SecurityWeek

Google Develops OpenSSL Fork ‘BoringSSL’

Google is developing its own version of OpenSSL, tentatively dubbed BoringSSL.

For years, Google has been building patches on OpenSSL for use in its products. But as Android, Chrome and other Google technologies have begun to need some subset of these patches, “things have grown very complex,” blogged Google’s Adam Langley, adding that while some of these patches have been accepted into the main OpenSSL repository, others have not.

“The effort involved in keeping all these patches (and there are more than 70 at the moment) straight across multiple code bases is getting to be too much,” he blogged. “So we’re switching models to one where we import changes from OpenSSL rather than rebasing on top of them. The result of that will start to appear in the Chromium repository soon and, over time, we hope to use it in Android and internally too.”

“There are no guarantees of API or ABI stability with this code: we are not aiming to replace OpenSSL as an open-source project,” he added. “We will still be sending them bug fixes when we find them and we will be importing changes from upstream. Also, we will still be funding the Core Infrastructure Initiative and the OpenBSD Foundation.”

Kyle Kennedy, CTO at STEALTHbits Technologies, said that he appreciated what Google is attempting to accomplish, but argued that the development of OpenSSL forks can present an even larger challenge.

“OpenSSL needs to stay as one code base with a community of independent and enterprise backed developers working as one to allow the code base to be inspected as one code base,” he said. “I personally would rather see Google and the Core Infrastructure Initiative follow the spirit behind the open-source community and lend their expertise to cleaning up the issues with OpenSSL – make OpenSSL the real BoringSSL by fixing the original as opposed to creating yet another spin-off.”

Meanwhile, Theo de Raadt – founder of the OpenBSD Project, which is supporting the development of another OpenSSL fork known as LibreSSL – expressed excitement about the news. LibreSSL was forked from OpenSSL in April, after the Heartbleed vulnerability became public knowledge.

“I suspect everyone working on LibreSSL is happy to hear the news about BoringSSL,” he stated in a post on the OpenBSD mailing list. “Choice is good! Their priority is on safety, not on ABI compatibility. Just like us. Over time, I suspect Google’s version will also become ‘reduced API’, since they require less legacy application support. That may give LibreSSL the opportunity to head in the same direction, if the applications are willing.”

According to Langley, Google will be able to import changes from LibreSSL, and they will be welcome to take changes from BoringSSL as well.

“We have already relicensed some of our prior contributions to OpenSSL under an ISC license at their request and completely new code that we write will also be so licensed,” he blogged.
