BoringSSL: Google Creates Its Own OpenSSL After Heartbleed Pain

Google is to start using its own version of OpenSSL., tidying up the encryption standard for the products it uses and not relying entirely on the open source community for the code to work correctly.

The decision has come after the revelations around the infamous Heartbleed bug, an OpenSSL vulnerability that was exploited to acquire encryption keys from web servers.

Adam Langley, a Google software engineer, said managing OpenSSL had become too complex as it was adding a large number of its own patches to ensure it worked across its various services.

BoringSSL in for OpenSSL

It’s now going to rely on BoringSSL instead, but not as a replacement for OpenSSL, code of which it will still use and contribute to. Yet it will also be importing code from other OpenSSL forks, like LibreSSL, as it retakes some control over its encryption.

“As Android, Chrome and other products have started to need some subset of these patches, things have grown very complex. The effort involved in keeping all these patches (and there are more than 70 at the moment) straight across multiple code bases is getting to be too much,” Langley said on his personal blog.

“So we’re switching models to one where we import changes from OpenSSL rather than rebasing on top of them. The result of that will start to appear in the Chromium repository soon and, over time, we hope to use it in Android and internally too.”

Meanwhile, Google has issued a new version of Android KitKat, 4.4.4, which includes a patch for an OpenSSL security issue, but not Heartbleed. Google has delivered a fix for the only vulnerable version, 4.1.1, but it may take time for handset manufacturers to push it out.

Are you a security pro? Try our quiz!

Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

Recent Posts

Craig Wright Sentenced For Contempt Of Court

Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…

2 days ago

El Salvador To Sell Or Discontinue Bitcoin Wallet, After IMF Deal

Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…

2 days ago

UK’s ICO Labels Google ‘Irresponsible’ For Tracking Change

Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…

2 days ago

EU Publishes iOS Interoperability Plans

European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…

3 days ago

Momeni Convicted In Bob Lee Murder

San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…

3 days ago