Slashdot Mirror
VeraCrypt Security Audit Reveals Many Flaws, Some Already Patched (helpnetsecurity.com)
Orome1 quotes Help Net Security: VeraCrypt, the free, open source disk encryption software based on TrueCrypt, has been audited by experts from cybersecurity company Quarkslab. The researchers found 8 critical, 3 medium, and 15 low-severity vulnerabilities, and some of them have already been addressed in version 1.19 of the software, which was released on the same day as the audit report [which has mitigations for the still-unpatched vulnerabilities].
Anyone want to share their experiences with VeraCrypt? Two Quarkslab engineers spent more than a month on the audit, which was funded (and requested) by the non-profit Open Source Technology Improvement Fund "to evaluate the security of the features brought by VeraCrypt since the publication of the audit results on TrueCrypt 7.1a conducted by the Open Crypto Audit Project." Their report concludes that VeraCrypt's security "is improving which is a good thing for people who want to use a disk encryption software," adding that its main developer "was very positive along the audit, answering all questions, raising issues, discussing findings constructively..."
Anyone want to share their experiences with VeraCrypt? Two Quarkslab engineers spent more than a month on the audit, which was funded (and requested) by the non-profit Open Source Technology Improvement Fund "to evaluate the security of the features brought by VeraCrypt since the publication of the audit results on TrueCrypt 7.1a conducted by the Open Crypto Audit Project." Their report concludes that VeraCrypt's security "is improving which is a good thing for people who want to use a disk encryption software," adding that its main developer "was very positive along the audit, answering all questions, raising issues, discussing findings constructively..."
Well, if you read the article you'll notice a long list of vulnerabilities which already existed in truecrypt and have been patched in veracrypt. Regardless of whether they're 'backdoors' or not truecrypt demonstrably has a large number of vulnerabilities that don't exist in veracrypt.
I would like this answer too, please, someone...
If you have system encryption enabled (traditional BIOS, no UEFI support) and you have a strong passphrase and you are the only user and you're not worried that anyone can physically tamper with your system boot or rescue disc - in which case they might just as well use a key logger - then there's no critical issues.
There are several nice to haves that make weak passwords stronger by increasing iterations, close various attacks that other users/processes can do and cleaning up better if you only use containers. The ugliest is probably a privilege escalation attack, malicious software can use the TrueCrypt driver to escalate to admin but if malware is running on your machine you probably have big problems anyway.
Probably the most interesting part about VeraCrypt is the potential for UEFI boot but apparently there's no way to secure erase the keyboard buffer, all you can do is reset it (which they didn't do, but do now) and hope the driver actually overwrites it. But if you can dump the entire UEFI memory area it might still be there. Hopefully legacy BIOS mode will be around for a while longer, in this case simpler is safer.
Live today, because you never know what tomorrow brings
My Apple computers do not phone home. Citation needed or stfu.
Would you like to see my little snitch logs? Mac OS gets chattier with every new release.
TrueCrypt 7.1a
TrueCrypt 7.1a hashes.
TrueCrypt from Switzerland -- Swiss Mirror