Google Forks OpenSSL, Announces BoringSSL

An anonymous reader writes Two months after OpenBSD's LibReSSL was announced, Adam Langley introduces Google's own fork of OpenSSL, called BoringSSL. "[As] Android, Chrome and other products have started to need some subset of these [OpenSSL] patches, things have grown very complex. The effort involved in keeping all these patches (and there are more than 70 at the moment) straight across multiple code bases is getting to be too much. So we're switching models to one where we import changes from OpenSSL rather than rebasing on top of them. The result of that will start to appear in the Chromium repository soon and, over time, we hope to use it in Android and internally too." First reactions are generally positive. Theo de Raadt comments, "Choice is good!!."

Yaaaay!

[Anonymous Coward]

Just what I needed this Saturday, the announcement of yet another implementation of SSL by people I do not to trust

oh joy, oh rapture, etc. etc. etc.

Re:Yaaaay!

[TheGratefulNet]

right. google IS the premier spy company. they want ALL your data.

and so, we are supposed to trust google on things about SECURITY and where user TRUST is involved?

scuze me??

Re:Choice is NOT ALWAYS good

[colfer]

BoringSSL is a great name and directly addresses what got OpenSSL into trouble most recently, implementing a new protocol parameter based on a student's idea for a degree thesis. Innovation for innovation's sake, that was. Hurriedly applied for some reason.

And it's not something a website would "use," if you mean a high level protocol akin to "https." It's a library to implement common standards.

Re:Worrysome

[drinkypoo]

Diversity is good, especially if they wind up diverging and actually being diverse. Not all implementations wind up being vulnerable to the same attacks, except when there are weaknesses inherent to the protocol. Even then a diverse... crap, I can't think of a non-buzzword to use here, landscape, ecosystem, argh. Sorry. Anyway, where was I? More variants means more approaches are likely to be attempted to solving the same problem, hopefully the best one wins and we get the best approach out of several options instead of whatever the single vendor comes up with.

Re:It is hip to be square

[Jiro]

And if they called it snoozeSSL, the name doesn't matter. A name is a designation that should enable us to distinguish it from something of a similar kind...

The point is, though, that this name means jack

So *you're* the guy who named GIMP..

Names actually do matter. Think of a name as a type of user interface, and a bad name as an ugly user interface.

For that matter, think of a name as a way to deal with people, and a poorly named project as showing geekish lack of social skills. Saying "please" serves no function other than making people feel better. It doesn't mean anything more than the name. But that still means a lot, because we're human beings, and doing things with no technological effect is part of how we deal with other human beings.

Re:Worrysome

[NotBorg]

Why not just help the OpenSSL folks strengthen an already great product

Citation needed.

Re:Certify it

[Anonymous Coward]

And if you do have a FIPS-certified cryptographic system, thanks to the NSA's shenanigans, the rest of the world now views it with disdain and suspicion, so forget about selling anything to anyone who ISN'T a US government agency.

They can make their own damn crypto, or follow the lead of independent cryptographers leading independent research. Appeasing governments is off the menu.