OpenSSL Project publishes roadmap to counter criticism
The OpenSSL Project is planning a number of changes to ensure its security component, used across millions of computers across the Internet, is in tip-top shape.
OpenSSL is an open-source code library that encrypts communications between a computer and a server using SSL/TLS (Secure Sockets Layer/Transport Layer Security). It is a fundamental defense for keeping e-commerce transactions, email and other data unreadable if the traffic is intercepted.
Confidence in OpenSSL was shaken in April after a two-year-old software vulnerability called ”Heartbleed” was discovered that could allow an attacker to decrypt intercepted traffic or obtain data such as logins and passwords from servers.
The project has since come under heavy scrutiny, with critics noting the project was meagerly funded and staffed despite OpenSSL’s wide use in a variety of software.
OpenSSL’s roadmap is intended to counter the view that it is “slow-moving and insular,” according to a post on the project’s website.
Among the ongoing problems that the project plans to fix are a lack of code reviews, an inconsistent coding style, poor documentation, no platform strategy and no regular release cycle, according to the roadmap.
The group also plans to look at a large number of issues raised in its bug tracking system, many of which have never been reviewed.
Frustration with the OpenSSL Project led to the launch of a fork of the project called LibreSSL, which has been fixing bugs and rewriting bumpy parts of the OpenSSL code.
Google also announced it is developing its own fork of the software called ”BoringSSL” that is more appropriate for its own projects. The company plans to strip out unneeded APIs (application programming interfaces) and ABIs (application binary interfaces) included in OpenSSL.
Google said it planned to share information on bugs it finds with LibreSSL and the OpenSSL Project.
Major technology companies also realized the need to shore up the OpenSSL Project, which the companies will support under the Core Infrastructure Initiative, a project designed to aid underfunded but important open-source projects.