
OpenSSL replacement in the works post-Heartbleed fallout

Canadian non-profit organisation confirms work has already begun on replacing "outdated" OpenSSL code


The OpenBSD Foundation has started work on LibreSSL, a replacement for the OpenSSL library that secures much of the internet, in the wake of the Heartbleed bug.

"This is about realising belatedly that code we thought of good quality was not even decent, and ended up becoming too complex and unmaintainable," wrote one developer.

"So now we are hurrying to remove everything in the way of exposing the concrete guts of the code, fixing the bad practices inherited from the way we were doing security 15+ years ago, and making sure we do not break basic functionality in the process."

LibreSSL is a fork of OpenSSL, the cryptographic library used by roughly two-thirds of internet servers and by most internet communication protocols.

OpenSSL was recently found to contain the Heartbleed vulnerability, a missing bounds check in its TLS heartbeat extension that let an attacker read chunks of a server's memory, leaving government databases, email, VPNs, and even sites like Google and Yahoo exposed.

The OpenBSD Foundation is building LibreSSL as an alternative, cleaned-up version of OpenSSL intended to better secure internet communications.

OpenSSL is a popular open source project maintained by a small team of developers. It provides the SSL/TLS encryption used by many programs and websites.

Users have cited Heartbleed as a reason to donate time or money to OpenSSL development and to hunt for further bugs in it.

Rather than patch OpenSSL in place, the OpenBSD Foundation's developers have opted to fork it and strip out or rewrite large parts of the code because of its poor quality.

"I wonder if their motto is 'If you can't solve a problem, at least try to do it badly'," one developer commented after reviewing a piece of OpenSSL's code.

"You do not want to do the things this program does," echoed another.

LibreSSL support for Mac, Windows and other operating systems is "coming soon." The team says it will add more platforms once LibreSSL is stable enough and they have a ready porting team.

For now, the OpenBSD Foundation's focus is on developing LibreSSL for version 5.6 of its own operating system.

Until other platforms are supported, the lack of portable builds makes LibreSSL a hard sell for most PC users.

"The whole point of OpenSSL was that it runs everywhere," wrote one commenter. "If we're going to write a shiny new version, let's at least try to hit the major platforms."
