Dropping Mozilla NSS for BoringSSL, an internal fork of OpenSSL and LibreSSL.

For years, Google’s Chrome browser on many platforms has relied on Mozilla’s Network Security Services (NSS) to provide secure Web connections. And earlier this year, that reliance appeared to become a very good thing, with the disclosure of OpenSSL’s Heartbleed vulnerability. But Google had also used OpenSSL as the encryption engine for Chrome on some versions of Android, creating a security crisis for many of Chrome’s mobile users.

Ironically, Heartbleed played out as Google engineers had come to the conclusion that they needed to switch development of Chrome on all platforms to OpenSSL. “Switching to OpenSSL, however, has the opportunity to bring significant performance and stability advantages to iOS, Mac, Windows, and ChromeOS immediately out of the gate,” wrote Ryan Sleevi in a draft design paper in January that was heavily referenced across the Chrome and open-source Chromium developer community.

In the wake of Heartbleed, however, OpenSSL’s benefits have apparently been outweighed by its baggage. On June 20, Google Senior Staff Engineer Adam Langley announced that Google was moving to create its own clean version of OpenSSL, called BoringSSL—boring, as in a lack of exciting vulnerabilities.

Now Google has committed to using BoringSSL instead of NSS in future versions of Chrome, across all its platforms. In a revision posted to the Chromium version control site, Google developer David Benjamin simply announced the change as “Switch to BoringSSL.”

“This is a much larger change than its diff [the changed files in the source] suggests,” Benjamin wrote. “If it breaks something, please revert first and ask questions later.”

It’s a change with huge ramifications for both Chrome code and the future of projects like OpenSSL and the nascent LibreSSL project—both of which Google is drawing from to create BoringSSL. While BoringSSL could provide more stability and consistency in how Chrome provides secure connections across different platforms, the fact that BoringSSL is drawing on the work of two open source, freely licensed projects could reduce financial and development resource support for those efforts in the future. Adam Langley says that bug fixes to code taken from the two projects will be re-contributed and that BoringSSL isn't intended as a replacement for the OpenSSL project, but it may turn out to be a de facto replacement.