The Inquirer-Home

Google forks OpenSSL to make BoringSSL

Alternative will help, not take over
Mon Jun 23 2014, 13:28
Google logo

GOOGLE SOFTWARE ENGINEERS have created a fork of OpenSSL software known as BoringSSL.

Since the revelations surrounding the Heartbleed bug, which put hundreds of thousands of websites at risk earlier this year, a consortium from across the industry launched the Core Infrastructure Initiative to manage the code base of OpenSSL.

In addition to an existing fork called LibreSSL being developed outside the initiative, the BoringSSL fork is designed by Google to include patches from the other two code bases without replacing either one.

The plan is to incorporate BoringSSL into Chromium and Android, feeding back the changes made and bugs found to the main OpenSSL team, which can then choose whether or not to adopt them.

Google has decided to add ever more complex APIs to its source code at its own pace.

Google's Adam Langley wrote on his blog, "We have used a number of patches on top of OpenSSL for many years. Some of them have been accepted into the main OpenSSL repository, but many of them don't mesh with OpenSSL's guarantee of API and ABI stability and many of them are a little too experimental."

Langley emphasised that there are no plans to change Google's relationship with other OpenSSL versions, and that both OpenSSL and LibreSSL will be welcome to use code from BoringSSL and vice versa.

He also made it clear that the name is "aspirational and not yet a promise". Earlier today, we reported that only 9,000 out of 300,000 Heartbleed vulnerable servers have been patched, over two months after the bug was discovered. µ


Share this:

blog comments powered by Disqus
Subscribe to INQ newsletters

Sign up for INQbot – a weekly roundup of the best from the INQ

INQ Poll

Happy new year!

What tech are you most looking forward to in 2015