Quarkslab VeraCrypt Audit Results
https://ostif.org/the-veracrypt-audit-results/
https://ostif.org/wp-content/uploads/2016/10/VeraCrypt-Audit-Final-for-Publi...
https://ostif.org/ostif-quarklab-and-veracrypt-e-mails-are-being-intercepted...

VeraCrypt 1.18 and its bootloaders were evaluated. This release included a number of new features including non-western developed encryption options, a boot loader that supports UEFI (modern BIOSes), and more.

Quarkslab found:
8 Critical Vulnerabilities
3 Medium Vulnerabilities
15 Low or Informational Vulnerabilities / Concerns

This public disclosure of these vulnerabilities coincides with the release of VeraCrypt 1.19, which fixes the vast majority of these high priority concerns. Some of these issues have not been fixed due to high complexity for the proposed fixes, but workarounds have been presented in the documentation for VeraCrypt.
On 18 October 2016 22:38:43 GMT+01:00, grarpamp <grarpamp@gmail.com> wrote:
> https://ostif.org/the-veracrypt-audit-results/
> https://ostif.org/wp-content/uploads/2016/10/VeraCrypt-Audit-Final-for-Publi...
> https://ostif.org/ostif-quarklab-and-veracrypt-e-mails-are-being-intercepted...
>
> VeraCrypt 1.18 and its bootloaders were evaluated. This release included a number of new features including non-western developed encryption options, a boot loader that supports UEFI (modern BIOSes), and more.
>
> Quarkslab found:
> 8 Critical Vulnerabilities
> 3 Medium Vulnerabilities
> 15 Low or Informational Vulnerabilities / Concerns
>
> This public disclosure of these vulnerabilities coincides with the release of VeraCrypt 1.19, which fixes the vast majority of these high priority concerns. Some of these issues have not been fixed due to high complexity for the proposed fixes, but workarounds have been presented in the documentation for VeraCrypt.
Are ostif.org a big target for DDoS? They hide behind Cloudflare and so become another useful site for gathering intel on ppl who would like to encrypt their files.
On Tue, Oct 18, 2016 at 5:55 PM, oshwm <oshwm@openmailbox.org> wrote:
> Are ostif.org a big target for DDoS? They hide behind Cloudflare and so become another useful site for gathering intel on ppl who would like to encrypt their files.
Lol, true. Though there may be no browser cf cookie linking, (excepting the info integrated and bought sold on backend among sites servers, cf, and agencies entities), check if your browser reuses the same cf tls session keys / metadata for cf across sites...
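The check grarpamp suggests, reading the resumption tokens out of captured ClientHellos and looking for one token presented to more than one hostname, as an added example (my code, not from this thread or from Cloudflare). It handles the three tokens that let a server link two connections: the TLS 1.2 session ID, an RFC 5077 session ticket (extension 35) and a TLS 1.3 PSK identity (extension 41). The hostnames, ticket bytes and ClientHello builder are constructed inline so it runs offline; on a real capture (e.g. `tcpdump -w` on port 443) a ClientHello may be split across records, which this parser does not handle.

```python
"""Find TLS resumption tokens presented to more than one SNI hostname.

Added example: parses one TLS handshake record per ClientHello and groups the
session ID, session ticket (ext 35) and PSK identities (ext 41) by the SNI
they were sent to. A token seen under two hostnames means the server (or CDN
edge) can link the two visits even without cookies.
"""
import os
import struct


def build_client_hello(sni, session_id=b"", ticket=None, psk_identity=None):
    """Constructed ClientHello (TLS 1.2 framing, one cipher suite) for testing;
    real browsers send far more extensions, which the parser simply skips."""
    name = sni.encode("ascii")
    sni_data = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    exts = struct.pack("!HH", 0, len(sni_data)) + sni_data
    if ticket is not None:
        exts += struct.pack("!HH", 35, len(ticket)) + ticket
    if psk_identity is not None:
        ident = struct.pack("!H", len(psk_identity)) + psk_identity + struct.pack("!I", 0)
        identities = struct.pack("!H", len(ident)) + ident
        binder = b"\x20" + b"\x00" * 32          # placeholder binder, not a real HMAC
        binders = struct.pack("!H", len(binder)) + binder
        data = identities + binders
        exts += struct.pack("!HH", 41, len(data)) + data
    body = (b"\x03\x03" + os.urandom(32)
            + struct.pack("!B", len(session_id)) + session_id
            + struct.pack("!H", 2) + b"\xc0\x2f"     # one cipher suite
            + b"\x01\x00"                             # compression: null only
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def parse_client_hello(rec):
    """Return sni, session_id, ticket and psk_identities from one handshake record."""
    if rec[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = rec[5:5 + struct.unpack("!H", rec[3:5])[0]]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    p = 2 + 32                                   # skip client_version and random
    sid_len = body[p]; p += 1
    out = {"sni": None, "session_id": body[p:p + sid_len], "ticket": None, "psk_identities": []}
    p += sid_len
    p += 2 + struct.unpack("!H", body[p:p + 2])[0]   # cipher suites
    p += 1 + body[p]                                  # compression methods
    if p + 2 > len(body):
        return out                                    # no extensions at all
    end = p + 2 + struct.unpack("!H", body[p:p + 2])[0]; p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", body[p:p + 4]); p += 4
        data = body[p:p + elen]; p += elen
        if etype == 0:                               # server_name: list len, then (type, len, name)
            q = 2
            while q + 3 <= len(data):
                ntype, nlen = data[q], struct.unpack("!H", data[q + 1:q + 3])[0]; q += 3
                if ntype == 0:
                    out["sni"] = data[q:q + nlen].decode("ascii", "replace")
                q += nlen
        elif etype == 35:                            # session_ticket: opaque ticket, empty = "please issue one"
            out["ticket"] = data
        elif etype == 41:                            # pre_shared_key: identities only, binders ignored
            ilen = struct.unpack("!H", data[:2])[0]; q = 2
            while q + 2 <= 2 + ilen:
                n = struct.unpack("!H", data[q:q + 2])[0]; q += 2
                out["psk_identities"].append(data[q:q + n]); q += n + 4   # skip obfuscated_ticket_age
    return out


def cross_site_reuse(records):
    """Map each resumption token to the hostnames it was presented to and keep
    only tokens seen under more than one SNI: those are cross-site linkable."""
    seen = {}
    for rec in records:
        h = parse_client_hello(rec)
        tokens = [("psk", i) for i in h["psk_identities"]]
        if h["session_id"]:
            tokens.append(("session_id", h["session_id"]))
        if h["ticket"]:                              # empty ticket ext carries no state
            tokens.append(("ticket", h["ticket"]))
        for t in tokens:
            seen.setdefault(t, set()).add(h["sni"])
    return {t: sorted(hosts) for t, hosts in seen.items() if len(hosts) > 1}


def demo():
    """Constructed capture: one ticket reused against two CDN-fronted hosts."""
    shared = b"\xaa" * 48
    hellos = [
        build_client_hello("ostif.org", ticket=shared),
        build_client_hello("example.net", ticket=shared),       # same ticket, different site
        build_client_hello("example.org", ticket=b"\xbb" * 48),  # fresh ticket, unlinked
        build_client_hello("example.org", psk_identity=b"p" * 16),
    ]
    return cross_site_reuse(hellos)


if __name__ == "__main__":
    for (kind, token), hosts in demo().items():
        print("%s %s... presented to %s" % (kind, token[:4].hex(), ", ".join(hosts)))
```

Whether a browser actually does this depends on the browser and version, and on whether it partitions its TLS session cache per site; feeding the ClientHellos from your own capture into `cross_site_reuse` answers it for your setup rather than by assumption.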
On Tue, Oct 18, 2016 at 05:38:43PM -0400, grarpamp wrote:
> https://ostif.org/the-veracrypt-audit-results/
> https://ostif.org/wp-content/uploads/2016/10/VeraCrypt-Audit-Final-for-Publi...
> https://ostif.org/ostif-quarklab-and-veracrypt-e-mails-are-being-intercepted...
>
> VeraCrypt 1.18 and its bootloaders were evaluated. This release included a number of new features including non-western developed encryption options, a boot loader that supports UEFI (modern BIOSes), and more.
>
> Quarkslab found:
> 8 Critical Vulnerabilities
> 3 Medium Vulnerabilities
> 15 Low or Informational Vulnerabilities / Concerns
>
> This public disclosure of these vulnerabilities coincides with the release of VeraCrypt 1.19, which fixes the vast majority of these high priority concerns. Some of these issues have not been fixed due to high complexity for the proposed fixes, but workarounds have been presented in the documentation for VeraCrypt.
Adding a little bit of cross check for those who bother:

$ ls -l
total 52004
-rw------- 1 justa justa     1523 Oct 19 10:50 README.TXT
-rw------- 1 justa justa      212 Oct 19 10:49 VeraCrypt_1.19_Bundle.7z.checksums
-rw------- 1 justa justa      543 Oct 19 10:49 VeraCrypt_1.19_Bundle.7z.sig
-rw------- 1 justa justa  9157326 Oct 19 10:48 VeraCrypt_1.19.dmg
-rw------- 1 justa justa      543 Oct 19 10:48 VeraCrypt_1.19.dmg.sig
-rw------- 1 justa justa 17120742 Oct 19 10:48 veracrypt-1.19-setup.tar.bz2
-rw------- 1 justa justa      543 Oct 19 10:48 veracrypt-1.19-setup.tar.bz2.sig
-rw------- 1 justa justa      661 Oct 19 10:50 veracrypt-1.19-sha256sum.txt
-rw------- 1 justa justa     1109 Oct 19 10:50 veracrypt-1.19-sha512sum.txt
-rw------- 1 justa justa 23219050 Oct 19 10:50 VeraCrypt_1.19_Source.tar.gz
-rw------- 1 justa justa      543 Oct 19 10:48 VeraCrypt_1.19_Source.tar.gz.sig
-rw------- 1 justa justa      543 Oct 19 10:48 VeraCrypt_1.19_Source.zip.sig
-rw------- 1 justa justa   630400 Oct 18 03:57 VeraCrypt-Audit-Final-for-Public-Release.pdf
-rw------- 1 justa justa   169417 Oct 19 10:49 VeraCrypt-DCS-EFI-LGPL_1.19_Source.zip
-rw------- 1 justa justa      543 Oct 19 10:49 VeraCrypt-DCS-EFI-LGPL_1.19_Source.zip.sig
-rw------- 1 justa justa      543 Oct 19 10:48 VeraCrypt Setup 1.19.exe.sig
-rw------- 1 justa justa  2896857 Oct 19 10:48 VeraCrypt User Guide.pdf
-rw------- 1 justa justa      543 Oct 19 10:48 VeraCrypt User Guide.pdf.sig

$ md5sum *
99da8fc540fae0631a449a5cd1007efd  README.TXT
7466e0be6bebb21a1993caa3f04b5a8e  VeraCrypt_1.19_Bundle.7z.checksums
9a0a7ee8864d6ca19c90885b5faf2985  VeraCrypt_1.19_Bundle.7z.sig
ac47f961951c723c1c936e13e088fdd7  VeraCrypt_1.19.dmg
5896ee728017626c627298a8c59ed0b9  VeraCrypt_1.19.dmg.sig
9323a12383de66d6ef411f94d73d6e59  veracrypt-1.19-setup.tar.bz2
23ded891d881fac6ad013c9f4e1d3690  veracrypt-1.19-setup.tar.bz2.sig
fdac6b381b148789f48dcfae0d3597f6  veracrypt-1.19-sha256sum.txt
14c99661d296494f316db9de4d3980a8  veracrypt-1.19-sha512sum.txt
7a68365eda0ee9b76348ffca58bc733c  VeraCrypt_1.19_Source.tar.gz
0a5e2b8861deb50637bde900a91a5805  VeraCrypt_1.19_Source.tar.gz.sig
d8efed8450f7fc5f1c1493284916666d  VeraCrypt_1.19_Source.zip.sig
53b6c13a8b3f9ae1ec39ac00e7cda517  VeraCrypt-Audit-Final-for-Public-Release.pdf
f6d4187d72c638dfab2135e41d083a2c  VeraCrypt-DCS-EFI-LGPL_1.19_Source.zip
021b0cf140a7c9f8b98b5877aaf5cd58  VeraCrypt-DCS-EFI-LGPL_1.19_Source.zip.sig
86bab71e9fb126c9d63b1ad42110fb03  VeraCrypt Setup 1.19.exe.sig
32c6a9357e56e0c824637b53e092abdc  VeraCrypt User Guide.pdf
7493ae50eee5d20940b9686560b62673  VeraCrypt User Guide.pdf.sig

$ sha256sum *
0c22381c1336ea19a3899ea8a7451fb287fa35b1203b764efa50bab03d92b255  README.TXT
087f739b0b3909d34af6e823b714dda05366124e84c3f0db4a8fb9deff2b0177  VeraCrypt_1.19_Bundle.7z.checksums
df3eac3d0ac01626c41cd93542c7a6e6f9c1cf249f5af8b12adeb51b3a2b46d6  VeraCrypt_1.19_Bundle.7z.sig
da098bba200d2cebb193bd699eef6dec7834c8eeb579ed40bcd21d45487e6ce7  VeraCrypt_1.19.dmg
2cfc96166e499dfa5a2b6cd1318430d1f7c48a465295e1a6e134baf5eb1e339a  VeraCrypt_1.19.dmg.sig
c76f13e1b78e56c8c0136481e502a2ec0da681fc2841b471856ef58b68c7cba7  veracrypt-1.19-setup.tar.bz2
57fdaef1e3b0f1ba6b4bdddb4e218d13375a613cd36d008f500771f0cd86e646  veracrypt-1.19-setup.tar.bz2.sig
04aea3d582e648ed5a3b8ee726214e6a7f435c37cf4d761403bd6023eb20a58a  veracrypt-1.19-sha256sum.txt
434a2bbaaf5ef26e3a0679cc7803af0fba67838aa74977e6acf9a377db188885  veracrypt-1.19-sha512sum.txt
db6016d91ef3acc6e566640a4580fae4013c8662c05e5deca502b1587fd03d84  VeraCrypt_1.19_Source.tar.gz
1e4ec3d63ad1df2d6b4405f6e4b967a3b2bd0c789dfb97093392a9ff1db643e1  VeraCrypt_1.19_Source.tar.gz.sig
6bd6623408694e7b1decea67fc64748e3ab66551c318702f00f508eb1a9b6e25  VeraCrypt_1.19_Source.zip.sig
a443424585d54b72564f390454510c73a5704d3d50fca8613e4ef1d6b61ba3c9  VeraCrypt-Audit-Final-for-Public-Release.pdf
3b1c39a6ba2a00051fd3a88030e7443b1bf67eb8a005864942c70cf1038b5de4  VeraCrypt-DCS-EFI-LGPL_1.19_Source.zip
fc47d4ceb6fb4f90b43cc5ae2c0acefebf9ea306b55e25823fa0bad32f64f949  VeraCrypt-DCS-EFI-LGPL_1.19_Source.zip.sig
b209fd4a6168bbfde59507392a3d091974e16b1b0859d91bdb2d62eeeb162937  VeraCrypt Setup 1.19.exe.sig
6d83219228ab080608c4815daf77a57f60b4d0d503d1efcbdcfa9b59b54ba6d1  VeraCrypt User Guide.pdf
40126ace7399addff401eaf4da3bda1392501514c565c43c73bb81d08904a12a  VeraCrypt User Guide.pdf.sig

(A little script flipping PS1, for ease of copypasta, is handy in these situations.)
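The cross check above is only as good as the comparison you do with it: `sha256sum -c` tells you whether each listed file matches, but stays silent about an extra binary dropped into the directory, and comparing the project's own `veracrypt-1.19-sha256sum.txt` against a list someone else posted is a separate step. The following is an added example (my code, not VeraCrypt's or anything from this thread) that does both: it parses coreutils-style `<hex>  <name>` manifests, names with spaces included, as `md5sum`/`sha256sum`/`sha512sum` emit them, verifies a directory against one, and diffs two independently obtained manifests. The file names and contents in `demo()` are constructed stand-ins, not the real 1.19 artifacts. Two caveats it cannot remove: a matching checksum proves only that you and the poster fetched the same bytes, not that those bytes are the developer's (that is what the `.sig` files and `gpg --verify` against a key obtained through an independent channel are for), and the `md5sum` list is there for completeness only, since MD5 collisions are practical and the SHA-256 list is the one to compare.

```python
"""Verify release files against checksum manifests and cross-check two manifests.

Added example. Parses the '<hex>  <name>' format written by md5sum, sha256sum
and sha512sum (GNU coreutils), picking the algorithm from the digest length.
"""
import hashlib
import os
import tempfile

# hex digest length -> hashlib name; anything else is treated as malformed
ALGO_BY_HEX_LEN = {32: "md5", 64: "sha256", 128: "sha512"}


def parse_sums(text):
    """Return {name: hexdigest}. Names may contain spaces ('VeraCrypt User Guide.pdf');
    a leading '*' (sha256sum -b binary marker) is stripped; blank, comment and
    malformed lines are skipped rather than guessed at; a manifest that lists
    the same name with two different digests is rejected outright."""
    sums = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts[0].lower(), parts[1].lstrip("*")
        if len(digest) not in ALGO_BY_HEX_LEN or any(c not in "0123456789abcdef" for c in digest):
            continue
        if name in sums and sums[name] != digest:
            raise ValueError("manifest contradicts itself for %s" % name)
        sums[name] = digest
    return sums


def digest_file(path, algo):
    """Stream the file through hashlib so multi-GB images do not land in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_dir(directory, manifest_text):
    """Like `sha256sum -c`, plus an 'unlisted' bucket for files on disk that the
    manifest never mentions, which plain -c would pass over in silence."""
    expected = parse_sums(manifest_text)
    result = {"ok": [], "bad": [], "missing": [], "unlisted": []}
    for name, digest in sorted(expected.items()):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            result["missing"].append(name)
            continue
        actual = digest_file(path, ALGO_BY_HEX_LEN[len(digest)])
        result["ok" if actual == digest else "bad"].append(name)
    for name in sorted(os.listdir(directory)):
        if name not in expected and os.path.isfile(os.path.join(directory, name)):
            result["unlisted"].append(name)
    return result


def compare_manifests(text_a, text_b):
    """Cross-check two independently obtained manifests for the same release.
    Returns (names whose digests disagree, names only in a, names only in b)."""
    a, b = parse_sums(text_a), parse_sums(text_b)
    disagree = sorted(n for n in a.keys() & b.keys() if a[n] != b[n])
    return disagree, sorted(a.keys() - b.keys()), sorted(b.keys() - a.keys())


def demo():
    """Constructed scenario, not real VeraCrypt files: a manifest is made, then one
    listed file is swapped on the mirror and an unlisted extra appears."""
    files = {
        "README.TXT": b"VeraCrypt 1.19 release notes (constructed sample)\n",
        "VeraCrypt User Guide.pdf": b"%PDF-1.4 constructed sample\n",
        "veracrypt-1.19-setup.tar.bz2": b"BZh9 constructed sample\n",
    }
    with tempfile.TemporaryDirectory() as d:
        for name, data in files.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        lines = ["%s  %s" % (digest_file(os.path.join(d, n), "sha256"), n) for n in files]
        manifest = "\n".join(lines) + "\n"
        with open(os.path.join(d, "veracrypt-1.19-setup.tar.bz2"), "wb") as f:
            f.write(b"BZh9 something else entirely\n")          # tampered after publication
        with open(os.path.join(d, "VeraCrypt_1.19.dmg"), "wb") as f:
            f.write(b"extra file nobody listed\n")               # unlisted extra
        check = verify_dir(d, manifest)
    # A second list as a third party might post it: identical except one entry.
    other = manifest.replace(lines[0].split()[0], "0" * 64, 1)
    return check, compare_manifests(manifest, other)


if __name__ == "__main__":
    check, cross = demo()
    print("verify:", check)
    print("cross-check (disagree, only_a, only_b):", cross)
```

`verify_dir` is the step to run against the project's `veracrypt-1.19-sha256sum.txt`; `compare_manifests` is the step to run between that file and a list like the one in this mail.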
https://ostif.org/the-veracrypt-audit-results/

We should take into account that almost all the critical vulnerabilities were found in the NEW implementation of encrypting the boot loader that supports UEFI (it was added a few months ago for the first time to support encryption for the new Bios type machines). It's still not mature at all.... so give it at least 6 more months to become stable.

*The bottom line of the audit (except the UEFI):* It means that the core code/90% of the features in VeraCrypt are absolutely strong and great, including encryption of Legacy Bios machines and creating separated encrypted volumes.
participants (4): grarpamp, oshwm, Zenaan Harkness, Александр