TrueCrypt: True Security, True Licensing

TrueCrypt was a great open-source encryption program. It created files that, when opened by the program, looked to your computer like an additional drive. Any files placed in that drive would be encrypted and protected from prying eyes.

Why would you do it?

  1. To keep files protected on your computer.
  2. To send files securely from one person to another.
  3. To protect files that you might store in the cloud, for example, on Dropbox.

I believe that the growth of the cloud, and the need to store and share files on someone else's (untrusted) servers, were a major impetus behind the growth of TrueCrypt.

TrueCrypt was great because of its simplicity, availability on all major platforms - Windows, Mac and Linux - and open-source nature. Anyone could read the code and contribute to it.

For most software, open-source is an advantage, a plus, but not critical. For encryption programs, open-source is crucial. The only way to know that a piece of software really is secure is to have many smart people take it apart. Very few companies have the resources to do so in-house, and even the largest only have dedicated a small number of people to analyzing encryption software.

Open-source software, on the other hand, is exposed to the entire user community of the Internet. Hundreds or thousands of smart people can look at different parts of the code and, jointly, find far more weaknesses - and fix them - than any one firm.

It is this very social nature that has led to the incredibly fast rate of improvement in open-source software. Fifteen years ago, almost all software was owned by companies, today more and more is open-source:

  • Operating systems: Windows to Linux
  • Web servers: Netscape to Apache and Nginx
  • Browsers: Netscape and Internet Explorer to Chromium and Firefox
  • Application servers: ColdFusion and IIS to JBoss and Jetty

Because errors and weaknesses in security software do not mean a failed page or bad data but leaked secure data, the level of review is crucial.

Just under a year ago, the TrueCrypt team surprised everyone with an announcement that they were stopping development of TrueCrypt immediately. In addition:

WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues

On the heels of the Snowden leaks, speculation was rampant that the NSA had gotten to the developers, leading them to choose to cancel the product rather than compromise the security of their users.

Either way, the question became, was TrueCrypt - as of its last release - actually secure?

Last week, a group known as "Open Crypto Audit Project" completed their audit of TrueCrypt. In short, minus a few vulnerabilities, TrueCrypt was reasonably secure. There were no backdoors or other glaring or deliberate weaknesses.

Many who used TrueCrypt - and continue to do so - can breathe a sigh of relief. Additionally, those projects that grew out of TrueCrypt, forks such as VeraCrypt and CipherShed, which already fixed the stated vulnerabilities, can feel comfortable in continuing their work.

As with TrueCrypt, CipherShed and VeraCrypt are open-source, which exposes them to the same community-wide auditing as the original TrueCrypt.

The remaining question, then, is licensing. Do the developers of VeraCrypt and CipherShed have the right to use the TrueCrypt code as a basis for their products? This is a very sensitive area, one in which many companies stumble.

In short:

  • Just because software is available for free download does not necessarily mean you can use it in your product.
  • Just because software's source code is available for download does not necessarily mean you can modify and use it in your product.
  • You need to know the different licenses to understand what you can and cannot do with software products.

Unlike most open-source software, which uses one of a few well-known licenses , whose rules are clearly understood, TrueCrypt used a custom license called the "TrueCrypt license" (copy here).

Unlike how many interpreted it, TrueCrypt actually does allow forks, copies, modifications and other work with the source code. It just explicitly requires the modifier not to call their version TrueCrypt, imply that it is TrueCrypt, reference the TrueCrypt product or Website as some part of it. In short, "do what you want, but don't pretend you are us or that we are responsible for you."

Last year, I performed an audit of an acquisition target for a company. While I focused on the quality of the product they were contemplating purchasing and its ability to integrate with the acquirer's platform, I also did a complete review of software components integrated into the acquisition target. I wanted the acquirer to understand the complete risk profile of the target.

Summary

TrueCrypt was a great product. We may never understand why the developers chose to shut down the product, rather than keep it alive or, at the very least, hand it off to new volunteers from the community.

TrueCrypt's open-source nature allowed for it both to be audited and to be picked up and given a new lease on life. If it had been traditional, closed-source, commercial software, neither of these would have been possible.

The TrueCrypt story also highlights the complexity of encryption, and how hard it is to get it right. If you have to do cryptography anywhere, even as simple as password hashing, never implement it yourself! Use tried, true and tested open-source libraries available for your platform.

Finally, you must understand the licenses of your software, or your risk being in copyright violation. For a startup, this is especially important, as the legal liabilities could put your entire business at risk.

Do you know where you perform encryption in your product? Everyone does it, few know where. Do you know if you are using reliable and tested libraries or homegrown weak encryption?

Are you aware of all of the products integrated into your product? Do you know all of their licenses? Are you at risk of losing it all over copyright violations? What will your next investor, partner or acquirer discover when it matters the most?

Ask us to review your software and find your risks... before they do!