Google has announced that it is working on its own fork of the OpenSSL project. This announcement means that there are now three projects working off the OpenSSL code, although Google’s own version is apparently a stripped-down variant that lacks many of the application programming interfaces (APIs) and application binary interfaces (ABIs).
Called BoringSSL, the new version of the cryptographic library comes as the internet is still recovering from the Heartbleed vulnerability that threatened more than two-thirds of users. It should be noted that Google itself was using OpenSSL when Heartbleed was discovered, so it is no surprise that the company is taking steps to ensure that it does not get caught in the same situation again.
This is not the only fork of the OpenSSL project, as developers of the OpenBSD operating system had earlier announced their own version known as LibreSSL. These developers reasoned that Heartbleed had damaged OpenSSL beyond repair, and the only option would be to rebuild the cryptographic standard.
Google’s BoringSSL will still contribute patches and bug fixes to the original OpenSSL project, which has security experts and enthusiasts wondering what the differences will be between the versions. It is also unclear which of the three would be useful in a particular situation. At best, though, the additional versions will provide more options for servers and websites to secure themselves if another Heartbleed situation arises.
[Source: Ars Technica]