Google has published its own fork of the widely used crypto library OpenSSL to support its own products and infrastructure.
With a swag of “patches” that Google has used to customise OpenSSL for Chrome and Android, the search company has decided it’s better off forking the open source project to support its own needs, calling its effort “BoringSSL”.
OpenSSL of course came to the public’s attention during this year’s enormous effort to close off the Heartbleed bug, which exposed websites and secure infrastructure to potentially serious attacks. Earlier this month the OpenSSL project released patches for flaws that could allow attackers to intercept and decrypt secure sockets layer (SSL) encrypted traffic.
Google’s OpenSSL fork follows OpenBSD’s post-Heartbleed move to create its own version of OpenSSL, LibreSSL.
While OpenBSD’s effort was to prevent a repeat of Heartbleed, Google’s fork is a little more mundane, according to Google security engineer Adam Langley, who said BoringSSL was a matter of house-keeping.
“We have used a number of patches on top of OpenSSL for many years. Some of them have been accepted into the main OpenSSL repository, but many of them don’t mesh with OpenSSL’s guarantee of API and ABI stability and many of them are a little too experimental,” noted Langley.
“But as Android, Chrome and other products have started to need some subset of these patches, things have grown very complex. The effort involved in keeping all these patches (and there are more than 70 at the moment) straight across multiple code bases is getting to be too much.”
Google isn’t attempting to duplicate the LibreSSL effort: it will still contribute bug fixes to OpenSSL and import changes from both OpenSSL and OpenBSD’s LibreSSL, which Langley noted is “welcome to take changes from us.”
Langley noted that Google will still be funding the Core Infrastructure Initiative, an industry initiative announced in the wake of Heartbleed (and backed by Cisco, Facebook, Google, the Linux Foundation and others) to better fund projects such as OpenSSL that affect critical infrastructure.