ring

macrumors regular
Original poster
Nov 17, 2011
If the website providing a download isn't secure, doesn't that mean the ISP can cache an evil FBI version of TrueCrypt? With the use of subpoenaed proxy caching?

How do you know you are getting a real version? Couldn't some corrupt powerful agency force your ISP to cache an evil version, or force them to intercept anybody's legitimate traffic, and replace it with a bad version (with a backdoor installed)? I use TrueCrypt for all my personal backups, financial documents, and school documents, and I don't want an insecure version "protecting" them.

- TrueCrypt doesn't use SSL, or any web encryption. How can we know that the download we are receiving doesn't have any backdoors (RIAA backdoors, MPAA backdoors, third-world-government backdoors, etc.)?

- They offer a .sig PGP verification, but I don't know how to use this...

Am I missing something?

> - TrueCrypt doesn't use SSL, or any web encryption. How can we know that the download we are receiving doesn't have any backdoors (RIAA backdoors, MPAA backdoors, government backdoors, etc.)?

You don't, and honestly it doesn't matter a single bit. If the FBI or RIAA wanted information "protected" by your TrueCrypt install, they would go and get it from another source (like your bank or ISP).
 
> You don't, and honestly it doesn't matter a single bit. If the FBI or RIAA wanted information "protected" by your TrueCrypt install, they would go and get it from another source (like your bank or ISP).

Well, if you download the necessary files from their website, you can do a PGP/GPG verification of the .DMG download (using the .sig file, and the TrueCrypt team's ASC public key).


Is this correct?
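
The check described in the last post (the .dmg, its detached .sig, and the team's .asc public key), written out with GnuPG as an added example that is not part of the original thread. The function name `verify_download` and its fourth argument, a key fingerprint confirmed through a second channel, are assumptions; the fingerprint is pinned because a key fetched over the same unencrypted connection as the download can be replaced along with it.

```shell
#!/bin/sh
# Added example: verify a detached signature against a pinned key fingerprint.
# verify_download FILE SIG PUBKEY EXPECTED_FPR
#   FILE          the downloaded installer (for example the .dmg)
#   SIG           the detached .sig published next to it
#   PUBKEY        the project's ASCII-armoured public key (.asc)
#   EXPECTED_FPR  full primary-key fingerprint, confirmed out of band (assumption)
verify_download() {
    [ $# -eq 4 ] || { echo "usage: verify_download FILE SIG PUBKEY FPR" >&2; return 2; }
    file=$1 sig=$2 pubkey=$3
    # Normalise the fingerprint: strip spaces, upper-case the hex digits.
    want=$(printf '%s' "$4" | tr -d ' ' | tr 'a-f' 'A-F')

    # Throwaway keyring, so only the key under test can satisfy the check.
    home=$(mktemp -d) || return 2
    if ! gpg --homedir "$home" --batch --quiet --import "$pubkey" 2>/dev/null; then
        rm -rf "$home"
        echo "FAIL: cannot import $pubkey" >&2
        return 1
    fi

    # --status-fd emits machine-readable lines; the human-readable text goes to stderr.
    status=$(gpg --homedir "$home" --batch --status-fd 1 \
                 --verify "$sig" "$file" 2>/dev/null) || true
    rm -rf "$home"

    # GOODSIG is replaced by EXPKEYSIG/REVKEYSIG for expired or revoked keys.
    # The last field of VALIDSIG is the signer's primary-key fingerprint.
    if printf '%s\n' "$status" | awk -v fpr="$want" '
            $2 == "GOODSIG" { good = 1 }
            $2 == "VALIDSIG" && $NF == fpr { pinned = 1 }
            END { exit !(good && pinned) }'
    then
        echo "OK: $file carries a good signature from $want"
        return 0
    fi
    echo "FAIL: no good signature from $want on $file" >&2
    return 1
}
```

A substituted key still produces a good signature in `gpg --verify`, which is why the function fails unless the signer's fingerprint equals the pinned one.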
 