Google is releasing its own independently developed fork of OpenSSL, the widely used cryptography library that came to international attention following the Heartbleed vulnerability that threatened hundreds of thousands of websites with catastrophic attacks.
The unveiling of BoringSSL, as the Google fork has been dubbed, means there will be three separate versions of OpenSSL, which is best known for implementing the secure socket layer and transport layer security protocols on an estimated 500,000 websites. Developers of the OpenBSD operating system took the wraps off LibreSSL a few weeks after the surfacing of Heartbleed. Google is taking pains to ensure BoringSSL won't unnecessarily compete or interfere with either of those independent projects. Among other things, the company will continue to back the Core Infrastructure Initiative, which is providing $100,000 in funding for two full-time OpenSSL developers so the organization can refurbish its badly aging code base.
Why Google should choose to go this route has been discussed on Hacker News.
Related Stories
It has finally happened. Bob Beck of The OpenBSD Foundation has just announced that the first release of LibreSSL portable is now available, and can be found in the LibreSSL directory of your favourite OpenBSD mirror.
libressl-2.0.0.tar.gz has been tested to build on various versions of Linux, Solaris, Mac OS X and FreeBSD.
This is intended to be an initial portable release of OpenBSD's libressl to allow the community to start using it and providing feedback, and has been done to address the issue of incorrect portable versions being attempted by third parties. Support for additional platforms will be added as time and resources permit.
(Score: 5, Insightful) by Horse With Stripes on Sunday June 22 2014, @10:37AM
Do I want Google to have access to the SSL keys on my server? Um ... no.
Sorry Google. Many people already don't trust you. But trust you at this level? Um ... no.
(Score: 5, Interesting) by Leebert on Sunday June 22 2014, @11:14AM
Do you really think Google would be this stupid? Why on earth would you think that they would release code that would do such a thing?
(Score: 1, Insightful) by Anonymous Coward on Sunday June 22 2014, @11:20AM
But, but, Google is famous so they must be evil. The Internet told me so. I'd rather get my SSL code from some random unknown guy whose dev box is full of malware. That way I know I can trust it.
(Score: 4, Insightful) by Horse With Stripes on Sunday June 22 2014, @03:32PM
No, Google tracks anything and everything about you that they possibly can. That makes them evil; it has nothing to do with 'famous'. And Google always thinks it knows best, so keeping track of your SSL keys for you is a service, not a security issue.
Google touching my SSL keys? No thanks.
(Score: 2, Interesting) by Horse With Stripes on Sunday June 22 2014, @05:04PM
I don't think Google is stupid, but I do think that they think that they are smarter than everybody else. And I don't see anywhere in the article that Google plans on releasing the code for this.
(Score: 3, Insightful) by Leebert on Sunday June 22 2014, @06:37PM
The article says that they are releasing it under the ISC license, which would be a really weird thing to do if they weren't releasing the source. :)
So again, Google would have to be monumentally stupid to be swiping SSL keys in the background.
(Score: 4, Informative) by Angry Jesus on Sunday June 22 2014, @06:39PM
> I don't see anywhere in the article that Google plans on releasing the code for this.
If it were closed source that would have been newsworthy.
The fact that the article doesn't say anything should have been a clue that the fork is open source. [googlesource.com]
(Score: 3, Funny) by gallondr00nk on Sunday June 22 2014, @11:02AM
It also requires that you allow it to give your keys their own Google+ accounts.
Just kidding.
OpenSSL seems fairly broken, so any forks are welcome.
(Score: 3, Interesting) by Wootery on Sunday June 22 2014, @12:26PM
I'd prefer to see a drop-in replacement developed from scratch in something like Ada (i.e. with C bindings).
We can stop buffer overflows. It's not like safe languages are a crazy new idea. Neither is it the case that Ada is substantially slower than C.
(Score: 1) by art guerrilla on Sunday June 22 2014, @11:53AM
while i noticed, there is -what i think- is a glitch in the SN behavior...
on other sites, when i open several tabs for various stories, THEN proceed to log-in to one of the pages, all the other pages reflect that update and have me logged in, SN does not...
in fact, i am hard-pressed to think of any other site where that does *not* happen automagically...
just my observation to the SN gurus...
(thanks for the heavy lifting all the behind-the-scenes SN worker bees do...)
(Score: 1) by ticho on Sunday June 22 2014, @12:17PM
I am hard-pressed to think of any site which _does_ reload all pages for a site when you log in in one of them (nor would I want it to happen). Maybe it's a browser plugin you're using, or something?
(Score: 1) by art guerrilla on Monday June 23 2014, @11:23PM
techdirt, for one, amazon for another, and i know another one i frequent does it as well...
not a super-nerd, just running ghostery and adblock+ and something else, i forget...
frankly, simply a dumb-user who saw 'convenient' behavior on one website, and wondered why it wasn't the same here...
i realize there is a large hard-core nerd contingent who would carve their own electrons if they could, but i am not concerned enough to spend several person-years studying technical issues to protect the pictures of my dogs and such... hell, all the financial crap is on my wife's computer, and she is 100 times more reckless than i am in regards to 'safe-computing'...
(Score: 5, Insightful) by clone141166 on Sunday June 22 2014, @12:29PM
Press F5 :)
From my understanding the slashcode that SN runs on is quite old, it doesn't use new-fangled AJAX like most sites.
The down side to this is things don't automagically happen on every page.
The up side to this is things don't automagically happen on every page.
Some of us actually like being in control of our web browsers, as opposed to having them just do whatever the heck they feel like at the behest of some sh**ty javascript code. Just throwing the alternative point of view out there.
(Score: 4, Insightful) by bziman on Sunday June 22 2014, @02:42PM
Thank you, but I prefer pages on tabs do not change unless I interact with them directly. This ajax web 2.0 crap is why I bailed on Slashdot!
(Score: 2, Insightful) by Anonymous Coward on Sunday June 22 2014, @02:54PM
If you start commenting as anonymous coward, preview, and log in using another window, and you preview the AC comment again, you appear as logged in, right? (and then you can't post because of form key reuse). If so, the site (and the client) behaves as expected. I would not fill the site with ajax and javascript, just a couple css alternative styles are all people need. Sites and webapps that try to adhere to the REST philosophy tend to be easier to understand and code for.
(Score: 2) by egcagrac0 on Monday June 23 2014, @02:22PM
The best part of re-inventing the wheel is that you get to pick how many sides the new one has.
I understand why they'd want to re-invent the wheel, and why they'd want to choose a non-canonical number of sides for the new one. I also understand that a lot of other (non-Google) users would probably want the canonical number of sides on their wheels.
(Score: 2) by FatPhil on Saturday July 12 2014, @04:04PM
Not seen that before - would you be perturbed if I used it (with attribution, of course) as one of my .sigs?
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 2) by egcagrac0 on Sunday July 13 2014, @04:11PM
Go for it. Best regards.