BoringSSL wants to kill the excitement that led to Heartbleed

Bored girl

Bored girlSome things just aren’t meant to be exciting. In fact, some things are supposed to be so far from novelty, surprise and frivolity that any whiff of excitement at all is a bad sign indeed.

In my world, elevators should operate with humdrum predictability, suspension bridges should not be zany and bankers ought to behave like accountants rather than croupiers.

The software that drove the Space Shuttle was famously specified, checked, tested and re-tested until every last drop of free-wheeling joie de vivre was drained from its 420,000 lines (and, no doubt, from the people who wrote them).

NASA knew that in order for us to do exciting things in space we ought to make getting there as dull as we could.

And it’s the same with the pillars of software infrastructure that keep up the internet – they are supposed to be the doughty columns that go unnoticed but upon which a universe of  interesting things can be buit.

One such pillar is the stalwart OpenSSL library – a bit of encryption software whose immense popularity means that it bears a great deal of weight indeed.

Earlier this year a crack appeared in that particular pillar which was worrisome enough to get everyone’s heart racing.

The crack, a buffer overflow bug, caused the software almost everyone was using to secure secret things like passwords, session keys and private data to actively disgorge secret things like passwords, session keys and private data.

A great deal of excitement ensued and a piece of software that should have had no truck with limelight found itself centre stage on the 11 o’clock news.

To make matters worse, the bug – which would normally get away with a fabulously dull name like CVE-2014-0160 – ended up with a cracking moniker; Heartbleed.

Until that moment OpenSSL had enjoyed a long history of being just as dull as it should have been.

We now know that we were all guilty of assuming it was dull. It wasn’t. There were plenty of things to set pulses racing in OpenSSL, it just seemed like there wasn’t because almost nobody was actually looking at the code to find out.

The internet can’t be built on the faux mundanity of OpenSSL, what’s needed is something genuinely uncool.

Thankfully Google’s Adam Langley has something in mind; it’s called BoringSSL and it aims to do exactly what it says on the tin.

BoringSSL is a version of OpenSSL that has diverged so much from its parent that it’s now become a distinct entity in its own right.

According to Langley, Google has for years been routinely patching OpenSSL before using it. Some of the patches have been accepted back into OpenSSL proper but many more of them haven’t.

The burden of keeping Google’s patch set in sync with OpenSSL has now become so great they’ve decided to fork the code.

... things have grown very complex. The effort involved in keeping all these patches (and there are more than 70 at the moment) straight across multiple code bases is getting to be too much.

The project will continue to exchange code with OpenSSL where possible but, perhaps more importantly, they will also be free to share code with LibreSSL, another recently announced attempt to bring dullness and sobriety to the beleaguered crypto code.

Theo de Raadt, founder of the OpenBSD team behind LibreSSL, welcomed the news:

I suspect everyone working on LibReSSL is happy to hear the news about BoringSSL. Choice is good!!

And of course he’s right.

Choice, competition and cooperation between three teams of not too shabby security experts should result in higher quality code, safer data and software that really is as boring as it seems.

Of course, calling something boring doesn’t make it so and Langley himself describes the name as an ‘aspiration’.

I guess we’ll only know if he’s succeeded if we’ve got better things to do than take any notice.

Image of bored girl courtesy of Shutterstock.