Google develops a 'boring' version of OpenSSL
A Google engineer says project isn't designed to replace OpenSSL
IDG News Service - Google is developing its own version of OpenSSL that will be more appropriate for its own software products, which have been using the critical encryption component for years with customized patches.
The project, tentatively dubbed "BoringSSL," isn't designed to replace OpenSSL, wrote Adam Langley, a Google software engineer, on his personal blog. Google will contribute its changes to the OpenSSL open-source project and use bug fixes from that team, he wrote.
OpenSSL is widely used software code that encrypts content between a client and a server. OpenSSL's code is undergoing close examination after the April 7 disclosure of a vulnerability nicknamed "Heartbleed" that could potentially allow hackers to steal data or compromise the encrypted connection.
Google has developed its own patches for OpenSSL, but those patches weren't always compatible with APIs (application programming interfaces) and ABIs (application binary interfaces), Langley wrote.
Products such as Android and Chrome have needed subsets of those patches, and now there are as many as 70 patches across multiple code bases, which has become too complex, Langley wrote.
"So we're switching models to one where we import changes from OpenSSL rather than rebasing on top of them," he wrote. "The result of that will start to appear in the Chromium repository soon and, over time, we hope to use it in Android and internally too."
Google's version of OpenSSL still won't necessarily support the APIs and ABIs in OpenSSL, he wrote.
The company will also incorporate code changes from LibreSSL, a fork of OpenSSL started after Heartbleed by some developers dissatisfied with OpenSSL. LibreSSL has undertaken a large project examining OpenSSL's code for flaws and making improvements.
Concern was raised following the Heartbleed flaw about the dependence of many operating systems and software products on OpenSSL and the relatively little funding behind the project. Since then, major technology companies launched the Core Infrastructure Initiative, which is aimed at shoring up underfunded open-source projects and employing full-time developers.
Send news tips and comments to firstname.lastname@example.org. Follow me on Twitter: @jeremy_kirk