Menu
Google develops own 'boring' version of OpenSSL

Google develops own 'boring' version of OpenSSL

A Google engineer wrote the project isn't designed to replace OpenSSL

Google is developing its own version of OpenSSL that will be more appropriate for its own software products, which have been using the critical encryption component for years with customized patches.

The project, tentatively dubbed "BoringSSL," isn't designed to replace OpenSSL, wrote Adam Langley, a Google software engineer, on his personal blog. Google will contribute its changes to the OpenSSL open-source project and use bug fixes from that team, he wrote.

OpenSSL is widely used software code that encrypts content between a client and a server. OpenSSL's code is undergoing a close examination after a vulnerability nicknamed "Heartbleed" was disclosed on April 7 that could potentially allow hackers to steal data or compromise the encrypted connection.

Google has developed its own patches for OpenSSL, but those patches weren't always compatible with APIs (application programming interfaces) and ABIs (application binary interfaces), Langely wrote.

Products such as Android and Chrome have needed subsets of those patches, and now there are as many as 70 patches across multiple code bases which has become too complex, Langley wrote.

"So we're switching models to one where we import changes from OpenSSL rather than rebasing on top of them," he wrote. "The result of that will start to appear in the Chromium repository soon and, over time, we hope to use it in Android and internally too."

Google's version of OpenSSL still won't necessarily support the APIs and ABIs in OpenSSL, he wrote.

The company will also incorporate code changes from LibreSSL, a fork of OpenSSL started after the Heartbleed by some developers dissatisfied with OpenSSL. LibreSSL has undertaken a large project examining OpenSSL's code for flaws and making improvements.

Concern was raised following the Heartbleed flaw about the dependence of many operating systems and software products on OpenSSL and the relative little funding behind the project. Since then, major technology companies launched the Core Infrastructure Initiative, which is aimed at shoring up underfunded open-source projects and employing full-time developers.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk


Follow Us

Join the newsletter!

Or
Error: Please check your email address.

Tags securityGooglesoftwaredata protectionencryption

Featured

Slideshows

Bumper channel crowd kicks off first After Hours of 2018

Bumper channel crowd kicks off first After Hours of 2018

After Hours made a welcome return to the channel social calendar with a bumper crowd of partners, distributors and vendors descending on The Jefferson in Auckland to kick-start 2018. Photos by Gino Demeer.

Bumper channel crowd kicks off first After Hours of 2018
Looking back at the top 15 M&A deals in NZ during 2017

Looking back at the top 15 M&A deals in NZ during 2017

In 2017, merger and acquisitions fever reached new heights in New Zealand, with a host of big name deals dominating the headlines. Reseller News recaps the most important transactions of the Kiwi channel during the past 12 months.

Looking back at the top 15 M&A deals in NZ during 2017
Kiwi channel closes 2017 with After Hours

Kiwi channel closes 2017 with After Hours

The channel in New Zealand came together to celebrate the close of 2017, as the final After Hours played out in front of a bumper Auckland crowd.

Kiwi channel closes 2017 with After Hours
Show Comments