Audit VeraCrypt
3/12/2023

VeraCrypt is an encryption software application program that has existed in the cybersecurity market for almost a decade already. As a matter of fact, the VeraCrypt encryption software program was initially developed by a French company called IDRIX on June 13, 2013. The company was founded by a person named Mounir Idrassi, who also served as its Chief Executive Officer (CEO). There is little information about the identity of Mounir Idrassi, which has led to certain speculations that are quite unfounded. However, I was still able to find out that IDRIX, the company behind VeraCrypt, currently has a registered corporate office at 5 Avenue Ingres, 75016, Paris, France. While it is true that the encryption software application program has already been rolled out to the public for the last 7 years, there are still lots of things that need improvement in the encryption system. Based on my research, VeraCrypt is not entirely original. Most of its code came from an older piece of encryption software called TrueCrypt, which was discontinued in May 2014. As a matter of fact, it was only in August 2020 that the developers of VeraCrypt were able to create and roll out a stable release of the software application program.

This is our first major audit, and our first time showing that we can deliver on our promises in a transparent and cost-effective way. In the future we plan to audit OpenVPN, GnuPG, Off-the-Record, and if necessary OpenSSL (the status of the public CII audit of OpenSSL is unclear). We are new to this game, but we would recommend that the public avoid software in cases where we found a backdoor (or likely backdoor), if the project was uncooperative with fixing critical flaws, or if the project's audit went so badly that the project would be better to scrap entirely. In any of these cases it would be hard to gain our stamp of approval after an audit. The VeraCrypt audit went extremely well across the board. We want to audit other FDE systems in the future, but our current roadmap involves certifying a single promising app in each area of crypto that empowers people to protect their data or reach free information. This is why we have selected the five projects that we have for our initial round of audits and support (VeraCrypt, OpenVPN, GnuPG, OTR, and OpenSSL). If we were to expand that list, we would likely be adding more core infrastructure to security in new areas rather than certifying more apps in redundant areas. Think projects like nginx, mysql, openssh, etc. I wish we could just hit every project that everyone likes, and my list would be enormous, but we have finite resources to work with and securing funding is the vast majority of our work right now.

I'll start at the beginning and build up to the answer. When a programmer makes code, it has to be run through a compiler, which translates the language that the programmer has written the app in to machine language that the machine can read and understand. The original code is called the source code, and the code that went through the compiler is compiled code. Most commercial software is distributed as compiled code only. This is to prevent other people from being able to easily copy their work. Having the source code unavailable makes it so that you can have a product with trade secrets that you can sell and profit from. Open source software is different: it is run by volunteers and not for profit, but for the public good. These projects release their source code for anyone to see. This is important because open-source software can then be verified as to exactly what it does. An audit is hiring professionals, in this case the experts at QuarksLab, to comb through all of the source code for VeraCrypt and make sure that there are no serious security flaws or backdoors, and if there are flaws, that they get fixed. The public can verify that there are no back doors or serious security problems in the software. This project (OSTIF) is to audit open-source software that is widely used by the public, to verify the integrity of the code, and find and fix as many flaws in the supported software as possible. Because of our efforts, 8 critical issues were found and fixed in VeraCrypt, and we have verified that the code is generally safe and that the app does exactly what it says it does, securely. The link in the OP is to see a synopsis of the results of the audit, with a link to the full detailed technical results of the audit on the next page.