Monday, September 29, 2014

... Is Not Secure ...

A friend recently mentioned that BitLocker is no longer secure, and that he had migrated off of it.  This surprised me.  In my mind, they were the ones doing cryptography right, and making it available to everyone.

So why does my friend think that?  Well, their website just links to a page that says:
WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues

Well, them telling us they're not secure sounds like a very good reason to believe it isn't, but I felt the need to delve deeper.  The good news is, when it comes to IT security, you rarely need to go further than Steve Gibson.  It turns out he has a nice page on it, and is not recommending that people stop using it.

The short explanation is that the creators wanted out, and said as much in less public ways.  But without updates, who will sound the alarm if it does someday "contain unfixed security issues"?  The answer was simple.  Sound the alarm now.

So that brings us to the conundrum: do you use it?  It seems clear that they didn't sound the alarm because it is insecure, but because it probably will be someday.  But do you feel safe using a product that the designers have explicitly said is "not secure"?  I guarantee you're not going to sell your boss on it.

Personally, I'm going to keep using it.  I fully admit that one reason I won't lose any sleep over it is that I don't have anything encrypted that would be life changing if it got out.

