Menu
Google develops own 'boring' version of OpenSSL

Google develops own 'boring' version of OpenSSL

A Google engineer wrote the project isn't designed to replace OpenSSL

Google is developing its own version of OpenSSL that will be more appropriate for its own software products, which have been using the critical encryption component for years with customized patches.

The project, tentatively dubbed "BoringSSL," isn't designed to replace OpenSSL, wrote Adam Langley, a Google software engineer, on his personal blog. Google will contribute its changes to the OpenSSL open-source project and use bug fixes from that team, he wrote.

OpenSSL is widely used software code that encrypts content between a client and a server. OpenSSL's code is undergoing a close examination after a vulnerability nicknamed "Heartbleed" was disclosed on April 7 that could potentially allow hackers to steal data or compromise the encrypted connection.

Google has developed its own patches for OpenSSL, but those patches weren't always compatible with APIs (application programming interfaces) and ABIs (application binary interfaces), Langely wrote.

Products such as Android and Chrome have needed subsets of those patches, and now there are as many as 70 patches across multiple code bases which has become too complex, Langley wrote.

"So we're switching models to one where we import changes from OpenSSL rather than rebasing on top of them," he wrote. "The result of that will start to appear in the Chromium repository soon and, over time, we hope to use it in Android and internally too."

Google's version of OpenSSL still won't necessarily support the APIs and ABIs in OpenSSL, he wrote.

The company will also incorporate code changes from LibreSSL, a fork of OpenSSL started after the Heartbleed by some developers dissatisfied with OpenSSL. LibreSSL has undertaken a large project examining OpenSSL's code for flaws and making improvements.

Concern was raised following the Heartbleed flaw about the dependence of many operating systems and software products on OpenSSL and the relative little funding behind the project. Since then, major technology companies launched the Core Infrastructure Initiative, which is aimed at shoring up underfunded open-source projects and employing full-time developers.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Tags Googlesecuritysoftwareencryptiondata protection

Slideshows

Meet the leading HP partners in New Zealand...

Meet the leading HP partners in New Zealand...

HP has recognised its top performing partners in New Zealand at the second annual 2016 HP Partner Awards, held at a glittering bash in Auckland. The HP Partner Awards recognises and celebrates excellence, growth, consistency and engagement of its top partners. This year also saw the addition of several new categories, resulting in 11 companies winning across 11 award categories.

Meet the leading HP partners in New Zealand...
Channel comes together as Ingram Micro Showcase hits Auckland

Channel comes together as Ingram Micro Showcase hits Auckland

Ingram Micro outlined its core focuses for 2017 at Showcase in Auckland, bringing together the channel for a day of engaging keynotes, compelling breakout sessions and new technologies.

Channel comes together as Ingram Micro Showcase hits Auckland
Show Comments