A group of developers has decided to continue supporting free encryption tool TrueCrypt which appeared to have suddenly closed its doors last week, leaving customers angry and confused.
A new website has been created at truecrypt.ch where Thomas Bruderer and Joseph Doekbrijder are co-ordinating efforts to make existing versions of the product available again and eventually to fork the code for future development.
Before this happens they will need to get “interested and capable” people on board on the technical and legal side, and then wait for the results of an on-going security audit of the code which could hold the key to why it was abandoned in the first place.
As the new '.ch' domain suggests, the new TrueCrypt project has been moved to Switzerland, in order to “guarantee no interruption due to legal threats” which may come from the US authorities.
Recently launched encrypted email service ProtonMail also decided to base itself out of Swiss datacenters for similar reasons.
The new development team is also making a break with the past in revealing their names. TrueCrypt’s original authors famously stayed anonymous, adding to the mystery surrounding why they ditched the service last week.
The TrueCrypt.ch project claims to offer “all the downloads which are not available at TrueCrypt.org at the moment” and a link to the TrueCrypt Source on GitHub.
“Currently it is very unclear what really happened. Was it really just the end of a 10-year effort, or was it driven by some government. While a simple defacement is more and more unlikely we still don't know where this is going,” wrote Bruderer and Doekbrijder.
“However the last 36 hours showed clearly that TrueCrypt is a fragile product and must be based on more solid ground. We start now with offering to download the Truecrypt file as is, and we hope we can organize a solid base for the Future.”
TrueCrypt’s original development team shocked users of the product last week when they abruptly redirected visitors to its homepage to a sourceforge page claiming that it “may contain unfixed security issues”.
They also claimed that TrueCrypt was terminated since Windows Vista/7/8 already offers built-in disk encryption in the form of BitLocker.
A new “decrypt only” version, TrueCrypt 7.2, was made available for download for Windows, Mac OS X and Linux users.
Some have speculated that the developers shut the service down before the on-going security audit of its code found some serious vulnerabilities. Others argued that the shutdown may have been forced by the US authorities, as they did with secure email service Lavabit.
Security researcher Steve Gibson wrote in a lengthy post that TrueCrypt is still safe to use and that its shutdown had been well planned by its original development team.
“For reasons that remain a titillating source of hypothesis, intrigue and paranoia, TrueCrypt's developers chose not to graciously turn their beloved creation over to a wider Internet development community, but rather, as has always been their right granted by TrueCrypt's longstanding license, to attempt to kill it off by creating a dramatically neutered 7.2 version that can only be used to view, but no longer to create new, TrueCrypt volumes,” he added.
“But that's not the way the Internet works. Having created something of such enduring value, which inherently requires significant trust and buy-in, they are rightly unable to now take it back. They might be done with it, but the rest of us are not.”