Google Develops OpenSSL Fork ‘BoringSSL’

Google is developing its own version of OpenSSL, tentatively dubbed BoringSSL.

For years, Google has been maintaining its own patches on top of OpenSSL for use in its products. But as Android, Chrome and other Google technologies have each come to need a different subset of these patches, “things have grown very complex,” Google’s Adam Langley wrote in a blog post, adding that while some of these patches have been accepted into the main OpenSSL repository, others have not.

“The effort involved in keeping all these patches (and there are more than 70 at the moment) straight across multiple code bases is getting to be too much,” he blogged. “So we’re switching models to one where we import changes from OpenSSL rather than rebasing on top of them. The result of that will start to appear in the Chromium repository soon and, over time, we hope to use it in Android and internally too.”

“There are no guarantees of API or ABI stability with this code: we are not aiming to replace OpenSSL as an open-source project,” he added. “We will still be sending them bug fixes when we find them and we will be importing changes from upstream. Also, we will still be funding the Core Infrastructure Initiative and the OpenBSD Foundation.”

Kyle Kennedy, CTO at STEALTHbits Technologies, said that he appreciated what Google is attempting to accomplish, but argued that the development of OpenSSL forks can present an even larger challenge.

“OpenSSL needs to stay as one code base with a community of independent and enterprise backed developers working as one to allow the code base to be inspected as one code base,” he said. “I personally would rather see Google and the Core Infrastructure Initiative follow the spirit behind the open-source community and lend their expertise to cleaning up the issues with OpenSSL – make OpenSSL the real BoringSSL by fixing the original as opposed to creating yet another spin-off.”

Meanwhile, Theo de Raadt – founder of the OpenBSD Project, which is supporting the development of another OpenSSL fork known as LibreSSL – expressed excitement about the news. LibreSSL was forked from OpenSSL in April, after the Heartbleed vulnerability became public knowledge.

“I suspect everyone working on LibreSSL is happy to hear the news about BoringSSL,” he stated in a post on the OpenBSD mailing list. “Choice is good! Their priority is on safety, not on ABI compatibility. Just like us. Over time, I suspect Google’s version will also become ‘reduced API’, since they require less legacy application support. That may give LibreSSL the opportunity to head in the same direction, if the applications are willing.”

According to Langley, Google will be able to import changes from LibreSSL, and the LibreSSL developers will be welcome to take changes from BoringSSL as well.

“We have already relicensed some of our prior contributions to OpenSSL under an ISC license at their request and completely new code that we write will also be so licensed,” he blogged.
