Please create an account to participate in the Slashdot moderation system


Forgot your password?
Security Android Chrome Chromium Google

Google Forks OpenSSL, Announces BoringSSL 128

An anonymous reader writes Two months after OpenBSD's LibReSSL was announced, Adam Langley introduces Google's own fork of OpenSSL, called BoringSSL. "[As] Android, Chrome and other products have started to need some subset of these [OpenSSL] patches, things have grown very complex. The effort involved in keeping all these patches (and there are more than 70 at the moment) straight across multiple code bases is getting to be too much. So we're switching models to one where we import changes from OpenSSL rather than rebasing on top of them. The result of that will start to appear in the Chromium repository soon and, over time, we hope to use it in Android and internally too." First reactions are generally positive. Theo de Raadt comments, "Choice is good!!."
This discussion has been archived. No new comments can be posted.

Google Forks OpenSSL, Announces BoringSSL

Comments Filter:
  • Yaaaay! (Score:5, Insightful)

    by Anonymous Coward on Saturday June 21, 2014 @09:34AM (#47288129)

    Just what I needed this Saturday, the announcement of yet another implementation of SSL by people I do not to trust

    oh joy, oh rapture, etc. etc. etc.

  • Re:Yaaaay! (Score:3, Insightful)

    by TheGratefulNet ( 143330 ) on Saturday June 21, 2014 @09:58AM (#47288239)

    right. google IS the premier spy company. they want ALL your data.

    and so, we are supposed to trust google on things about SECURITY and where user TRUST is involved?

    scuze me??

  • by colfer ( 619105 ) on Saturday June 21, 2014 @10:11AM (#47288291)

    BoringSSL is a great name and directly addresses what got OpenSSL into trouble most recently, implementing a new protocol parameter based on a student's idea for a degree thesis. Innovation for innovation's sake, that was. Hurriedly applied for some reason.

    And it's not something a website would "use," if you mean a high level protocol akin to "https." It's a library to implement common standards.

  • Re:Worrysome (Score:5, Insightful)

    by drinkypoo ( 153816 ) <> on Saturday June 21, 2014 @10:23AM (#47288355) Homepage Journal

    Diversity is good, especially if they wind up diverging and actually being diverse. Not all implementations wind up being vulnerable to the same attacks, except when there are weaknesses inherent to the protocol. Even then a diverse... crap, I can't think of a non-buzzword to use here, landscape, ecosystem, argh. Sorry. Anyway, where was I? More variants means more approaches are likely to be attempted to solving the same problem, hopefully the best one wins and we get the best approach out of several options instead of whatever the single vendor comes up with.

  • by Jiro ( 131519 ) on Saturday June 21, 2014 @11:28AM (#47288635)

    And if they called it snoozeSSL, the name doesn't matter. A name is a designation that should enable us to distinguish it from something of a similar kind...

    The point is, though, that this name means jack

    So *you're* the guy who named GIMP..

    Names actually do matter. Think of a name as a type of user interface, and a bad name as an ugly user interface.

    For that matter, think of a name as a way to deal with people, and a poorly named project as showing geekish lack of social skills. Saying "please" serves no function other than making people feel better. It doesn't mean anything more than the name. But that still means a lot, because we're human beings, and doing things with no technological effect is part of how we deal with other human beings.

  • Re:Worrysome (Score:4, Insightful)

    by NotBorg ( 829820 ) on Saturday June 21, 2014 @02:53PM (#47289429)

    Why not just help the OpenSSL folks strengthen an already great product

    Citation needed.

  • Re:Certify it (Score:2, Insightful)

    by Anonymous Coward on Saturday June 21, 2014 @05:41PM (#47289969)

    And if you do have a FIPS-certified cryptographic system, thanks to the NSA's shenanigans, the rest of the world now views it with disdain and suspicion, so forget about selling anything to anyone who ISN'T a US government agency.

    They can make their own damn crypto, or follow the lead of independent cryptographers leading independent research. Appeasing governments is off the menu.

1 Mole = 007 Secret Agents