TrueCrypt, the popular open-source encryption program, on Wednesday unexpectedly recommended that users drop its product and shift to Microsoft's Bitlocker.
TrueCrypt's Web page redirected itself to a SourceForge repository, which carried the following warning:
"WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues," a note at the top of the page read. "This page exists only to help migrate existing data encrypted by TrueCrypt."
The site continued: "The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP," it read. "Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms (click here for more information). You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform."
The page then goes on to describe how users should migrate their data from TrueCrypt to an encrypted BitLocker drive.
The move was especially puzzling, given that TrueCrypt, a popular security choice for PCWorld users for several years, had recently passed the first round of a security audit. iSec, the firm that did the audit, found 11 flaws, but none that were immediately exploitable. Otherwise, iSec said it "found no evidence of backdoors or intentional flaws".
Matthew Green, who teaches cryptoanalysis at Johns Hopkins and who worked on the audit, tweeted that he thought the change was a legitimate exit on the part of the developer, and not a hack. He said that he had attempted to contact the developers, and not heard back from them yet.
In the meantime, it's probably best that users who were going to download TrueCrypt simply hold off, until more information is revealed.