Security Sidebar: LibreSSL is forking OpenSSL

The Heartbleed vulnerability revealed a serious flaw in the way OpenSSL is implemented.  One could argue that this flaw was big enough on its own to cause users to abandon OpenSSL.  Or, maybe some users had experienced previous frustrations with OpenSSL, and the Heartbleed bug was what sent them over the edge and on their way to search for a different toolkit for implementing SSL/TLS.  One specific group of software developers claim they aren't gonna take it anymore.  And they built a crappy website to prove it.  LibreSSL is clearly distraught over the recent problems with OpenSSL, and they're doing something about it.

Libre: denotes "the state of being free" as in "having freedom" or "liberty"

Maybe they chose the word "Libre" because their version of the SSL/TLS protocol is free (but so is OpenSSL), or maybe it's because they want to be free from the recent problems with OpenSSL.  Either way, LibreSSL is forking the OpenSSL code and going their separate way.  LibreSSL is primarily developed by the OpenBSD Project and is supported financially by the OpenBSD Foundation and the OpenBSD Project.  You too could donate to their cause!  They are so focused on code development that they even built their webpage to annoy "web hipsters".  The only way to stop the madness of their current web design is to donate to their cause.

The LibreSSL project wants to remove a large portion of OpenSSL code that is of very limited interest to most users or that was scheduled to be removed by the OpenSSL team but never was.  Theo de Raadt, founder of OpenBSD, said that the project has already removed 90,000 lines of C code and 150,000 lines of content from the OpenSSL code.  As of this writing, they also have almost 3,100 commits.  But even with all those changes, he claims that the LibreSSL codebase is still API compatible.  F5's own David Holmes posed a great question related to this code change: "So much code is changing, and LibreSSL developers say the API is still compatible, but what exactly are they doing?"

The Struggles of OpenSSL

The purpose of the OpenSSL project (started in 1998) was to develop a robust and Open Source toolkit that implements SSL/TLS and provides a full-strength cryptography library that is managed by the OpenSSL community.  The OpenSSL project was historically volunteer driven, and doesn't have any specific requirements to become a volunteer other than a strong willingness to contribute while following the project's goals.  The current staff consists of 8 active members...one from the US and all the others from Europe.  The project has an annual budget of less than $1 million, and at least part of their budget comes from donations.  You might think that a team of 8 people with less than $1 million per year would not make much of an impact in today's high-tech world, but the truth is that, as of this year (2014), two-thirds of all webservers on the Internet use OpenSSL!  The other truth is that a small team of underpaid (albeit very intelligent and competent) staff members and a host of volunteers will miss things from time to time (sometimes really BIG things).  All the software is open-source, so you could evaluate and test it prior to using it on your webservers, but most companies just trust that it will work...and work correctly.  Let's be honest, even if you did crack open the code, your company probably doesn't have anyone on staff to figure out what it's doing anyway. 

The OpenSSL team is dedicated to their important work, but it's hard to keep up when you have such a small staff and a very limited budget.  In fact, the OpenSSL Software Foundation President (Steve Marquess) recently spoke about the staff and said "these guys don’t work on OpenSSL for money. They don’t do it for fame.  They do it out of pride in craftsmanship and the responsibility for something they believe in.  I stand in awe of their talent and dedication..."  Marquess went on to call out the big companies who rely on OpenSSL but never provide funding to their team.  "I’m looking at you, Fortune 1000 companies. The ones who include OpenSSL in your...products that you sell for profit...The ones who have never lifted a finger to contribute to the open source community that gave you this gift. You know who you are."

Theo de Raadt (Mr. OpenBSD) has a slightly different view of this team, claiming "OpenSSL is not developed by a responsible team."

Theo versus Steve...you decide who is right.  Frankly, I can see the point from both guys.

Unanswered Questions...

As the LibreSSL project forks OpenSSL, we are left with some intriguing and important questions.  David Holmes sent me a list of thought-provoking questions, and I wanted to include them in this article.

  1. As LibreSSL digs through the OpenSSL code, will they find any other major vulnerabilities like Heartbleed?
  2. What if the OpenSSL team doesn’t accept all the changes from LibreSSL?
  3. Who is going to “resolve” changes from OpenSSL into LibreSSL moving forward?
  4. Are the library names in LibreSSL going to stay the same as OpenSSL?  If so, does that mean they are mutually exclusive?

Software forking is not always a bad thing, but many times it creates competing projects that split the developer community.  There's no overarching governing body that can mandate standardization and harmony between these two groups.  In the end, you might have to decide which way to go...stick with OpenSSL or switch to LibreSSL.  I suspect OpenSSL will stay in place until a major company adopts LibreSSL and paves the way for change.  But in the end, will LibreSSL suffer the same fate as OpenSSL with little funding and limited staff support?  We shall see...

Published May 05, 2014
Version 1.0