Fwd: is truecrypt dead?
Matej Kovacic <[email protected]> writes:
> just for info, TrueCrypt is being audited, and phase 1 report is quite
> good.
No, no it wasn't. Here's the report:
> https://opencryptoaudit.org/reports/iSec_Final_Open_Crypto_Audit_Project_TrueCrypt_Security_Assessment.pdf
Take a minute to read it, I'll wait. Pay particular attention to pages
11 and 12, where they define the severity classes. Having a "Medium"
severity vulnerability means:
> Individual user's information at risk, exploitation would be bad for
> client's reputation, moderate financial impact, possible legal
> implications for client
So when they state that there are no less than *four* vulnerabilities
that they found in this class, that is *far from quite good*.
Thankfully, three of them are classified as difficulty: high to exploit,
but the "Weak Volume Header key derivation algorithm" is only
difficulty: medium, which, referring again to pages 11 and 12, is quite
exploitable.