Google is developing its own version of OpenSSL, tentatively dubbed BoringSSL.
For years, Google has been maintaining its own set of patches on top of OpenSSL for use in its products. But as Android, Chrome and other Google technologies have each come to need a different subset of those patches, “things have grown very complex,” blogged Google’s Adam Langley, adding that while some of the patches have been accepted into the main OpenSSL repository, others have not.
“The effort involved in keeping all these patches (and there are more than 70 at the moment) straight across multiple code bases is getting to be too much,” he blogged. “So we’re switching models to one where we import changes from OpenSSL rather than rebasing on top of them. The result of that will start to appear in the Chromium repository soon and, over time, we hope to use it in Android and internally too.”
“There are no guarantees of API or ABI stability with this code: we are not aiming to replace OpenSSL as an open-source project,” he added. “We will still be sending them bug fixes when we find them and we will be importing changes from upstream. Also, we will still be funding the Core Infrastructure Initiative and the OpenBSD Foundation.”
Kyle Kennedy, CTO at STEALTHbits Technologies, said that he appreciated what Google is attempting to accomplish, but argued that the development of OpenSSL forks can present an even larger challenge.
“OpenSSL needs to stay as one code base with a community of independent and enterprise backed developers working as one to allow the code base to be inspected as one code base,” he said. “I personally would rather see Google and the Core Infrastructure Initiative follow the spirit behind the open-source community and lend their expertise to cleaning up the issues with OpenSSL – make OpenSSL the real BoringSSL by fixing the original as opposed to creating yet another spin-off.”
Meanwhile, Theo de Raadt – founder of the OpenBSD Project, which is supporting the development of another OpenSSL fork known as LibReSSL – expressed excitement about the news. LibReSSL was forked from OpenSSL in April, after the Heartbleed vulnerability became public knowledge.
“I suspect everyone working on LibReSSL is happy to hear the news about BoringSSL,” he stated in a post on the OpenBSD mailing list. “Choice is good! Their priority is on safety, not on ABI compatibility. Just like us. Over time, I suspect Google’s version will also become ‘reduced API’, since they require less legacy application support. That may give LibReSSL the opportunity to head in the same direction, if the applications are willing.”
According to Langley, Google will be able to import changes from LibReSSL, and they will be welcome to take changes from BoringSSL as well.
“We have already relicensed some of our prior contributions to OpenSSL under an ISC license at their request and completely new code that we write will also be so licensed,” he blogged.
More from Brian Prince