Google develops own 'boring' version of OpenSSL
A Google engineer wrote the project isn't designed to replace OpenSSL
By Jeremy Kirk | Published: 01:48, 23 June 2014
Google is developing its own version of OpenSSL that will be more appropriate for its own software products, which have been using the critical encryption component for years with customized patches.
The project, tentatively dubbed "BoringSSL," isn't designed to replace OpenSSL, wrote Adam Langley, a Google software engineer, on his personal blog. Google will contribute its changes to the OpenSSL open-source project and use bug fixes from that team, he wrote.
OpenSSL is widely used software code that encrypts content between a client and a server. OpenSSL's code is undergoing a close examination after a vulnerability nicknamed "Heartbleed" was disclosed on April 7 that could potentially allow hackers to steal data or compromise the encrypted connection.
Google has developed its own patches for OpenSSL, but those patches weren't always compatible with APIs (application programming interfaces) and ABIs (application binary interfaces), Langley wrote.
Products such as Android and Chrome have needed subsets of those patches, and now there are as many as 70 patches across multiple code bases, which has become too complex, Langley wrote.
"So we're switching models to one where we import changes from OpenSSL rather than rebasing on top of them," he wrote. "The result of that will start to appear in the Chromium repository soon and, over time, we hope to use it in Android and internally too."
Google's version of OpenSSL still won't necessarily support the APIs and ABIs in OpenSSL, he wrote.
The company will also incorporate code changes from LibreSSL, a fork of OpenSSL started after Heartbleed by some developers dissatisfied with OpenSSL. LibreSSL has undertaken a large project examining OpenSSL's code for flaws and making improvements.
Concern was raised following the Heartbleed flaw about the dependence of many operating systems and software products on OpenSSL and the relatively little funding behind the project. Since then, major technology companies launched the Core Infrastructure Initiative, which is aimed at shoring up underfunded open-source projects and employing full-time developers.