
posted by Fnord666 on Saturday July 20 2019, @03:06PM
from the rusty-security dept.

Submitted via IRC for Bytram

A Rust-based TLS library outperformed OpenSSL in almost every category

A tiny and relatively unknown TLS library written in Rust, an up-and-coming programming language, outperformed the industry-standard OpenSSL in almost every major category.

The findings are the result of a recent four-part series of benchmarks [1, 2, 3, 4] carried out by Joseph Birr-Pixton, the developer behind the Rustls library.

The findings showed that Rustls was 10% faster when setting up and negotiating a new server connection, and between 20 and 40% faster when setting up a client connection.

But while handshake speed for new TLS connections matters, most TLS connections resume a previously negotiated session rather than running a full handshake. Here, too, Rustls outperformed the aging OpenSSL: it was 10 to 20% faster when resuming a connection on the server side, and 30 to 70% faster when resuming a client connection.

Furthermore, Rustls also fared better in sheer bulk performance -- or the speed at which data is transferred over the TLS connection. Birr-Pixton said Rustls could send data 15% faster than OpenSSL, and receive it 5% faster as well.

Last, but not least, the Rustls creator also said his library only used half of the memory required to run OpenSSL, a major advantage.

In the past, OpenSSL has often been criticized for its large memory footprint and for the large number of security bugs found in its code. Because Rustls is written in Rust, a large share of that bug class is ruled out by the language itself: Rust's ownership and borrowing rules, checked at compile time, were designed from the ground up to prevent memory-safety errors such as out-of-bounds reads and use-after-free. That guarantee covers memory safety only; protocol logic, state-machine and cryptographic mistakes are still possible in any language, and code inside `unsafe` blocks is outside the compiler's checks.
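To make the memory-safety point concrete, here is an added example written for this page; it is not rustls code and not part of the original story. It parses the 5-byte TLS record header (content type, version, 16-bit length) and then takes the payload. The length field is attacker-controlled, and a declared length larger than the bytes actually received is exactly the shape of a classic C over-read. In Rust, the checked `get` returns `None` and the function reports an error; even the careless direct-slice version panics instead of reading neighbouring memory. The sample byte strings are constructed for the example, and the 2^14 limit is the TLSPlaintext fragment bound from RFC 8446.

```rust
// Added example, not rustls code: a memory-safe TLS record-header parser.
// TLSPlaintext layout: content_type (1) | version (2) | length (2) | payload.

#[derive(Debug, PartialEq)]
pub struct Record<'a> {
    pub content_type: u8,
    pub version: u16,
    pub payload: &'a [u8],
}

#[derive(Debug, PartialEq)]
pub enum ParseError {
    TruncatedHeader,
    Oversized(usize),
    BadLength { declared: usize, available: usize },
}

/// Maximum TLSPlaintext fragment length (RFC 8446, section 5.1).
const MAX_FRAGMENT: usize = 1 << 14;

/// Parse one record from the front of `buf`. Returns the record and the
/// number of bytes consumed so the caller can advance through a stream.
pub fn parse_record<'a>(buf: &'a [u8]) -> Result<(Record<'a>, usize), ParseError> {
    // `get` yields None rather than reading past the end of `buf`.
    let header = buf.get(..5).ok_or(ParseError::TruncatedHeader)?;
    let content_type = header[0];
    let version = u16::from_be_bytes([header[1], header[2]]);
    let declared = u16::from_be_bytes([header[3], header[4]]) as usize;

    // Reject lengths the protocol never allows before touching the payload.
    if declared > MAX_FRAGMENT {
        return Err(ParseError::Oversized(declared));
    }

    // The attacker-controlled length is checked against what we actually have.
    let payload = buf.get(5..5 + declared).ok_or(ParseError::BadLength {
        declared,
        available: buf.len() - 5,
    })?;
    Ok((Record { content_type, version, payload }, 5 + declared))
}

/// The same slice written carelessly with direct indexing. Rust still refuses
/// the out-of-bounds read: the slice panics (a crashed task, not a silent
/// disclosure of adjacent memory). Returns true if the parse panicked.
pub fn naive_payload_panics(buf: &[u8]) -> bool {
    std::panic::catch_unwind(|| {
        let declared = u16::from_be_bytes([buf[3], buf[4]]) as usize;
        buf[5..5 + declared].len()
    })
    .is_err()
}

fn main() {
    // Constructed sample: application_data (0x17), version 0x0303, 3 payload bytes.
    let good = [0x17, 0x03, 0x03, 0x00, 0x03, b'a', b'b', b'c'];
    println!("{:?}", parse_record(&good));

    // Constructed sample: header claims 16 payload bytes, only 3 were received.
    let lying = [0x17, 0x03, 0x03, 0x00, 0x10, b'a', b'b', b'c'];
    println!("{:?}", parse_record(&lying));
    println!("naive parser panicked: {}", naive_payload_panics(&lying));

    // Constructed sample: length 0xFFFF exceeds the protocol maximum outright.
    let oversized = [0x17, 0x03, 0x03, 0xFF, 0xFF, b'a', b'b', b'c'];
    println!("{:?}", parse_record(&oversized));
}
```

The design choice worth noting is that the checked path returns a typed error the caller can act on (close the connection, log the peer), whereas the naive path only converts the over-read into a panic; both are memory-safe, but only the first is operationally sound for a server.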

Based on the results of these benchmarks, Rustls appears to have addressed the performance question as well, making it a serious candidate to replace OpenSSL in web services that still rely on it.


  • (Score: 0) by Anonymous Coward on Sunday July 21 2019, @04:13PM (#869651) (1 child)

    I think your argument is that a new implementation of OpenSSL or similar is dangerous in *any* language, even C or C++. I agree. But that's not a specific argument against Rust.

    As for alpha and beta libraries - even the best C and C++ developers in the world make memory mistakes sometimes. So Rust libraries might be buggy, but it's not like the C/C++ world is rainbows and unicorns. It might be worth a shot.

  • (Score: 2) by The Mighty Buzzard on Monday July 22 2019, @11:00AM

    Oh, sure, it's worth doing. It's just bloody stupid to use the resulting library in a production environment if you care about security even a little bit. Decades of having people actively looking for your mistakes vs. weeks of them doing so makes a damned important difference. And that's without even considering that most Rust libraries lurve the CoC more than they lurve having the best contributors.

    --
    My rights don't end where your fear begins.