For all the talk about how something should be done to fix OpenSSL so that a Heartbleed situation is never again repeated, there has been little to no concrete action so far.
The question of whether the popular (and predominant) SSL/TLS library should be fixed or rewritten has already been raised, and the various aspects of the matter (Who? With what funds? How long will it take?) have been analyzed by Aaron Bedra, principal consultant at Cigital, who assumed the creation of such a library from scratch.
But late last week, the members of the OpenBSD project, which develops the well-known OpenBSD operating system, OpenBSD Secure Shell, and other popular open-source software packages, have announced they have begun working on a free version of the SSL/TLS protocol.
They are not starting from scratch, but have forked OpenSSL – i.e. have taken a copy of the library source code and have been reviewing, cleaning and rewriting it – to create a new, more secure option which they have dubbed LibreSSL.
Larry Seltzer reports that OpenBSD’s famous founder and project leader Theo de Raadt confirmed that they have already removed 90,000 lines of C code and 150,000 lines of content. “Some of that is indentation, because we are trying to make the code more comprehensible,” he added.
“99.99% of the community does not care for VMS support, and 98% do not care for Windows support,” he also noted. “They care for POSIX support, so that the Unix and Unix derivatives can run. They don’t care for FIPS. Code must be simple. Even after all those changes, the codebase is still API compatible. Our entire ports tree (8700 applications) continue to compile and work, after all these changes.”
The LibreSSH project is supported financially by The OpenBSD Foundation and by The OpenBSD Project, so they are asking for support via donations.
“We know you all want this tomorrow. We are working as fast as we can but our primary focus is good software that we trust to run ourselves. We don’t want to break your heart,” the team noted.
It’s too soon to tell if the project will be sustainable and successful. OpenBSD developers are considered by many to be authors of simple and secure code, and this could be a good idea since the OpenSSL team has been having long-standing troubles when it comes to funding.
“The good news though definitely is that the OpenSSL code is being looked at, carefully and expertly, and everyone will be better off for it,” commented SANS ISC handler Daniel Wesemann.
The merits of the project are currently being lively debated on Hacker News, and details about the code change and project development can be actively followed on the independent OpenSSL Valhalla Rampage blog.