Slashdot Mirror
VeraCrypt Security Audit Reveals Many Flaws, Some Already Patched (helpnetsecurity.com)
Orome1 quotes Help Net Security: VeraCrypt, the free, open source disk encryption software based on TrueCrypt, has been audited by experts from cybersecurity company Quarkslab. The researchers found 8 critical, 3 medium, and 15 low-severity vulnerabilities, and some of them have already been addressed in version 1.19 of the software, which was released on the same day as the audit report [which has mitigations for the still-unpatched vulnerabilities].
Anyone want to share their experiences with VeraCrypt? Two Quarkslab engineers spent more than a month on the audit, which was funded (and requested) by the non-profit Open Source Technology Improvement Fund "to evaluate the security of the features brought by VeraCrypt since the publication of the audit results on TrueCrypt 7.1a conducted by the Open Crypto Audit Project." Their report concludes that VeraCrypt's security "is improving which is a good thing for people who want to use a disk encryption software," adding that its main developer "was very positive along the audit, answering all questions, raising issues, discussing findings constructively..."
Anyone want to share their experiences with VeraCrypt? Two Quarkslab engineers spent more than a month on the audit, which was funded (and requested) by the non-profit Open Source Technology Improvement Fund "to evaluate the security of the features brought by VeraCrypt since the publication of the audit results on TrueCrypt 7.1a conducted by the Open Crypto Audit Project." Their report concludes that VeraCrypt's security "is improving which is a good thing for people who want to use a disk encryption software," adding that its main developer "was very positive along the audit, answering all questions, raising issues, discussing findings constructively..."
VeraCrypt/True were already secure -enough-. Cracking through the holes is usually more effort than local law enforcement, your boss or the local mob will care about. If you're on the radar of worse people, they can toss you in jail or threaten your family. So while I consider better security a good thing when it doesn't increase cost or inconvenience, it's not really an essential move forward.
The bigger problem is common passwords, leaving the volume open, having open drives automatically backed up to "the cloud", emailing documents... things these security code fixes cannot address. We don't hear often that the Feds have used a security hole to extract data from a user's system.
I think so. TrueCrypt 7.1a has, as far as I remember, only local exploits that matter. In the regular scenario (laptop), there is no other user and they do not matter at all. I do not trust the VeraCrypt person.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.