0

The Gibson Research Corporation (GRC) website is offering the following page with links to download Truecrypt 7.1a.

https://www.grc.com/misc/truecrypt/truecrypt.htm

My question is, can these downloads be trusted? Is there a way to identify if the downloaded programs have been modified from the original 7.1a release?

They offer a link to another site with the hashes of all Truecrypt 7.1a files, but how can we know if we can trust this site too?

I don't think this is the same as asking "Can you trust driver download websites?" because the history behind Truecrypt is rather unique, and the original developers of the software removed the links to the 7.1a version and now offer only a download of a cut-down version of the software that doesn't encrypt volumes. The GRC website has stepped in to provide downloads of the 7.1a version, which they still argue is still fully functional and secure. This question is to address how we can trust these claims.

Jose B
    Possible duplicate of [Can you trust driver download websites?](http://security.stackexchange.com/questions/130308/can-you-trust-driver-download-websites) or [How an experienced user decides a download is safe?](http://security.stackexchange.com/questions/82239/how-an-experienced-user-decides-a-download-is-safe/82308#82308) – Steffen Ullrich Oct 29 '16 at 15:29
  • 1
    @JoseB even though the programs are different, the same trust and verification issues apply. Trust the source, the download, and the hash. – schroeder Oct 29 '16 at 16:01
  • 1
    Truecrypt software is no longer supported by the developers and it may contain security issues. It's better to use other similar software. For more info, please see `http://truecrypt.sourceforge.net/`. – Gaurav Kansal Oct 29 '16 at 16:01

1 Answer

2

Even if we assume the files on GRC are untainted, I would still recommend avoiding it because Truecrypt is no longer under development. I would recommend using VeraCrypt instead, for the following reasons:

  • VeraCrypt is an actively developed fork of Truecrypt
  • VeraCrypt can manage volumes created using Truecrypt
  • There was recently an audit performed on VeraCrypt. 26 vulnerabilities were found, 8 of which are critical, which may reflect vulnerabilities in Truecrypt code. The VeraCrypt developers have patched many of the vulnerabilities already.
    More details are available here: https://ostif.org/the-veracrypt-audit-results/
human