OpenSSL replacement in the works post-Heartbleed fallout

News 22 Apr, 2014

Canadian non-profit organisation confirms work has already begun on replacing "outdated" OpenSSL code

The OpenBSD Foundation has started work on a new version of the OpenSSL software that secures most of the internet in the wake of the Heartbleed bug.

“This is about realising belatedly that code we thought of good quality was not even decent, and ended up becoming too complex and unmaintainable,” wrote one developer.

“So now we are hurrying to remove everything in the way of exposing the concrete guts of the code, fixing the bad practices inherited from the way we were doing security 15+ years ago, and making sure we do not break basic functionality in the process.”

LibreSSL is a forked version of OpenSSL, the encryption software used in two-thirds of internet servers and most internet communication protocols.

OpenSSL was recently compromised by the Heartbleed vulnerability, leaving government databases, email, VPNs, and even sites like Google and Yahoo open to hacking.

The OpenBSD Foundation is building LibreSSL as an alternate, more up-to-date version of OpenSSL to better secure internet communications.

OpenSSL is a popular open source project created by a small community of users. It powers the SSL/TLS encryption used by many programs and websites.

Its users cited Heartbleed as reason to donate time or money to work on OpenSSL and look for bugs.

The OpenBSD Foundation developers have opted to rewrite OpenSSL’s code entirely because of its poor quality.

“I wonder if their moto [sic] is ‘If you can’t solve a problem, at least try to do it badly,” one developer commented after reviewing a piece of OpenSSL’s code.

“You do not want to do the things this program does,” echoed another.

LibreSSL support for Mac, Windows and other operating systems is “coming soon.” The team says it will add more platforms once LibreSSL is stable enough and they have a ready porting team.

The OpenBSD Foundation wants to keep working to develop the software for version 5.6 of its own operating system.

The compatibility issues make LibreSSL a hard sell for most PC users.

“The whole point of OpenSSL was that it runs everywhere,” wrote one commenter. “If we’re going to write a shiny new version, let’s at least try to hit the major platforms.”