QuarksLab Audit Results

2016-10-18
2021-05-13
  • Blip of Consciousness

    It would be nice if there was a central, continuously updated webpage that shows the audit findings and whether those findings have been corrected or not, for whatever reason, plus the VC version in which that correction took place. That way the users could see the current version's attack vectors.

     

    Last edit: Blip of Consciousness 2020-09-08
    • Shane Taylor

      Shane Taylor - 2020-12-26

      Blip, I second your motion. That's what I came here looking for. I just read the audit doc and wanted to find out what progress has been made regarding the findings. I am still using TrueCrypt 7.1a, but would like to upgrade to VeraCrypt to take advantage of the additional features, especially the more robust headers, but also would like to avoid the added problems found in the audit related to the TrueCrypt fixes, et al. I agree a table with the issues and some kind of indication as to completeness would be awesome. Perhaps this has been covered in the release notes, but just not in one place. If so, if someone could point them out, that would be great.

      And many thanks to Mounir for carrying on with this fantastic program, tireless efforts and valuable additions.

       
  • Mounir IDRASSI

    Mounir IDRASSI - 2020-12-27

    @grizzak: thank you for your feedback. Indeed there is no central place for the audit fixes since I put everything in the release notes.

    For the latest analysis of VeraCrypt, I would like to redirect you to the security evaluation performed by the German BSI this year, for which they published a complete report in English on December 10th 2020.
    The report can be found at the bottom of the following page: https://www.bsi.bund.de/DE/Publikationen/Studien/VeraCrypt/veracrypt.html

    I will create a new thread dedicated to this BSI security evaluation.

     
    • Shane Taylor

      Shane Taylor - 2020-12-28

      @idrassi Thank you for responding so quickly and providing the BSI assessment link. I just completed a detailed read of the entire document. Table 10 provides the information I was seeking, and it appears nearly all of the security issues that have been identified have been addressed. Thank you for that.

      I am thoroughly impressed with the detail with which BSI conducted their investigation into VeraCrypt. While initially reading the executive summary, I felt that the report was quite critical of VeraCrypt, but upon further reading I discovered that most of the negativity was related to code quality relative to standards and continued use of outdated library codebases, and not security.

      I do feel satisfied with the security VeraCrypt offers, and the improvements you've made over TrueCrypt, especially for my particular use case as file volumes. The only thing that really concerns me from the report is Chapter 6, as it relates to future code development and maintainability, as well as project longevity, particularly if you remain the sole contributor to the project given the prospect of burnout without additional help (though your efforts have been Herculean to date!).

      I only wish I had the expertise in cryptography and the system-level functionality to be able to contribute to the project in a meaningful way, such as documentation, refactoring, replacing legacy code, etc. At this point, given all the legacy code, it all seems like a MASSIVE undertaking.

      Thanks again for all your effort.

      Cheers
      Shane

       
  • E.Best

    E.Best - 2021-05-13

    https://www.bsi.bund.de/DE/Publikationen/Studien/VeraCrypt/veracrypt.html "Die gewünschte Seite wurde nicht gefunden" - Site not found!
    By the way: Quite remarkable that such an important software is maintained by just one person! Would you fly a plane so rarely checked and examined? Furthermore, there is not much convincing encryption software available, generally. Though it is an important topic nowadays! Why is VeraCrypt free, at least at first glance? Why is the programmer doing this?

     

    Last edit: E.Best 2021-05-13
