Google Forks OpenSSL, Announces BoringSSL

An anonymous reader writes Two months after OpenBSD's LibReSSL was announced, Adam Langley introduces Google's own fork of OpenSSL, called BoringSSL. "[As] Android, Chrome and other products have started to need some subset of these [OpenSSL] patches, things have grown very complex. The effort involved in keeping all these patches (and there are more than 70 at the moment) straight across multiple code bases is getting to be too much. So we're switching models to one where we import changes from OpenSSL rather than rebasing on top of them. The result of that will start to appear in the Chromium repository soon and, over time, we hope to use it in Android and internally too." First reactions are generally positive. Theo de Raadt comments, "Choice is good!!."

Yaaaay!

Just what I needed this Saturday, the announcement of yet another implementation of SSL by people I do not to trust

oh joy, oh rapture, etc. etc. etc.

Re:Yaaaay!

[grub]

Google SSL... Now with a side channel for ads.

Re:Yaaaay!

[Megane]

Yes. Because they don't want anyone else to have that data that they have gone to such effort to collect.

Or at least not without paying for it.

Re:How will they address the attitude problem?

[colfer]

Maybe by assigning people to the project who have not chosen security as a career field. On the Mozilla commits I used to follow, the personalities in the security arena were a different kettle of fish from the other developers. They had to maintain FIPS compliance, so were conservative about changes, but it was more than that. Not to mention, there's a possibility of workers with ulterior motives. All the more reason to develop a wider community than just self-selected specialists.

The billion dollar companies can afford it, and should have a long time ago.

Re:What a name!

[ArcadeMan]

I was about to write a witty reply to your comment, however the result would not have been interesting, tedious to read, dull, monotonous, repetitive, unrelieved, unvaried, unimaginative, uneventful, characterless, featureless, colorless, lifeless, insipid, uninteresting, unexciting, uninspiring, unstimulating, uninvolving, unreadable, unwatchable, jejune, flat, bland, dry, stale, tired, banal, lackluster, stodgy, vapid, monochrome, dreary, humdrum, mundane, mind-numbing, wearisome, tiring, tiresome, irksome, trying, frustrating, informaldeadly, ho-hum, dullsville, dull as dishwater, plain-vanilla and as boring as a one-man play.

Re:Choice is NOT ALWAYS good

[colfer]

BoringSSL is a great name and directly addresses what got OpenSSL into trouble most recently, implementing a new protocol parameter based on a student's idea for a degree thesis. Innovation for innovation's sake, that was. Hurriedly applied for some reason.

And it's not something a website would "use," if you mean a high level protocol akin to "https." It's a library to implement common standards.

Re:Worrysome

[drinkypoo]

Diversity is good, especially if they wind up diverging and actually being diverse. Not all implementations wind up being vulnerable to the same attacks, except when there are weaknesses inherent to the protocol. Even then a diverse... crap, I can't think of a non-buzzword to use here, landscape, ecosystem, argh. Sorry. Anyway, where was I? More variants means more approaches are likely to be attempted to solving the same problem, hopefully the best one wins and we get the best approach out of several options instead of whatever the single vendor comes up with.

It is hip to be square

[ctime]

For those having a hard time understanding the naming convention,

Boring: Not flashy, not exciting, not experimental, not sexy. Performs as expected.

In other words, exactly how I want my security libraries, my databases, and the other critical infrastructure that runs the planet to be described as. Boring is good. A choice between boring Plain Jane and Simple Sally? Even better. Thank you.

Re:What a name!

they call it BoringSSL because it contains a backdoor tunneling protocol.

Re:What a name!

[swillden]

First reactions are generally positive. Theo de Raadt comments, "Choice is good!!."

The name "BoringSSL."

I am finding extreme difficulty in liking this name choice. What was Google thinking? Am I alone?

It's not "What was Google thinking?", it's "What was Adam Langley thinking?". As for what he was thinking, it's pretty simple: Fundamental security components like SSL/TLS should be very, very boring. They're not a place for innovation and experimentation, they're not a place for clever code that demonstrates the author's virtuosity (assuming there is any such place, outside of Obfuscated C contests). They're not a place for exploration of how the C preprocessor can be used to automatically generate much of the codebase (which is something that OpenSSL has done). They're where you want very simple, straightforward, boring implementations of industry best practice algorithms and protocols.

When it comes to security, boring is good.

As Langley said in his blog post, the name is aspirational. But it is his goal, to produce a security library which is completely boring. And it's a good thing.