BoringSSL: Another Flavor of OpenSSL
The open source encryption library OpenSSL, used by social networks, search engines, banks and many other websites to secure connections while transmitting data, came to everybody's attention following Heartbleed, a critical bug in OpenSSL's implementation of the TLS/DTLS heartbeat extension. The bug allowed attackers to read portions of an affected server's memory, potentially revealing user data that the server never intended to disclose.
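The bug class behind Heartbleed is a length field trusted without checking it against the data actually received. As an added illustration (not code from the article, from OpenSSL or from BoringSSL), the following simplified C parser handles the heartbeat message layout defined in RFC 6520 and applies the bounds check whose absence made the memory over-read possible: the peer's declared payload length is validated against the record length before a single byte is copied. The two sample records are constructed for this example, and the real library's record buffering differs from this flat-buffer model.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout of a TLS HeartbeatMessage (RFC 6520):
 *   uint8  type            (1 = request, 2 = response)
 *   uint16 payload_length  (big-endian)
 *   opaque payload[payload_length]
 *   opaque padding[>= 16]
 */
#define HB_HEADER_LEN  3
#define HB_MIN_PADDING 16

/* Parse a heartbeat record of rec_len received bytes and copy its payload
 * into out. Returns the payload length on success, or -1 if the declared
 * payload_length does not fit inside the bytes that actually arrived. */
int parse_heartbeat(const uint8_t *rec, size_t rec_len,
                    uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING)
        return -1;                 /* too short for a header plus padding */

    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];

    /* This is the check that matters: the sender's claimed length must be
     * bounded by the record we actually hold, otherwise the memcpy below
     * would read whatever happens to sit past the end of the record. */
    if (HB_HEADER_LEN + payload_len + HB_MIN_PADDING > rec_len)
        return -1;

    if (payload_len > out_cap)
        return -1;                 /* caller's buffer is too small */

    memcpy(out, rec + HB_HEADER_LEN, payload_len);
    return (int)payload_len;
}

/* Constructed sample: an honest request carrying the 2-byte payload "hi"
 * followed by the minimum 16 bytes of padding. */
static const uint8_t honest_record[] = {
    0x01, 0x00, 0x02, 'h', 'i',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};

/* Constructed sample: identical bytes on the wire, but the length field
 * claims a 65535-byte payload that was never sent. */
static const uint8_t oversized_record[] = {
    0x01, 0xFF, 0xFF, 'h', 'i',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};

/* Returns 2: the honest record parses and yields its two payload bytes. */
int demo_honest(void)
{
    uint8_t out[64];
    return parse_heartbeat(honest_record, sizeof honest_record, out, sizeof out);
}

/* Returns -1: the oversized claim is rejected before any copy happens. */
int demo_oversized(void)
{
    uint8_t out[64];
    return parse_heartbeat(oversized_record, sizeof oversized_record, out, sizeof out);
}

int main(void)
{
    printf("honest record: %d, oversized record: %d\n",
           demo_honest(), demo_oversized());
    return 0;
}
```

The point of the example is the order of operations: the declared length is compared with `rec_len` first, and the copy only runs once that comparison passes. A parser that copies `payload_len` bytes without that comparison behaves correctly on the honest record and leaks memory on the second one, which is why the two inputs look the same apart from the length field.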
Now Google is launching its own fork of OpenSSL, dubbed BoringSSL, built from the company's independent work on the code.
"We have used a number of patches on top of OpenSSL for many years," Adam Langley, a cryptography engineer and Google employee, wrote in a blog post introducing BoringSSL. "Some of them have been accepted into the main OpenSSL repository, but many of them don't mesh with OpenSSL's guarantee of API and ABI stability and many of them are a little too experimental."
So websites now have three separate versions of OpenSSL to choose from (OpenSSL itself, LibreSSL and BoringSSL) when implementing the Secure Sockets Layer and Transport Layer Security protocols to secure connections while transmitting data.
Until now, Google has used its own modified version of OpenSSL in products such as Chrome and Android, a version that has been substantially rewritten and audited for potential security vulnerabilities.
Now, to consolidate that code into a single consistent library and to manage its large set of in-house patches, Google is releasing BoringSSL, which can be shared easily across its many independent projects.
"But we'll also be more able to import changes from LibreSSL and they are welcome to take changes from us," said Langley. "We have already relicensed some of our prior contributions to OpenSSL under an ISC license at their request and completely new code that we write will also be so licensed."
A few weeks after the Heartbleed scare, the developers of the OpenBSD operating system, led by Theo de Raadt, took the initiative and announced LibreSSL as a new project. The OpenBSD project aims to provide a more trustworthy platform.
Alongside its own fork of OpenSSL, Google will continue to contribute to the OpenBSD Foundation and to the Core Infrastructure Initiative, which provides at least $100,000 a year for at least three years in funding to OpenSSL developers so that they can improve OpenSSL's poorly written code base.
According to the blog post, BoringSSL strips out a number of application programming interfaces (APIs) and application binary interfaces (ABIs), and much of its current code will be changed so that it is more readable and easier to maintain.
"There are no guarantees of API or ABI stability with this code: we are not aiming to replace OpenSSL as an open-source project," he wrote. "We will still be sending them bug fixes when we find them and we will be importing changes from upstream. Also, we will still be funding the Core Infrastructure Initiative and the OpenBSD Foundation."
This is a good initiative on Google's part: by putting in enough initial effort to get the ball rolling, it stands to build a strong community around the project.
"We know you all want this tomorrow," the project's homepage states. "We are working as fast as we can but our primary focus is good software that we trust to run ourselves. We don't want to break your heart."