Saturday, June 21, 2014

BoringSSL: Another Flavor Of OpenSSL

The open source encryption library OpenSSL, which several social networks, search engines, banks and other websites use to secure connections while transmitting data, came to everybody's attention following the Heartbleed vulnerability, a critical bug in OpenSSL's implementation of the TLS/DTLS heartbeat extension that allows attackers to read portions of the affected server's memory, potentially revealing users' data that the server never intended to disclose.
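The heartbeat bug described above comes down to a missing length check: the peer's claimed payload length was trusted and that many bytes were copied out of memory, no matter how many bytes the record actually carried. The following is an added example, written for this page and not code from OpenSSL or BoringSSL, of a minimal heartbeat message parser that performs the check. The message layout follows RFC 6520 (1-byte type, 2-byte big-endian payload length, payload, at least 16 bytes of padding); the function names and the two sample messages are constructed for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat message body, RFC 6520 section 4:
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes)
 * The hardened parser below refuses any message whose claimed payload length
 * does not fit inside the bytes that were actually received. */
#define HB_HEADER_LEN  3
#define HB_MIN_PADDING 16
#define HB_REQUEST     1
#define HB_RESPONSE    2

/* Returns the number of payload bytes that may safely be echoed back, or -1 if
 * the message is malformed. record_len is the real number of bytes received. */
int heartbeat_payload_len(const uint8_t *record, size_t record_len)
{
    if (record_len < HB_HEADER_LEN + HB_MIN_PADDING)  /* too short for any valid message */
        return -1;
    if (record[0] != HB_REQUEST)
        return -1;
    size_t claimed = ((size_t)record[1] << 8) | record[2];
    /* The bounds check the vulnerable code lacked: claimed payload plus the
     * mandatory padding must fit inside what actually arrived. RFC 6520 says a
     * message whose payload_length is too large MUST be discarded silently. */
    if (HB_HEADER_LEN + claimed + HB_MIN_PADDING > record_len)
        return -1;
    return (int)claimed;
}

/* Builds a heartbeat response into out (capacity out_cap) by echoing only the
 * validated payload. Returns bytes written, or -1 if the request is rejected. */
int heartbeat_respond(const uint8_t *record, size_t record_len,
                      uint8_t *out, size_t out_cap)
{
    int n = heartbeat_payload_len(record, record_len);
    if (n < 0)
        return -1;
    size_t total = HB_HEADER_LEN + (size_t)n + HB_MIN_PADDING;
    if (total > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(n >> 8);
    out[2] = (uint8_t)n;
    memcpy(out + HB_HEADER_LEN, record + HB_HEADER_LEN, (size_t)n);
    /* Padding content is ignored by the receiver; zero it rather than leaking
     * whatever happened to be in the output buffer. */
    memset(out + HB_HEADER_LEN + n, 0, HB_MIN_PADDING);
    return (int)total;
}

/* Constructed sample messages (not captured traffic). */
static const uint8_t good_request[] = { HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };   /* 3 + 4 + 16 = 23 bytes */
static const uint8_t bad_request[]  = { HB_REQUEST, 0xFF, 0xFF, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };   /* claims 65535 bytes, carries 4 */

int main(void)
{
    uint8_t out[64];
    int n = heartbeat_respond(good_request, sizeof good_request, out, sizeof out);
    printf("well-formed request: response of %d bytes\n", n);
    n = heartbeat_respond(bad_request, sizeof bad_request, out, sizeof out);
    printf("oversized claimed length: %s\n", n < 0 ? "rejected" : "accepted");
    return 0;
}
```

The second sample claims a 65535-byte payload while carrying four bytes; the parser rejects it instead of reading past the record, which is exactly the case the original code failed to handle.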
Now Google, the biggest Internet giant, is launching its own fork of OpenSSL, dubbed BoringSSL, built from the company's independent work on the code.
"We have used a number of patches on top of OpenSSL for many years," Adam Langley, a cryptography engineer and Google employee, wrote in a blog post introducing BoringSSL. "Some of them have been accepted into the main OpenSSL repository, but many of them don't mesh with OpenSSL's guarantee of API and ABI stability and many of them are a little too experimental."
So, from now on, websites have three separate versions of OpenSSL to choose from when implementing the Secure Sockets Layer and Transport Layer Security protocols that secure connections while transmitting data.
Until now, Google has used its own modified version of OpenSSL in products such as Chrome and Android, a version that has been substantially rewritten and audited for potential security vulnerabilities.

Now, in an effort to consolidate its code into a single, consistent library and to manage its large number of in-house patches, Google is releasing BoringSSL so that it can be distributed easily across many of its independent projects.
"But we’ll also be more able to import changes from LibreSSL and they are welcome to take changes from us," said Langley. "We have already relicensed some of our prior contributions to OpenSSL under an ISC license at their request and completely new code that we write will also be so licensed."
A few weeks after the Heartbleed scare, the developers of the OpenBSD operating system, led by Theo de Raadt, took the initiative and announced LibreSSL as a new project. The OpenBSD project aims to provide a more trustworthy platform.
Alongside its own fork of OpenSSL, Google will continue to contribute to the OpenBSD Foundation and the Core Infrastructure Initiative, which provides at least $100,000 a year for at least three years in funding to OpenSSL developers so that they can improve OpenSSL's badly written code base.
According to the blog post, BoringSSL strips out a number of Application Programming Interfaces (APIs) and Application Binary Interfaces (ABIs), and much of its current code will be changed so that it is more readable and easier to maintain.
"There are no guarantees of API or ABI stability with this code: we are not aiming to replace OpenSSL as an open-source project," he wrote. "We will still be sending them bug fixes when we find them and we will be importing changes from upstream. Also, we will still be funding the Core Infrastructure Initiative and the OpenBSD Foundation."
This is a good initiative by Google to build a strong community, putting in enough initial effort to get the ball rolling.
"We know you all want this tomorrow," the project's homepage states. "We are working as fast as we can but our primary focus is good software that we trust to run ourselves. We don't want to break your heart."
