Google is working on its own version of OpenSSL, an open-source protocol intended to secure and encrypt the transfer of data across the Internet. The new version -- code name BoringSSL -- from the Mountain View, Calif. company will import changes from OpenSSL rather than try and rebuild on top.
The code will begin to appear in the Chromium repository soon. In time, Google hopes to use it in Android, per Google Software Engineer Adam Langley. He explains in a post on his security blog: "We have used a number of patches on top of OpenSSL for many years. Some of them have been accepted into the main OpenSSL repository, but many of them don't mesh with OpenSSL's guarantee of API and ABI stability and many of them are a little too experimental."
OpenSSL took a hit last year after companies discovered that many of the biggest sites worldwide were vulnerable to leaking user information. Earlier this year, Google researchers and Codenomicon engineers discovered the Internet security flaw. The bug compromised the secret keys used to identify service provides and encrypt traffic such as user names and passwords. It prompted quick fixes by companies that own the Web sites and lot of password changes by consumers using the sites.
Robert David Graham from Errata Security found that roughly 600,000 servers were vulnerable to the security flaw at the time, reports CNET. One month later, only half of these servers had patches to protect against the bug, leaving 318,239 exposed.
Langley explains that Google's engineers are not looking to replace OpenSSL, but rather provide an alternative to
strengthen data security. "There are no guarantees of API or ABI stability with this code: we are not aiming to replace OpenSSL as an open-source project," he wrote."We will still be sending them bug fixes when we find them and we will be importing changes from upstream. Also, we will still
be funding the Core Infrastructure Initiative and the OpenBSD Foundation."
"Broken Padlock" photo from Shutterstock.