bit-tech.net

Google forks OpenSSL into BoringSSL


Google has opted to create its own OpenSSL variant, dubbed BoringSSL, joining OpenBSD's LibreSSL in a vote of no confidence in the project's master branch.

Following the discovery of numerous security vulnerabilities in its code, the OpenSSL cryptographic library has been forked yet again - this time as Google's BoringSSL.

The open-source OpenSSL project was one that, for many, had flown under the radar for years. Typically used to encrypt and decrypt data sent over public networks like the internet, the first time many non-technical types heard of the package was when news broke of the Heartbleed vulnerability. The result of a missing bounds check in OpenSSL's implementation of the TLS heartbeat extension, Heartbleed allowed attackers to read up to 64KB of a server's memory per request - including, it transpired, the private keys used to decrypt data sent to the server.
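As an added illustration of the defect the article describes (this is not OpenSSL's code and not part of the original article), the handler below is written in the shape of the heartbeat bug: one version trusts the 16-bit payload length the peer claims and copies that many bytes into its reply, the other checks the claimed length against the record that actually arrived and discards the request when it does not fit, which is what the fix did. The record bytes and the "secret" placed next to them in memory are constructed for the example so the over-read stays inside one array and the result is deterministic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_PADDING = 16 };

typedef int (*hb_handler)(const unsigned char *rec, size_t record_len,
                          unsigned char *out, size_t out_cap);

/* Constructed arena (not a real capture): a 20-byte heartbeat request whose
 * length field claims a 32-byte payload but carries only one byte, followed by
 * unrelated data that happens to sit next to it in memory. On a real server the
 * bytes beyond the record would be whatever lay past the record buffer. */
#define RECORD_LEN 20            /* 1 type + 2 length + 1 payload + 16 padding */
static const unsigned char arena[] = {
    HB_REQUEST,
    0x00, 0x20,                  /* claimed payload_length = 32 */
    'A',                         /* the only real payload byte */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,   /* 16 bytes of padding */
    '-', '-', '-', '-', 'B', 'E', 'G', 'I', 'N', ' ', 'R', 'S', 'A', ' ', 'K', 'E', 'Y', 0
};

/* A well-formed request for comparison: claimed length matches the payload. */
static const unsigned char good_record[RECORD_LEN] = {
    HB_REQUEST, 0x00, 0x01, 'A',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};

/* Shared reply builder: echoes payload_len bytes back, then padding. */
static int build_response(const unsigned char *payload, uint16_t payload_len,
                          unsigned char *out, size_t out_cap)
{
    size_t resp_len = 1 + 2 + (size_t)payload_len + HB_PADDING;
    if (resp_len > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload_len >> 8);
    out[2] = (unsigned char)(payload_len & 0xff);
    memcpy(out + 3, payload, payload_len);
    memset(out + 3 + payload_len, 0, HB_PADDING);   /* real code used random padding */
    return (int)resp_len;
}

/* Vulnerable shape: trusts the peer's length field and never consults how many
 * bytes actually arrived, so memcpy reads past the end of the record. */
int hb_respond_vulnerable(const unsigned char *rec, size_t record_len,
                          unsigned char *out, size_t out_cap)
{
    (void)record_len;                        /* the bug: never checked */
    if (rec[0] != HB_REQUEST)
        return -1;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    return build_response(rec + 3, payload_len, out, out_cap);
}

/* Hardened: bound the claimed length by the record actually received and
 * silently discard anything that does not fit. */
int hb_respond_fixed(const unsigned char *rec, size_t record_len,
                     unsigned char *out, size_t out_cap)
{
    if (record_len < 1 + 2 + HB_PADDING)     /* too short to hold even the header */
        return -1;
    if (rec[0] != HB_REQUEST)
        return -1;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload_len + HB_PADDING > record_len)
        return -1;                           /* claimed payload exceeds the record */
    return build_response(rec + 3, payload_len, out, out_cap);
}

/* Reply length (or -1) when a handler sees the malformed request. */
int respond_to_malformed(hb_handler h)
{
    unsigned char out[256];
    return h(arena, RECORD_LEN, out, sizeof out);
}

/* Reply length (or -1) when a handler sees the well-formed request. */
int respond_to_wellformed(hb_handler h)
{
    unsigned char out[256];
    return h(good_record, RECORD_LEN, out, sizeof out);
}

/* How many bytes from beyond the received record ended up in the reply. */
int leaked_bytes(hb_handler h)
{
    unsigned char out[256];
    int n = h(arena, RECORD_LEN, out, sizeof out);
    if (n < 0)
        return 0;
    size_t echoed = (size_t)((out[1] << 8) | out[2]);
    size_t in_record = RECORD_LEN - 3;       /* bytes legitimately after the header */
    return echoed > in_record ? (int)(echoed - in_record) : 0;
}

int main(void)
{
    unsigned char out[256];
    int n = hb_respond_vulnerable(arena, RECORD_LEN, out, sizeof out);
    printf("vulnerable handler echoed %d bytes, %d from outside the record: \"%.15s\"\n",
           n, leaked_bytes(hb_respond_vulnerable), (const char *)(out + 3 + (RECORD_LEN - 3)));
    printf("fixed handler result: %d (request discarded)\n",
           hb_respond_fixed(arena, RECORD_LEN, out, sizeof out));
    return 0;
}
```

The length field is two bytes, which is where the often-quoted 64KB-per-request ceiling comes from; the hardened handler also rejects records too short to contain the header and padding, a second check the fix carried. Both handlers answer a well-formed request identically, so the bounds check costs nothing for honest peers.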

The flaw was serious enough to trigger the OpenBSD project to fork the OpenSSL source code into LibreSSL, pruning and refining it to improve security, but in a manner that makes the new code unlikely to work outside the project's own operating system. Now, Google is getting in on the act with the launch of BoringSSL - a fork of OpenSSL which aims to provide no nasty surprises.

The project isn't a direct response to Heartbleed and similar vulnerabilities, however. 'Earlier this year, before Apple had too many goto fails and GnuTLS had too few, before everyone learnt that TLS heart-beat messages were a thing and that some bugs are really old, I started a tidy up of the OpenSSL code that we use at Google,' Google engineer Adam Langley explained in announcing the project. 'We have used a number of patches on top of OpenSSL for many years. Some of them have been accepted into the main OpenSSL repository, but many of them don't mesh with OpenSSL's guarantee of API and ABI stability and many of them are a little too experimental.

'[Now] we’re switching models to one where we import changes from OpenSSL rather than rebasing on top of them. The result of that will start to appear in the Chromium repository soon and, over time, we hope to use it in Android and internally too,' claimed Langley. 'There are no guarantees of API or ABI stability with this code: we are not aiming to replace OpenSSL as an open-source project. We will still be sending them bug fixes when we find them and we will be importing changes from upstream. We’ll also be more able to import changes from LibreSSL and they are welcome to take changes from us.'

Warning, tongue in cheek, that the BoringSSL name is 'aspirational and not yet a promise,' Langley's announcement of BoringSSL and Google's adoption thereof is yet another blow for the OpenSSL project and its developers, who are still working to repair its reputation following recent events.

5 Comments

Beasteh 23rd June 2014, 18:16
Mr Langley? As in home of the CIA? That's no coincidence!

Seriously though, OpenSSL suffers because it's an open source project with a paltry budget. It isn't funded by the beneficiaries of the code - huge web companies that should really be giving something back to the service they rely on. It's a real embarrassment that the likes of Yahoo couldn't spare a few dollars to help fund security audits of the OpenSSL code.

It's good to see at least one firm taking responsibility.
proxess 23rd June 2014, 22:19
I wouldn't consider completely forking the code taking responsibility. It just means they're just another company that didn't finance OpenSSL or audits of its code either. Nor have other giants (and smaller companies) that are dependent on this technology. Actually, as stated in the post, most of them were barely aware of OpenSSL until heartbleed (or Apple's gotos). It just means they'd rather dish out on their own variant.
Gareth Halfacree 24th June 2014, 08:26
Quote:
Originally Posted by Beasteh
It's a real embarrassment that the likes of Yahoo couldn't spare a few dollars to help fund security audits of the OpenSSL code.
Actually, the Linux Foundation recently launched the Core Infrastructure Initiative which sees major-name companies putting money in a pot for the Foundation to dish out to important open-source projects - starting with OpenSSL, the Network Time Protocol and OpenSSH. You'd definitely recognise some of the names: Amazon, Cisco, Dell, Facebook, Fujitsu, Google, IBM, Intel, Microsoft, NetApp, Rackspace, VMware, Adobe, Bloomberg, HP, Huawei, salesforce.com... No Yahoo as far as I'm aware, though.
Quote:
Originally Posted by proxess
I wouldn't consider completely forking the code taking responsibility. It just means they're just another company that didn't finance OpenSSL or audits of it's code either. Nor have other giants (and smaller companies) that are dependent on this technology.
See above: Google is one of the companies putting real cash money into the Core Infrastructure Initiative specifically to boost OpenSSL's security and code quality. It's also promised to continue to do so even as it works on its own BoringSSL fork.
Quote:
Originally Posted by proxess
Actually, as stated in the post, most of them were barely aware of OpenSSL until heartbleed (or Apple's gotos). It just means they'd rather dish out on their own variant.
I would be very surprised if Google et al were "barely aware of OpenSSL;" the article is referring to end-users, none of whom had any reason to know the name of the library that provides cryptographic services to their operating system or application until headlines like "OPENSSL HEARTBLEED VULN WILL STEAL YOUR CHILDREN" hit the mainstream rags. Certainly, very few companies "dish out on their own variant;" building a secure cryptographic library is really hard. Look at OpenSSL: industry experts, open source, massive deployment, been running for years, and we're still finding gaping gert holes in the damn thing.
faugusztin 24th June 2014, 08:51
Quote:
Originally Posted by proxess
I wouldn't consider completely forking the code taking responsibility. It just means they're just another company that didn't finance OpenSSL or audits of it's code either.

Have you actually read the article? BoringSSL was pretty much OpenSSL + Google patches, which had been rejected by OpenSSL. BoringSSL is now switching to being a fork which includes Google patches, plus new commits from OpenSSL and LibreSSL unless there is a conflict.

It is pretty much a process change only at Google, for the SSL library used in Google products.

Before :
  • Check out OpenSSL source code
  • Apply Google patches

Now :
  • Check out BoringSSL source code
  • Apply new OpenSSL or LibreOffice commits (patches)
Beasteh 24th June 2014, 19:09
Quote:
Originally Posted by Gareth Halfacree
Actually, the Linux Foundation recently launched the Core Infrastructure Initiative which sees major-name companies putting money in a pot for the Foundation to dish out to important open-source projects

The active phrase there being "recently" - as per my original post, it's about time these companies supported the services they rely on.

I don't doubt that donations of code and cash have taken place in the past, but it's better to see a consistent, concerted effort with proper funding (like an in-house product might get). Of course, it could all go horribly wrong if each firm tries to pull in separate directions...