Google Develops OpenSSL Fork 'BoringSSL'

Google is developing its own version of OpenSSL, tentatively dubbed BoringSSL.

For years, Google has maintained a set of patches on top of OpenSSL for use in its products. But as Android, Chrome and other Google technologies have each come to need some subset of those patches, "things have grown very complex," blogged Google's Adam Langley, adding that while some of the patches have been accepted into the main OpenSSL repository, others have not.

"The effort involved in keeping all these patches (and there are more than 70 at the moment) straight across multiple code bases is getting to be too much," he blogged. "So we’re switching models to one where we import changes from OpenSSL rather than rebasing on top of them. The result of that will start to appear in the Chromium repository soon and, over time, we hope to use it in Android and internally too."

"There are no guarantees of API or ABI stability with this code: we are not aiming to replace OpenSSL as an open-source project," he added. "We will still be sending them bug fixes when we find them and we will be importing changes from upstream. Also, we will still be funding the Core Infrastructure Initiative and the OpenBSD Foundation."

Kyle Kennedy, CTO at STEALTHbits Technologies, said that he appreciated what Google is attempting to accomplish, but argued that the development of OpenSSL forks can present an even larger challenge.

"OpenSSL needs to stay as one code base with a community of independent and enterprise backed developers working as one to allow the code base to be inspected as one code base," he said. "I personally would rather see Google and the Core Infrastructure Initiative follow the spirit behind the open-source community and lend their expertise to cleaning up the issues with OpenSSL – make OpenSSL the real BoringSSL by fixing the original as opposed to creating yet another spin-off."

Meanwhile, Theo de Raadt - founder of the OpenBSD Project, which is supporting the development of another OpenSSL fork known as LibReSSL - expressed excitement about the news. LibReSSL was forked from OpenSSL in April 2014, after the Heartbleed vulnerability became public knowledge.

"I suspect everyone working on LibReSSL is happy to hear the news about BoringSSL," he stated in a post on the OpenBSD mailing list. "Choice is good! Their priority is on safety, not on ABI compatibility. Just like us. Over time, I suspect Google's version will also become 'reduced API', since they require less legacy application support. That may give LibReSSL the opportunity to head in the same direction, if the applications are willing."

According to Langley, Google will be able to import changes from LibReSSL, and the LibReSSL developers will be welcome to take changes from BoringSSL as well.

"We have already relicensed some of our prior contributions to OpenSSL under an ISC license at their request and completely new code that we write will also be so licensed," he blogged.