BoringSSL is Google's new, independent “fork” of OpenSSL

With developers still struggling to plug vulnerabilities in the open source OpenSSL crypto library, Google has spun off a new fork of the project based on its own, internal work with the code, dubbed BoringSSL. “We have used a number of patches on top of OpenSSL for many years,” Google dev Adam Langley said in a blog post announcing the effort. “Some of them have been accepted into the main OpenSSL repository, but many of them don’t mesh with OpenSSL’s guarantee of API and ABI stability and many of them are a little too experimental.” Google uses its hacked-on version of OpenSSL in Chrome, Android, and various other things, but that has meant maintaining and patching multiple code bases. BoringSSL marks the beginning of an attempt to unify Google’s code into a single, consistent library that can be shared across many projects.

Google is releasing its own independently developed “fork” of OpenSSL, the widely used cryptography library that came to international attention following the Heartbleed vulnerability, which threatened hundreds of thousands of websites with catastrophic attacks. The unveiling of BoringSSL, as the Google fork has been dubbed, means there will be three separate versions of OpenSSL, which is best known for implementing the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols on an estimated 500,000 websites. Developers of the OpenBSD operating system took the wraps off LibreSSL a few weeks after Heartbleed surfaced. Google is taking pains to ensure BoringSSL won’t unnecessarily compete or interfere with either of those independent projects. Among other things, the company will continue to back the Core Infrastructure Initiative, which is providing $100,000 in funding to OpenSSL developers so they can refurbish their badly aging code base. “But we’ll also be more able to import changes from LibreSSL and they are welcome to take changes from us,” Adam Langley, a widely respected cryptography engineer and Google employee, wrote in a blog post introducing BoringSSL. “We have already relicensed some of our prior contributions to OpenSSL under an ISC license at their request and completely new code that we write will also be so licensed.”
