Slashdot Mirror


Google Forks OpenSSL, Announces BoringSSL

An anonymous reader writes: Two months after OpenBSD's LibreSSL was announced, Adam Langley introduces Google's own fork of OpenSSL, called BoringSSL. "[As] Android, Chrome and other products have started to need some subset of these [OpenSSL] patches, things have grown very complex. The effort involved in keeping all these patches (and there are more than 70 at the moment) straight across multiple code bases is getting to be too much. So we're switching models to one where we import changes from OpenSSL rather than rebasing on top of them. The result of that will start to appear in the Chromium repository soon and, over time, we hope to use it in Android and internally too." First reactions are generally positive. Theo de Raadt comments, "Choice is good!!."


  1. Yaaaay! by Anonymous Coward · · Score: 5, Insightful

    Just what I needed this Saturday, the announcement of yet another implementation of SSL by people I do not trust

    oh joy, oh rapture, etc. etc. etc.

    1. Re:Yaaaay! by TheGratefulNet · · Score: 3, Insightful

      right. google IS the premier spy company. they want ALL your data.

      and so, we are supposed to trust google on things about SECURITY and where user TRUST is involved?

      scuze me??

      --
      "It is now safe to switch off your computer."
    2. Re:Yaaaay! by grub · · Score: 5, Funny


      Google SSL... Now with a side channel for ads.

      --
      Trolling is a art,
    3. Re:Yaaaay! by Megane · · Score: 4, Interesting

      Yes. Because they don't want anyone else to have that data that they have gone to such effort to collect.

      Or at least not without paying for it.

      --
      #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
  2. Re:How will they address the attitude problem? by colfer · · Score: 4, Interesting

    Maybe by assigning people to the project who have not chosen security as a career field. On the Mozilla commits I used to follow, the personalities in the security arena were a different kettle of fish from the other developers. They had to maintain FIPS compliance, so were conservative about changes, but it was more than that. Not to mention, there's a possibility of workers with ulterior motives. All the more reason to develop a wider community than just self-selected specialists.

    The billion dollar companies can afford it, and should have a long time ago.

  3. Re:What a name! by ArcadeMan · · Score: 5, Funny

    I was about to write a witty reply to your comment, however the result would not have been interesting, tedious to read, dull, monotonous, repetitive, unrelieved, unvaried, unimaginative, uneventful, characterless, featureless, colorless, lifeless, insipid, uninteresting, unexciting, uninspiring, unstimulating, uninvolving, unreadable, unwatchable, jejune, flat, bland, dry, stale, tired, banal, lackluster, stodgy, vapid, monochrome, dreary, humdrum, mundane, mind-numbing, wearisome, tiring, tiresome, irksome, trying, frustrating, informaldeadly, ho-hum, dullsville, dull as dishwater, plain-vanilla and as boring as a one-man play.

  4. Re:Choice is NOT ALWAYS good by colfer · · Score: 4, Insightful

    BoringSSL is a great name and directly addresses what got OpenSSL into trouble most recently, implementing a new protocol parameter based on a student's idea for a degree thesis. Innovation for innovation's sake, that was. Hurriedly applied for some reason.

    And it's not something a website would "use," if you mean a high level protocol akin to "https." It's a library to implement common standards.

  5. Re:How does this help? by bmajik · · Score: 3, Interesting

    Bugs weren't missed in mainline openSSL. Bugs were logged, sat around for years, and didn't get fixed.

    The project management and software engineering practices for openSSL were/are simply not acceptable.

    The code is salvageable. The people and processes that allowed the code to get that way are not.

    "This code under new management"

    --
    My opinions are my own, and do not necessarily represent those of my employer.
  6. Re:Worrysome by drinkypoo · · Score: 4, Insightful

    Diversity is good, especially if they wind up diverging and actually being diverse. Not all implementations wind up being vulnerable to the same attacks, except when there are weaknesses inherent to the protocol. Even then a diverse... crap, I can't think of a non-buzzword to use here, landscape, ecosystem, argh. Sorry. Anyway, where was I? More variants means more approaches are likely to be attempted to solving the same problem, hopefully the best one wins and we get the best approach out of several options instead of whatever the single vendor comes up with.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  7. Re:Choice is NOT ALWAYS good by NotInHere · · Score: 3, Informative

    Compare email (you can choose your provider, but regardless, you can email anyone) vs. social networking (if you choose Facebook and your friend is the one person on Google+, you're out of luck)

    That's one of the reasons why I have email, jabber, and sms (and webrtc), but no social network.

  8. It is hip to be square by ctime · · Score: 5, Informative

    For those having a hard time understanding the naming convention,

    Boring: Not flashy, not exciting, not experimental, not sexy. Performs as expected.

    In other words, exactly how I want my security libraries, my databases, and the other critical infrastructure that runs the planet to be described as. Boring is good. A choice between boring Plain Jane and Simple Sally? Even better. Thank you.

    1. Re:It is hip to be square by Jiro · · Score: 3, Insightful

      And if they called it snoozeSSL, the name doesn't matter. A name is a designation that should enable us to distinguish it from something of a similar kind...

      The point is, though, that this name means jack

      So *you're* the guy who named GIMP..

      Names actually do matter. Think of a name as a type of user interface, and a bad name as an ugly user interface.

      For that matter, think of a name as a way to deal with people, and a poorly named project as showing geekish lack of social skills. Saying "please" serves no function other than making people feel better. It doesn't mean anything more than the name. But that still means a lot, because we're human beings, and doing things with no technological effect is part of how we deal with other human beings.

  9. Re:What a name! by Anonymous Coward · · Score: 5, Funny

    they call it BoringSSL because it contains a backdoor tunneling protocol.

  10. Re:What a name! by swillden · · Score: 5, Informative

    First reactions are generally positive. Theo de Raadt comments, "Choice is good!!."

    The name "BoringSSL."

    I am finding extreme difficulty in liking this name choice. What was Google thinking? Am I alone?

    It's not "What was Google thinking?", it's "What was Adam Langley thinking?". As for what he was thinking, it's pretty simple: Fundamental security components like SSL/TLS should be very, very boring. They're not a place for innovation and experimentation, they're not a place for clever code that demonstrates the author's virtuosity (assuming there is any such place, outside of Obfuscated C contests). They're not a place for exploration of how the C preprocessor can be used to automatically generate much of the codebase (which is something that OpenSSL has done). They're where you want very simple, straightforward, boring implementations of industry best practice algorithms and protocols.

    When it comes to security, boring is good.

    As Langley said in his blog post, the name is aspirational. But it is his goal, to produce a security library which is completely boring. And it's a good thing.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  11. Re:How does this help? by jones_supa · · Score: 3, Informative

    OpenSSL Gets Patch for 4-Year-Old Flaw

    That one had a public CVE sitting for 4 years while nobody took the responsibility to fix it.

  12. Re:Worrysome by NotBorg · · Score: 3, Insightful

    Why not just help the OpenSSL folks strengthen an already great product

    Citation needed.

    --
    I want this account deleted.