VeraCrypt Security Audit Reveals Many Flaws, Some Already Patched

Orome1 quotes Help Net Security: VeraCrypt, the free, open source disk encryption software based on TrueCrypt, has been audited by experts from cybersecurity company Quarkslab. The researchers found 8 critical, 3 medium, and 15 low-severity vulnerabilities, and some of them have already been addressed in version 1.19 of the software, which was released on the same day as the audit report [which has mitigations for the still-unpatched vulnerabilities].
Anyone want to share their experiences with VeraCrypt? Two Quarkslab engineers spent more than a month on the audit, which was funded (and requested) by the non-profit Open Source Technology Improvement Fund "to evaluate the security of the features brought by VeraCrypt since the publication of the audit results on TrueCrypt 7.1a conducted by the Open Crypto Audit Project." Their report concludes that VeraCrypt's security "is improving which is a good thing for people who want to use a disk encryption software," adding that its main developer "was very positive along the audit, answering all questions, raising issues, discussing findings constructively..."

Should we be using TrueCrypt 7.1a instead?

Honest question. Should we be using TrueCrypt 7.1a instead? I, personally, am. We live in scary times, and it is hard to trust any authority. I feel that TrueCrypt 7.1a, the last version prior to the strange shut down of the project, is probably less likely to have backdoors than any of the newer TrueCrypt versions or forks (specifically, VeraCrypt and CipherShed). Can someone convince me otherwise?

Re: Should we be using TrueCrypt 7.1a instead?

[gweihir]

The length of the list of vulnerabilities is completely irrelevant. What matters is whether they are a risk in the specific deployment scenario. Security cannot be estimated without understanding.

I use it and appreciate the developer's approach.

[RoverDaddy]

I am not a security expert and can't tell you whether Veracrypt is 100% secure, but I've been using it and I'm reasonably convinced that at least nobody short of a 'state actor' is likely to get at my data, and they're not the people I'm securing data from. It's the petty thieves who might steal my backup drives, or somebody who finds a USB stick I accidentally drop on the ground, that I'm protecting myself from.

I've been to the support forums for Veracrypt and my impression is the developer is trying hard to be transparent and responsive and make the product as secure as possible.

Re:Needs improvement

[ledow]

I'd be MUCH more worried if said audit produced nothing at all.

The fact that the flaws are mostly in the new bootloader code - new, untested, complicated - is EXACTLY right. You don't need to use that bootloader, and TrueCrypt NEVER had that kind of bootloader (so the choice is nothing or VeraCrypt in that instance).

There is nothing to suggest that the people behind TrueCrypt were any better - their audit turned up stuff too, and that was YEARS and YEARS after their first releases. VeraCrypt code hasn't had even have that amount of time to catch up.

So I don't see a problem. I've used both. TrueCrypt is going to stop working eventually - whether that's because UEFI bootloaders become ubiquitous, which is what MS are pushing for, or some other reason.

Where security is concerned, better a project that people are actively working on (i.e. looking for, and fixing, flaws) than something that was once secure stagnating because nobody is coding on it. Take OpenSSL and OpenOffice as the prime examples of this lately.

Illusion of secure encryption on an insecure OS

[ffkom]

Veracrypt may provide decent cryptographic functionality, but given that its main audience is Windows and Mac users, the two huge security holes they cannot fix are called "MicroSoft" and "Apple". You can make Veracrypt as secure and error-free as you want, as long as it has to expose the decrypted data to some commercial, closed-source operating system that phones home like crazy to provide its manufacturer with valuable data, there is no actual security. Not to mention the backdoors builtin for certain 3-letter-agencies.

Re:Illusion of secure encryption on an insecure OS

[jbn-o]

Indeed; there are many reasons not to do business with Apple and many reasons to never use proprietary, user-subjugating software. Contrary to one of the follow-ups to the parent post, this has everything to do with TrueCrypt, VeraCrypt, and any other free software to which one entrusts their sensitive information. There's nothing these programs can do to fix the real problem. The user has to switch operating systems to a fully free software, user-respecting OS and install only free software on top of that to do the best we can do to avoid the aforementioned problems. So while nobody can blame these free software programs for leaked keys, passphrases, and other leaked information there's no reason to trust the underlying proprietary software these free programs rely on to do everything they do when running on non-free OSes.

VeraCrypt is sponsored by Microsoft?

[Futurepower(R)]

VeraCrypt is hosted on a Microsoft web site: VeraCrypt at codeplex.com.

That scares me. Consider this Network World article: Windows 10 is possibly the worst spyware ever made. Quote: "Buried in the service agreement is permission to poke through everything on your PC."