have been mathematically proven secure vulnerable in practice.
What surprised me most in the C’t article is that it is unclear who is really behind TrueCrypt. The truecrypt.org domain was registered to dubious postal addresses in different countries and now belongs to TrueCrypt Developers Association LC, a letterbox company in Nevada. The digital signature of TrueCrypt 7.1a is owned by the TrueCrypt Foundation and is expired. Not really trustworthy—at least questionable—for a security solution, if you ask me.
Some Open Source supporters argue that you can always check the source code if you have doubts about the trustworthiness of the software. However, in practice, this is not really a realistic option for the average IT pro. You have to rely on people who are blessed with a lot of time.
The Ubuntu Privacy Remix Team had the time in 2011 and analyzed TrueCrypt 7.0a. They didn’t find backdoors, and their only criticism was that the key files were not well protected. However, this can only be considered a random sample. How often is someone willing to invest that much time and take as close a look as the Ubuntu team did? But there is another, perhaps bigger, problem.
How can you be sure that the downloadable binaries are based on the publicly available source code? The geeks at C’t tried to verify this and found that it is amazingly complicated. Just to give you an idea of what is needed to compile the Windows version: a particular Visual Studio 2008 version (with particular hotfixes installed), the NASM assembler, the archaic Microsoft C compiler 1.52 from 1994, PKCS header files from RSAsecurity.com, the Windows 7 SDK, and the WDK 7.1.0.
The way they describe it, it took them a while to find this combination. Nevertheless, they were still not able to produce exactly the same binaries as on the download page, although they believe that it could be done by investing “considerably more time.”
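What an IT pro can realistically check without rebuilding the software is whether the downloaded file is the one the project published and whether its digital signature is still valid. The following PowerShell script is an added example, not code from the original post or from the TrueCrypt project; the file path and the expected SHA-256 value are placeholders you have to replace with your own download and the hash published by the project.

```powershell
# Added example (not from the original post or the TrueCrypt project):
# check a downloaded installer's SHA-256 hash against a published value and
# inspect its Authenticode signature and signer certificate validity.
# Both parameter defaults are placeholders, not real values.

param(
    [string]$FilePath = 'C:\Downloads\TrueCrypt Setup 7.1a.exe',    # placeholder path
    [string]$ExpectedSha256 = '<SHA-256 published by the project>'  # placeholder, not a real hash
)

function Test-DownloadedBinary {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedHash
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path"
    }

    # 1. Does the file match the hash the project published?
    #    This only proves the download was not tampered with in transit;
    #    it says nothing about whether the binary matches the source code.
    $actualHash  = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $hashMatches = $actualHash -ieq $ExpectedHash

    # 2. Is the Authenticode signature valid, and who signed it?
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $cert = $sig.SignerCertificate
    $now  = Get-Date
    $certExpired = ($null -ne $cert) -and ($cert.NotAfter -lt $now)

    [pscustomobject]@{
        File            = $Path
        Sha256          = $actualHash
        HashMatches     = $hashMatches
        SignatureStatus = $sig.Status      # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer          = if ($cert) { $cert.Subject }  else { $null }
        CertNotAfter    = if ($cert) { $cert.NotAfter } else { $null }
        CertExpired     = $certExpired
    }
}

$result = Test-DownloadedBinary -Path $FilePath -ExpectedHash $ExpectedSha256
$result | Format-List

# Treat anything other than a matching hash and a Valid signature as a reason
# not to install the file.
if (-not $result.HashMatches -or $result.SignatureStatus -ne 'Valid') {
    Write-Warning 'Download could not be verified.'
}
```

Two caveats apply when reading the output. A signature made with a certificate that has since expired still reports a Status of Valid if the signature was timestamped while the certificate was valid, so the CertExpired field is reported separately rather than folded into the verdict. And a matching hash only shows that you received what the project intended to ship; confirming that the shipped binary corresponds to the published source is the reproducible-build exercise the C’t editors describe, which this script does not attempt.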
Just to be clear, the C’t magazine does not claim that TrueCrypt contains backdoors. The point of all this is that, even with such a popular Open Source tool as TrueCrypt, it is extremely difficult to verify trustworthiness.
You might object that in Microsoft’s case it was already known that they are working with government agencies. Agreed, but if this happens within the law, you can’t really blame Microsoft; you should blame the US government. The other question is whether you trust a letterbox company like TrueCrypt Developers Association LC to always follow the law.
In my view, it is impossible to assert with 100% certainty that a complex application contains no backdoors, even if you have the source code. Backdoors can always be disguised as vulnerabilities. If a security hole is detected later, the developers can always claim that it was just a bug. And, as we all know, you can never tell whether software is buggy just by looking at the code.
Note that I don’t claim that TrueCrypt is not trustworthy. You have to decide this for yourself. I am still using TrueCrypt to encrypt some of the files I store in the cloud. I even think that the recommendation of the C’t magazine to always compile the software yourself instead of downloading the binaries is exaggerated. The point is that even if there are some people on this planet who can open my TrueCrypt files, they are most likely not interested in my top-secret data.
I wrote this post because, in the current discussion about PRISM, some people might get the wrong impression that it is better to count on Open Source when it comes to security software. I believe there is no general rule with regard to the question of whether Open Source or Closed Source software is more secure. How much confidence you can place in an application always depends on how much you trust the developers and the people behind them.
Are you now worried about your encrypted secrets?