OpenSSL forked into LibreSSL

April 23, 2014 // 9:42 a.m.

Tags: #heartbleed #insecurity #libressl #openbsd #open-source #openssl #security #ssl #tls #vulnerability

The OpenBSD project has announced the inevitable outcome of its recent deep-dive into the OpenSSL source code: a full fork of the project, dubbed LibreSSL, to feature a significantly improved codebase.

The OpenSSL cryptographic library made unfortunate headlines earlier this month due to the Heartbleed vulnerability, a nasty bug caused by incautious coding that allowed an attacker to steal memory contents - including, but not limited to, usernames, passwords, and even the entire private key - from any server using the software. With an estimated two-thirds of all webservers using OpenSSL for encryption, that's a significant target base - and the attack, before it became known to the public, left no trace on the host machine.

OpenSSL is an open source project, meaning anyone can download, examine and modify the source code that drives it. In theory, fans of the open methodology claim, this leads to improved code quality and security - the 'many-eyes' theory. In practice, it appears, when an open source project reaches a certain size, individual contributors can become the sole controller of particular sub-sections - with the result that their code goes unchecked by their peers.

OpenBSD is, as the name suggests, an open-source port of the BSD operating system. Designed for maximum security, the project was hit by the Heartbleed bug and vowed to examine the OpenSSL source code more closely in the future. The result has been the exposure of numerous terrifying kludges and bugs in the code - which, it must be remembered, still drives two-thirds of the web - in what has been dubbed the OpenSSL Valhalla Rampage. Having found everything from 'temporary' compatibility code reaching back more than a decade to a kludge which uses the server's private key as entropy for the random number generator - potentially exposing the entire private key to any plug-in RNG used on the system, a major security hole - the OpenBSD researchers have reached a conclusion: OpenSSL can't be trusted.

The result: LibreSSL, a fork of OpenSSL which benefits from the changes made by the OpenBSD project. Announced on a particularly spartan website - 'donate now to stop the Comic Sans and Blink Tags,' its creators exhort visitors - the LibreSSL project will become the default cryptographic library for the OpenBSD 5.6 release. Initially, that will be the only supported operating system; once the codebase has been cleaned of extant bugs and rewritten to improve maintainability, and a source of funding has been secured, LibreSSL will be extended to additional operating systems.

Whether LibreSSL will improve security overall or simply divert resources that could be better used improving the cross-platform OpenSSL directly remains to be seen.