back to article Audit sees VeraCrypt kill critical password recovery, cipher flaws

Security researchers have found eight critical, three medium, and 15 low -severity vulnerabilities in a one month audit of popular encryption platform VeraCrypt. The audit is the latest in a series prompted by the shock abandoning of TrueCrypt in May 2014 due to unspecified security concerns claimed by the hitherto trusted …

  1. Anonymous Coward
    Holmes

    I'll be sticking with TrueCrypt..

    ...until hell freezes over. Or until someone discovers an as-yet unnoticed failure. Whichever comes first... and considering the astonishing amount of scrutiny it's received since (and before) its peculiar quasi-demise, I'm confident to bet my privacy it'll be the former.

    "The auditors say the review is useful and beneficial for users, but is too expensive to be conducted for every version of encryption tools. ®"

    Quite.

    1. Gotno iShit Wantno iShit

      Re: I'll be sticking with TrueCrypt..

      I'm still on TC too and will likely stay with it a while yet. But it is good that one of the successors has now been audited. Before that there was no way on earth I would move off TC. Now a comparison can be made of the known low risk vulnerabilities of TrueCrypt and the known low risk vulnerabilities of VeraCrypt. I'll have known over unknown any day.

      Anyone who dumped TC for Vera back when the ballyhoo kicked off should be feeling rather silly right now. Anyone who dumped TC for something else that hasn't yet been publicly audited should be feeling very nervous indeed.

      1. Charles 9 Silver badge

        Re: I'll be sticking with TrueCrypt..

        I switched from TC to VC, and I don't feel silly. For the most part, it's improved on TC and dealt with a few problems that turned. Since I don't use the more esoteric functions, I haven't had much to worry about at this point.

      2. Destroy All Monsters Silver badge
        Paris Hilton

        Re: I'll be sticking with TrueCrypt..

        Anyone who dumped TC for Vera back when the ballyhoo kicked off should be feeling rather silly right now.

        I don't understand. Isn't VeraCrypt basically TrueCrypt + some extras? Meaning TrueCrypt is the unaudited, buggy version and will stay that way?

        1. Anonymous Coward
          Anonymous Coward

          Re: I'll be sticking with TrueCrypt..

          I don't understand. Isn't VeraCrypt basically TrueCrypt + some extras? Meaning TrueCrypt is the unaudited, buggy version and will stay that way?

          Uh oh, is Wikipedia down again?

          :)

          1. Destroy All Monsters Silver badge
            Headmaster

            Re: I'll be sticking with TrueCrypt..

            Uh oh, is Wikipedia down again?

            Get up your lazy arse and at least write a one-liner, millenial slacker.

            1. Anonymous Coward
              Anonymous Coward

              Re: I'll be sticking with TrueCrypt..

              Get up your lazy arse and at least write a one-liner, millenial slacker.

              1 - isn't it "get OFF your lazy arse"?

              2 - that WAS a one-liner;

              3 - I think it's worth reserving answers for sensible questions or for humorous effect. That question wasn't, as 1 sec worth of searching would have turned up the Wikipedia article where all of what was asked was explained. If the commentard would have asked for details of what he/she had looked up I would have bothered to find a sensible answer, but being too stupid/lazy/vapid/(etc) to look up something declassifies that question as worthy of a considered reply and justifies turning it into a target of derision, in context executed rather gently.

              4 - the above may be a hint that your "millennial" classification was a miss too :).

              So there.

              1. Destroy All Monsters Silver badge

                Re: I'll be sticking with TrueCrypt..

                You seem to be a right suave know-it-all motherfucker.

                1. Anonymous Coward
                  Anonymous Coward

                  Re: I'll be sticking with TrueCrypt..

                  You seem to be a right suave know-it-all motherfucker.

                  Why thank you, Sir. I'm also a terrible windup, but don't tell anyone.

                  :)

    2. Anonymous Coward
      Anonymous Coward

      Re: I'll be sticking with TrueCrypt..

      "Fix issues raised by Quarkslab audit:

      Fix leak of password length in MBR bootloader inherited from TrueCrypt."

    3. Anonymous Coward
      Anonymous Coward

      Re: I'll be sticking with TrueCrypt..

      TrueCrypt has a flaw in it that allows hidden volumes to be detected.

      Earlier versions of VeraCrypt also have this problem, but was fixed in version 1.18...

      https://veracrypt.codeplex.com/discussions/657302

      Besides, VeraCrypt supports (since 1.17) passwords containing things like Kanji, Russian characters, etc.

      1. Cynic_999 Silver badge

        Re: I'll be sticking with TrueCrypt..

        "

        TrueCrypt has a flaw in it that allows hidden volumes to be detected

        "

        I'm far from convinced that that is the case. My reading of the discussion referred to is that some guy reported that he could detect the presence of a hidden volume, and scored a high success rate in a test, the details of which have not been specified, and refuses to say how he was able to tell the difference. The Veracrypt developer went into panic mode, took a wild guess at how the detection worked, and claims it is fixed. Quite frankly the guess as to the mechanism is not very plausible, as it would mean that it is possible to detect the presence of a block of plaintext zeros by analysing the ciphertext - and if that is true there are far bigger problems than the detection of a hidden volume.

        Depending on how the test was carried out, I can think of a couple of magicians' tricks that would enable someone to make a fairly accurate guess as to which files contain encrypted volumes and which do not that would be of no concern in any real application.

  2. Anonymous Coward
    Anonymous Coward

    You'd think this would get government funding..

    I am surprised it's so hard to find funding for it.

    Given the massive problems UK government has had with lost data I would have thought that an audited version would be very attractive to have anywhere where data is sent via insecure means. I guess the fear that someone leaks something undetectable is greater that the worry about leaking data - after all, that never has any real consequences. Fines are basically paid by the tax payer anyway.

    OK, it appears I answered myself here :).

    1. monty75

      Re: You'd think this would get government funding..

      A bigger benefit would come from persuading government agencies to actually use encryption. The number of breaches that came from unencrypted data being passed around far outweigh those caused by someone exploiting bugs in encryption software.

      Also (black helicopter alert!), why would the government want us plebs to have strong encryption?

  3. Peter X

    Vera vs True

    One thing that has caused me not to use VC yet is that it will no longer create TrueCrypt containers; according to Wikipedia that's because "The VeraCrypt development team believes that the old TrueCrypt format is too vulnerable to an NSA attack and thus it must be abandoned."

    Which is fine... but up until now I've not been inclined to switch.

    Also, it's source repo is on CodePlex... and that place always has a funny smell to it!

    So is it time to switch or should I wait another year to so before thinking about it?

    1. Anonymous Coward
      Anonymous Coward

      Re: Vera vs True

      "One thing that has caused me not to use VC yet is that it will no longer create TrueCrypt containers;"

      VC won't MAKE TrueCrypt containers (and this new version deprecates a cipher), but it'll still let you USE them. Just remember to toggle the TrueCrypt option when accessing it. One of the reasons VC doesn't trust the TC container is that it doesn't use enough rounds in its key generation processes. That's the main reason VC takes more time to initially access: lots more rounds, which makes obtaining the volume key much more difficult.

      "Also, it's source repo is on CodePlex... and that place always has a funny smell to it!"

      Then you can always explore the GitHub source repo.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019