Google Forks OpenSSL, Announces BoringSSL

An anonymous reader writes Two months after OpenBSD's LibReSSL was announced, Adam Langley introduces Google's own fork of OpenSSL, called BoringSSL. "[As] Android, Chrome and other products have started to need some subset of these [OpenSSL] patches, things have grown very complex. The effort involved in keeping all these patches (and there are more than 70 at the moment) straight across multiple code bases is getting to be too much. So we're switching models to one where we import changes from OpenSSL rather than rebasing on top of them. The result of that will start to appear in the Chromium repository soon and, over time, we hope to use it in Android and internally too." First reactions are generally positive. Theo de Raadt comments, "Choice is good!!."

Yaaaay!

Just what I needed this Saturday, the announcement of yet another implementation of SSL by people I do not to trust

oh joy, oh rapture, etc. etc. etc.

Re:Yaaaay!

[TheGratefulNet]

right. google IS the premier spy company. they want ALL your data.

and so, we are supposed to trust google on things about SECURITY and where user TRUST is involved?

scuze me??

Re:Yaaaay!

[grub]

Google SSL... Now with a side channel for ads.

Re:Yaaaay!

[Megane]

Yes. Because they don't want anyone else to have that data that they have gone to such effort to collect.

Or at least not without paying for it.

Re:Yaaaay!

[Opportunist]

I prefer to eat capitalists.

Re:Yaaaay!

[danomac]

What do you do about the aftertaste afterwards?

Re:Yaaaay!

[armanox]

Vodka, comrade

Re:Yaaaay!

[swillden]

Yes. Because they don't want anyone else to have that data that they have gone to such effort to collect.

Or at least not without paying for it.

FYI, Google does not sell user data.

Re:Yaaaay!

[Zeek40]

You expect to be billed for it. With interest.

Re:Yaaaay!

[martin-boundary]

If they end up having a monopoly on the information, they can just sell it to others after they've collected it. So end effect is, lots of people have your data, but Google gets to profit from it TWICE. Way to go, knucklehead. Once the fox is allowed into the henhouse, it's game over. The only winning move is to kill the fox.

Re:Yaaaay!

[spectrumlogic]

Isn't is about time we acknowledge the corporate cleansing ritual of open source participation also contributes to the gentrification of peer communities...and it might be a bit more complex than simply an unintended consequence? The traditional conflict set between open source and corporate collaboratives persist with the possible driver that open source is now broadly recognized as an effective competitive method. As a more or less direct result, monetized communities like OpenSSL will be presented with trade-offs...similar to those discussed in this thread...from their new overlords. Unfortunately, acceptance of such trade-offs may also be viewed as a function of timing whose eventual destination can be plotted against mission imperatives whose purpose is to re-introduce the persistent conflict set from a position of power...presumably with a different outcome. The bottom line is that it is unlikely gentrified open source projects will be easy to differentiate from thier corporate counterparts...with the exception that the peer community takes much of the risk out of development projects...which non-coincidentally support proprietary products.

Re:Yaaaay!

[Opportunist]

Who said I'll pay?

Re:Yaaaay!

[Zeek40]

The debtor's prisons that we've started running. Because we've reverted a medieval mentality.

Re:Yaaaay!

[Opportunist]

Considering how that eventually ended, I'd start watching over my neck if I was part of the modern aristocracy.

It might be missing suddenly.

Choice is good

[manu0601]

Choice is good, but I am not sure whether mess is good too. How much time before the OpenSSL forks get incompatibles API?

Re:Choice is good

[neoform]

I'd assume once a clear winner is chosen as to which is better...

I don't see the open source SSL library 'market' being the next browser war where incompatibility makes one product win over another...

How will they address the attitude problem?

A huge part of the problem with OpenSSL is the attitude that anyone but the "Anointed Few" are discouraged from getting involved with security research or the development of cryptographic software.

I know we're all familiar with the common saying, "Never roll your own crypto!" It's this attitude that drives good people away from even just analysing existing crypto code. Nobody wants to feel the unrelenting wrath of the security community toward outsiders, especially if you happen to find a flaw with something they created.

How will Google avoid this aspect of the problem? Fixing the software bugs are one thing, but the bugs within the community itself are probably far harder to fix.

Re:How will they address the attitude problem?

[colfer]

Maybe by assigning people to the project who have not chosen security as a career field. On the Mozilla commits I used to follow, the personalities in the security arena were a different kettle of fish from the other developers. They had to maintain FIPS compliance, so were conservative about changes, but it was more than that. Not to mention, there's a possibility of workers with ulterior motives. All the more reason to develop a wider community than just self-selected specialists.

The billion dollar companies can afford it, and should have a long time ago.

Re:How will they address the attitude problem?

. They had to maintain FIPS compliance, so were conservative about changes

IIRC OpenSSL also had to maintain FIPS compliance, it was one of the excuses used to claim why the very limited manpower wasn't used to improve actual security.

Re:How will they address the attitude problem?

Don be ridiculous. Nobody is preventing you from reading the source code of FOSS crypto libraries. If you somehow manage to find a flaw and explain how it is a flaw (it isn't always obvious), there won't be an "unrelenting wrath of the security community toward outsiders" against you.

If you want to use libraries written by amateurs that is your problem. That makes as much sense as getting a random person to fix a complex problem in your car because you think mechanics are hostile toward people who have no idea what they're babbling about.

People love to rant on how OpenSSL failed with heartbleed, how all communities they're not part of are evil. But when the time comes to do the work, for free (go look how many millions OpenSSL doesn't make), it's only those with an "attitude problem" who get things done.
Here's an idea: create your own crypto library and run it with your own rules. You can even fork an existing project.

Re:How will they address the attitude problem?

[Hognoxious]

How will Google avoid this aspect of the problem?

By putting such a horrible UI on it that nobody uses it. And then dropping it in about 6 months.

Re:What a name!

[ArcadeMan]

I was about to write a witty reply to your comment, however the result would not have been interesting, tedious to read, dull, monotonous, repetitive, unrelieved, unvaried, unimaginative, uneventful, characterless, featureless, colorless, lifeless, insipid, uninteresting, unexciting, uninspiring, unstimulating, uninvolving, unreadable, unwatchable, jejune, flat, bland, dry, stale, tired, banal, lackluster, stodgy, vapid, monochrome, dreary, humdrum, mundane, mind-numbing, wearisome, tiring, tiresome, irksome, trying, frustrating, informaldeadly, ho-hum, dullsville, dull as dishwater, plain-vanilla and as boring as a one-man play.

Worrysome

[Virtucon]

Google forking OpenSSL into their own brand of NSA friendly, privacy snooping SSL. Why not just help the OpenSSL folks strengthen an already great product and assist in regression testing and validation as well? No grow your own and fragment the community you say?

Re:Worrysome

[drinkypoo]

Diversity is good, especially if they wind up diverging and actually being diverse. Not all implementations wind up being vulnerable to the same attacks, except when there are weaknesses inherent to the protocol. Even then a diverse... crap, I can't think of a non-buzzword to use here, landscape, ecosystem, argh. Sorry. Anyway, where was I? More variants means more approaches are likely to be attempted to solving the same problem, hopefully the best one wins and we get the best approach out of several options instead of whatever the single vendor comes up with.

Re:Worrysome

[Virtucon]

I understand that but in the case of it being Google who has a tendency not to make their technology, like Android, forkable. It's a one way street with them and I wouldn't trust any security implementation blessed by them. If it were Red Hat or even Microsoft I'd trust it more.

Re:Worrysome

[drinkypoo]

It's a one way street with them and I wouldn't trust any security implementation blessed by them

Good! That should limit uptake, and encourage still more alternatives.

Re:Worrysome

[Fnord666]

Diversity is good, especially if they wind up diverging and actually being diverse. Not all implementations wind up being vulnerable to the same attacks, except when there are weaknesses inherent to the protocol.

Just be sure that as a developer you write an abstraction layer between the application and the library so that when the interfaces diverge too much you have a single class to rewrite. Diversity in implementations is a good thing. Diversity in the interfaces can be a pain in the butt.

Re:Worrysome

[NotBorg]

Why not just help the OpenSSL folks strengthen an already great product

Citation needed.

Re:Worrysome

[drinkypoo]

There are two kinds of people in this world.

Oh no! We need more kinds of people!

Re:Worrysome

[strikethree]

OpenSSL is the swiss army knife of encryption technologies.

It can encrypt data with whatever cipher floats your boat. It can do hashing with whatever algorithm floats your boat. It can do SSL negotiations, it can examine, manipulate, and create X.509 certificates and containers like PKCS etc. Hell, it has all of the tools necessary to build an entire PKI up to and including creating Root Certificate Authorities, managing Certificate Revocation Lists, etc.

There may be vulnerabilities in it, but Oh My God can it do a whole hell of a lot. OpenSSL is up there with the Linux Kernel and GCC for usefulness and importance. As a security guy and as a privacy freak, I have been using OpenSSL code since before it was called OpenSSL. It was SSLeay prior to being OpenSSL.

That is a personal citation, but the facts are irrefutable.

Re:Worrysome

[NotBorg]

Because only positive facts are relevant?

Re: Worrysome

[strikethree]

Because negative facts dominate?

Re: Worrysome

[NotBorg]

Positive: The device won't cut off your hands.
Negative: The device will cut off your head.

Maybe it's not so bad?
Positive: It won't cut off your head.
Negative: It will cut off your hands.

Still no?
Positive: It won't cut off your head, your kids are entertained and happy because...
Negative: For about 20% of uses shocks the shit outta you.

Still not enough? Ok
Positive: This device is great, doesn't chop off your head or hands and it doesn't shock you.
Negative: After about 3 months of heavy usage a small bit of plastic will break rendering the device inoperable. However it's easy to fix and you're a do-it-yourself guy. $1 at a local hardware store and it's good as new and will last you for many years to come.

Perhaps it's best to look at all the facts rather than just the positive ones.

Re:Choice is NOT ALWAYS good

[colfer]

BoringSSL is a great name and directly addresses what got OpenSSL into trouble most recently, implementing a new protocol parameter based on a student's idea for a degree thesis. Innovation for innovation's sake, that was. Hurriedly applied for some reason.

And it's not something a website would "use," if you mean a high level protocol akin to "https." It's a library to implement common standards.

Re:How does this help?

[bmajik]

Bugs weren't missed in mainline openSSL. Bugs were logged, sat around for years, and didn't get fixed.

The project management and software engineering practices for openSSL were/are simply not acceptable.

The code is salvageable. The people and processes that allowed the code to get that way are not.

"This code under new management"

"Can't trust Google cuz they're NSA buds" = silly

[cyrus0101]

Google makes a lot of money on your data. They mine the crap out of your email. Their CEO has said privacy online is silly since if you've done nothing wrong you have nothing to hide. Summed up: they're indifferent to your sense of privacy. But trust Google to protect it's own interests. It wants to control access to this data. They'll be happy to comply with government requests for data, but on their own terms, and not by willfully subverting the security itself and leaving the door wide open. Being the doorkeeper makes them powerful. Being a doormat is not in their interest.

Re:Choice is NOT ALWAYS good

[NotInHere]

Compare email (you can choose your provider, but regardless, you can email anyone) vs. social networking (if you choose Facebook and your friend is the one person on Google+, you're out of luck)

That's one of the reasons why I have email, jabber, and sms (and webrtc), but no social network.

It is hip to be square

[ctime]

For those having a hard time understanding the naming convention,

Boring: Not flashy, not exciting, not experimental, not sexy. Performs as expected.

In other words, exactly how I want my security libraries, my databases, and the other critical infrastructure that runs the planet to be described as. Boring is good. A choice between boring Plain Jane and Simple Sally? Even better. Thank you.

Re:It is hip to be square

[owlstead]

Yes, but that's not what this seems to be about:

We have used a number of patches on top of OpenSSL for many years. Some of them have been accepted into the main OpenSSL repository, but many of them don’t mesh with OpenSSL’s guarantee of API and ABI stability and many of them are a little too experimental.

For something that includes experimental patches, *boring* would be an extremely stupid part of the name.

Re:It is hip to be square

[Opportunist]

And if they called it snoozeSSL, the name doesn't matter. A name is a designation that should enable us to distinguish it from something of a similar kind, preferably it should be unique to avoid confusion. Since human beings are better at keeping names than numbers (usually, I'm not), we tend to label things with names.

The point is, though, that this name means jack. Whether it is called BoringSSL or SuperspecialawesomeSSL doesn't matter. It is a name. Nothing else. Everything else is just the usual name calling bullshit along the lines of sunshine units and differently abled.

What remains is that it is done by the company whose core business is data collection and selling it to the highest bidder.

Re:It is hip to be square

[Jiro]

And if they called it snoozeSSL, the name doesn't matter. A name is a designation that should enable us to distinguish it from something of a similar kind...

The point is, though, that this name means jack

So *you're* the guy who named GIMP..

Names actually do matter. Think of a name as a type of user interface, and a bad name as an ugly user interface.

For that matter, think of a name as a way to deal with people, and a poorly named project as showing geekish lack of social skills. Saying "please" serves no function other than making people feel better. It doesn't mean anything more than the name. But that still means a lot, because we're human beings, and doing things with no technological effect is part of how we deal with other human beings.

Re:It is hip to be square

[tepples]

Think of a name as a type of user interface, and a bad name as an ugly user interface.

So how would you redesign this aspect of the user interface of, say, the GNU Image Manipulation Program?

Re:It is hip to be square

[discord5]

So how would you redesign this aspect of the user interface of, say, the GNU Image Manipulation Program?

Please, let's not mention Gimp and UI in the same sentence unless you're looking for an internet fight.

Re:It is hip to be square

[lannocc]

GIMP's UI is OK, but it really requires a hardware graphics tablet to be used properly.

Re:It is hip to be square

[LookIntoTheFuture]

Gimp wars! I've gone back in time!

Re:It is hip to be square

[Electricity+Likes+Me]

GNU Image Editor (GIE)

GNU Raster Editing And Touchup (GREAT)

GNU Image Manipulator (GIM)

The last one is the one I'd go with. Simple and straight forward - drop the P, and you lose the weird sexual double entendre while gaining a nice verbage: "that image is a bit big. take it to the gim" "run it through the gim" etc.

OSS seriously needs to be mindful of these things. There's some remote desk manager called "gigolo". Bravo to whoever named that - I can absolutely never install it on my kid's computers.

Re:It is hip to be square

This. When will (some) programmers learn that humans have an API too, and that they're using it wrong?

Re:What a name!

they call it BoringSSL because it contains a backdoor tunneling protocol.

Re:What a name!

[swillden]

First reactions are generally positive. Theo de Raadt comments, "Choice is good!!."

The name "BoringSSL."

I am finding extreme difficulty in liking this name choice. What was Google thinking? Am I alone?

It's not "What was Google thinking?", it's "What was Adam Langley thinking?". As for what he was thinking, it's pretty simple: Fundamental security components like SSL/TLS should be very, very boring. They're not a place for innovation and experimentation, they're not a place for clever code that demonstrates the author's virtuosity (assuming there is any such place, outside of Obfuscated C contests). They're not a place for exploration of how the C preprocessor can be used to automatically generate much of the codebase (which is something that OpenSSL has done). They're where you want very simple, straightforward, boring implementations of industry best practice algorithms and protocols.

When it comes to security, boring is good.

As Langley said in his blog post, the name is aspirational. But it is his goal, to produce a security library which is completely boring. And it's a good thing.

Re:How does this help?

[owlstead]

So where is the heartbleed bug report that was ignored?

Re:How does this help?

[jones_supa]

OpenSSL Gets Patch for 4-Year-Old Flaw

That one had a public CVE sitting for 4 years while nobody took the responsibility to fix it.

Certify it

[sinij]

Without FIPS certification system engineers won't be able to include BoringSSL in US-government facing applications, since doing so will disqualify them from procurement lists. Since US gov't is largest consumer of cryptographic products in the North American market, BoringSSL must certify or stay irrelevant.

Re:Certify it

[rubycodez]

wrong. FIPS certifcation has just been proven to be meaningless, and in fact the reason openssl was such dung. Most FIPS certfied systems have multiple known vulnerabilities now.

Instead, those with a brain will chose the superior alternative being developed, and those in government will have to follow leadership and make a better standard.

Re:Certify it

[swillden]

Without FIPS certification system engineers won't be able to include BoringSSL in US-government facing applications, since doing so will disqualify them from procurement lists. Since US gov't is largest consumer of cryptographic products in the North American market, BoringSSL must certify or stay irrelevant.

Right, because Google is irrelevant.

Re:Certify it

And if you do have a FIPS-certified cryptographic system, thanks to the NSA's shenanigans, the rest of the world now views it with disdain and suspicion, so forget about selling anything to anyone who ISN'T a US government agency.

They can make their own damn crypto, or follow the lead of independent cryptographers leading independent research. Appeasing governments is off the menu.

Re:Certify it

[bill_mcgonigle]

US gov't is largest consumer of cryptographic products in the North American market

This doesn't make any sense. There are more Android phones than government employees, for instance (and thank goodness).

Vis-a-vis LibreSSL - screw FIPS, Dual EC DRBG, and weak NSA coefficients - let the feds use OpenSSL if they want to.

Re:Certify it

[Electricity+Likes+Me]

Without FIPS certification system engineers won't be able to include BoringSSL in US-government facing applications, since doing so will disqualify them from procurement lists. Since US gov't is largest consumer of cryptographic products in the North American market, BoringSSL must certify or stay irrelevant.

Right, because Google is irrelevant.

It will be if it can't sell products to the US government.

Re:Certify it

[swillden]

Without FIPS certification system engineers won't be able to include BoringSSL in US-government facing applications, since doing so will disqualify them from procurement lists. Since US gov't is largest consumer of cryptographic products in the North American market, BoringSSL must certify or stay irrelevant.

Right, because Google is irrelevant.

It will be if it can't sell products to the US government.

What products does Google sell to the US government? And, in general, it's not like the government is the only customer in the world.

Re:Certify it

[swillden]

What products does Google sell to the US government?

You.

A) That's not true. Do you have a citation?

B) Even if it were, it wouldn't be relevant to this thread, in which the claim is that not making BoringSSL FIPS-compliant will somehow make it irrelevant because it would impact Google's ability to sell products to the government. If Google did sell information to the government, the lack of FIPS certification on BoringSSL clearly wouldn't be an obstacle.

Re:What a name!

All I say is OUCH!

Look at your own code

Look at the code you wrote yourself 10-20 years ago.

The simple boring code you still understand and still can compile and use today.

Now look at the code where you put in every trick in the book and then some. Can you understand? Does it compile today? Does it even have a useful function to use today? Is it bug free after all this time?

Unless you did a good job documenting it I am betting there is a no to one of those questions.

Re:What a name!

[Qzukk]

To put it bluntly, heartbleed was exciting and in security, exciting is bad.

Re:"Can't trust Google cuz they're NSA buds" = sil

[sasparillascott]

Actually this isn't silly. Intel has compromised CPU instruction set due to NSA influence (whether that was via a secret order or just because they bend over when asked is unknown). Just look at what this Google engineer said:

https://plus.google.com/+Theod...

So given the option of getting a back door inserted in the SSL protocol used by a huge chunk of the world - the NSA will try to corrupt it.

If served with a secret order, from a secret court on the desire of the NSA for "national security" reasons with orders to, of course keep it secret, Google would have no choice but to comply. The fact that it'll be open source would allow for the possibility of it getting caught (but only the possibility), and I doubt that would keep the NSA from trying to corrupt all 3 SSL protocols as they are being reworked currently. JMHO...

BorenSSL

[bAdministrator]

Its name was, in fact, Boren.

Re:Not a general use library

[Kremmy]

That's a reading comprehension issue on the user end.

Re:"Can't trust Google cuz they're NSA buds" = sil

[cbhacking]

There's no guarantee that Intel was actually compromised, though they would have been an obvious target. More likely that effort was aimed at dedicated hardware RNGs, which have been a thing since well before RDRAND, but the final point of the post (about not trusting RNGs you can't audit) has obvious merit.

Also, while I think I know what you mean, "all 3 SSL protocols" makes no sense. There are currently four SSL/TLS protocols in use (SSL3, TLS1, TLS1.1, TLS1.2) plus a deprecated one (SSL2, which is broken; SSL1 was never published AFAIK). If you meant SSL implementations, there are at least seven: the three OpenSSL-derived ones (OpenSSL, LibReSSL, BoringSSL), BouncyCastle (which is technically two implementations, Java and C#, but they are supposed to be equivalent), GnuTLS, Mozilla's one (may be client-only?), Apple's one (I think does both client and server but could be wrong), and Microsoft's SChannel (client and server).

Re:What a name!

[marcello_dl]

> they call it BoringSSL because it contains a backdoor tunneling protocol.

In fact, I was thinking: "Boring, my ass", but I didn't know exactly why.

Re: Choice is NOT ALWAYS good

[aojensen]

If I recall correctly, OpenSocial tried to solve exactly that problem?

Re: Choice is NOT ALWAYS good

[aojensen]

If I recall correctly, OpenSocial tried to solve exactly that problem? http://opensocial.org/

Cannot Wait

[ChadSmith4920]

For SameOldSSL and SSLYourWAY

Re:What a name!

[AchilleTalon]

NSA decided to follow Google's path and annouced a fork of OpenSSL, they will call the new fork SuckingSSL. First reactions are generally positive.

Re:"Can't trust Google cuz they're NSA buds" = sil

[hattable]

They'll be happy to comply with government requests for data, but on their own terms, and not by willfully subverting the security itself and leaving the door wide open.

I think people forget that regular ol' poor programming may leave things open--incompetence over malice.

Re:How does this help?

[Electricity+Likes+Me]

That description isn't very good for the bug: a specially crafted buffer overwrites Alice's data - what? I presume they mean that Bob could takeover Alice's connection, but the description isn't very good.

Moreover, it very much ignores an important issue: just because a bug is spotted, doesn't mean the fix is trivial. In security software the fix might very well open up a different vulnerability.

Debian's SSH flaw was exactly something like this - inappropriately commented weird looking code was removed to "improve" things. And it's exactly that sort of problem which I suspect LibreSSL is going run straight into at some point as well.

Re: What a name!

[Terrasque]

You mean FreedomSSL?

And response from security people have either been very positive or they weren't available for comment right now.

because Google doesn't need two major limitations

[raymorris]

> Why not just help the OpenSSL folks strengthen an already great product and assist in regression testing and validation as well?

OpenSSL can't do alot of things they'd like to do because it would break binary compatibility with the old ABI. There are also a number of improvements that would change the API. OpenSSL has committed to sticking with not only the old API, but the old ABI, so you an old program can use the new openssl without even recompiling.

Google isn't restricted by those two things because they recompile Android daily or weekly anyway. Therefore, there's no reason they wouldn't make improvements that change the binary interface. They'd be forgoing significant improvements just for the sake of us the same bad abi that someone designed many years ago, which has no benefit in their products.

They can still send over improvements that they devfolks In some cases, it will be up to the OpenSSL folks to decide if they want to contort the new improvements to fit in the legacy ABI or API.

Re:What a name!

[ChunderDownunder]

jejune, must remember that one...

largest doesn't mean the majority

[raymorris]

"Largest consumer" means they buy more than ANYONE else, not more than EVERYONE else.

Does the world's largest man account for over half the weight of all humans? No, he's bigger than any other man, not bigger than all other men put together. A lot of people buy Android phones. Can you name a consumer who buys more than the US government.

compatibility, so you don't rewrite all applicatio

[raymorris]

LibreSSL maintains API and ABI compatibility with OpenSSL, so you can upgrade your encryption without rewriting all of your applications. That's one reason that people in general use LibreSSL rather than something completely different. Also, it's on its way to becoming the most thoroughly audited SSL/TLS library in the world.

Google doesn't mind recompiling their software, so they need only API compatibility, not ABI compatibility.

It needs to go the "XWindows path"

[sgt+scrub]

I think OpenSSL should be broken up into pieces that work together so different parts can be worked on separately. Needless to say I think the OpenBSD group has the better, more achievable for open source, path for the future of the library. I'm not a hater of all things Google; but, I don't think "in-house" code is a good choice for the GNU parts of Linux/BSDs

Certify it

[sgt+scrub]

On the flip side of that, anything with BoringSSL will not be restricted from exporting outside of the U.S. /snark

Re:because Google doesn't need two major limitatio

[Virtucon]

Good points but a lot of speculation on Google's intentions. I think it'll be like everything else they've done for open source. Embrace, Extend and then Emprision (sic) much like "we don't like Java so we'll make our own" It's the Bender philosophy. Sure OpenSSL may have an older API/ABI however what's the driving factor for something new? There's just no way I can trust Google after the NSA revelations and their incessant tracking crap. First it was Facebook and all their damn trackers now Google Metrics, Google Analytics on almost every fucking webpage out there. Sorry do no evil is no longer valid at Google and I look at any attempt at embracing or forking and already existent open source project as suspicious and motivated by some shit that'll eventually get me condom ads.

Yup - ExcitingSSL is NOT what you want

[billstewart]

No surprise.

Re:What a name!

[Prof.Phreak]

Yes, it's hard to get excited about BoringSSL.

Wayne Boring

[tverbeek]

I thought that BoringSSL was named in honor of classic Superman artist Wayne Boring.

not speculation, see TFA

[raymorris]

It's not speculation at all, I pretty much quoted the discussion that led to the fork. I just added a very brief explanation of the terms ABI and API.

> and I look at any attempt at embracing or forking

It appears that you refused to look at it at all, preferring to apply your preconceived conclusion without bothering to take 60 to read what is happening and why.

Re:not speculation, see TFA

[Virtucon]

I did read that, don't assume. Also don't assume anything Google does is for the benefit of anybody except Google. Google is a business and it still amazes me that people believe, with a straight face, that they won't shaft over everybody if corporate conscious comes between them and a buck.

Re:"Can't trust Google cuz they're NSA buds" = sil

[cyrus0101]

I'm not suggesting Google is impervious to coercion, only that the have an incentive to maintain as secure a platform as they are able. They are no more vulnerable to corruption than OpenSSL was (though it could even be argued that their political and economic clout makes them less vulnerable; but I wouldn't get behind that position).