Why Google is developing its own version of OpenSSL

Data Jimmy Nicholls

09:53, June 23 2014


The search engine has not given up on open source just yet.

Google is developing its own version of OpenSSL.

BoringSSL will import changes from the open source security layer rather than rebuilding on it, and is intended to be used within the company on products such as Android.

Adam Langley, a software engineer at the search engine, said: "We have used a number of patches on top of OpenSSL for many years.

"Some of them have been accepted into the main OpenSSL repository, but many of them don't mesh with OpenSSL's guarantee of API and ABI stability and many of them are a little too experimental."

He said the project will not act as an open source replacement for OpenSSL, the development of which Google will still be funding as part of its support of the Linux Foundation's work on the security layer.

"We'll also be more able to import changes from LibreSSL and they are welcome to take changes from us," he added.

"We have already relicensed some of our prior contributions to OpenSSL under an ISC licence at their request and completely new code that we write will also be so licensed."

An Internet Software Consortium (ISC) licence allows developers free reign to use, copy and modify software, and is the preferred licence of the OpenBSD foundation, creators of the eponymous operating system.

OpenSSL has had a difficult year after it was revealed many of the biggest sites on the web were vulnerable to leaking user credentials, prompting a spate of patching and advice to users to change their passwords.

Source: Company Press Release

get a cbr Cyber Security weekly update

Terms & Conditions & Privacy Policy.


Post a comment

Comments may be moderated for spam, obscenities or defamation.