TrueCrypt is one of the most widely used disk-encryption applications in the world. But though it's open source, it's never had its security or features -- or its precompiled binaries -- audited thoroughly.
But now cryptography researchers Kenneth White and Matthew Green have decided to raise the money to have TrueCrypt's source code thoroughly audited by disinterested third parties. The results of the audit will be tracked on the website IsTrueCryptAuditedYet.com. (The answer thus far: No.)
Of all the encryption or security software out there with source code available, why audit TrueCrypt? Green puts it this way: "There's a shortage of high-quality and usable encryption software out there. TrueCrypt is an enormous deviation from this trend. It's nice, it's pretty, it's remarkably usable."
But the problems with TrueCrypt, especially in the post-Snowden age, are many and unnerving. For one, while some folks have looked at the source code, there's never been a really systematic, rigorous analysis of the program by professional cryptographers.
The Ubuntu Privacy Group did conduct its own analysis of the program's behavior, and while it didn't find anything that looked like an obvious backdoor, the group did find strange discrepancies in the way TrueCrypt works on different platforms, along with a possible attack on the way keyfiles are used. (They didn't find anything that looked like a backdoor, though.)
Second, since most people use the precompiled binaries of the program rather than generating the program from source code, there's speculation about whether the binaries offered at TrueCrypt's site are trustworthy. The program is also not easy to compile from its source code, as a number of people have discovered.
Finally, and maybe most important, no one knows who actually wrote the program.
The creators might well be taking pains to hide their identities to avoid being harassed, which makes sense. There might well be people foolish enough to think that threatening the creators of the program would be a way to get them to disclose a weakness in the software and thus compromise every TrueCrypt volume on the planet. (Unlikely.)
Still, as Green puts it, "I would feel better if I knew who the TrueCrypt authors were."
The audit proposed by Green and White covers four points: Have the source code audited by a professional outfit qualified to do such work; have a lawyer analyze the terms of the source code license used by TrueCrypt, which is not considered to be a true open source license due to some of its terms; pay out bounties for any bugs found in the code; and create binaries that can be verified against the source code.
Open source code is generally considered easier to secure than closed source code, but that doesn't mean open source code is automatically more secure -- it just means the auditing process is easier to conduct. Expertise is still needed -- and in the real world, expertise worth having is worth buying.
This story, "Is TrueCrypt truly secure? Let's have a fundraiser to find out," was originally published at InfoWorld.com. Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest developments in business technology news, follow InfoWorld.com on Twitter.