Google drops OpenSSL in latest Chrome beta

Google is dropping OpenSSL in its latest beta of Chrome. The company is switching to its own forked version, called BoringSSL, in an attempt to streamline security patches and offer better protection to its users.

OpenSSL is the software that’s used online for secure connections: the type you need when using online banking, or transferring information securely. It’s created and maintained as open source software and updated mostly through the work of volunteers.

Despite that, it's one of the most important pieces of software online, and when something goes wrong, such as the recent Heartbleed bug, everyone takes notice.

Google says that, with all the recent security patches added to OpenSSL, the library had become too convoluted to integrate into Chrome, so they are opting for their own in-house version, BoringSSL. Interested users can test the new implementation through the Chromium dev channel.

Finally, Google says it's not trying to replace OpenSSL and that it will continue to support and donate to the open-source project, as well as exchange bug fixes and security patches going forward.

Source: Google via: Engadget | Image via Bitelia


43 Comments


How does everyone just accept all the recent moves that Google is making? They are becoming as bad as Microsoft was in the 90s, making everything in house with a huge market share that they can manipulate people with. Yet people are defending every move they make; it's quite spooky.

When it comes to this specific case at least, Microsoft, Apple, Oracle, the FSF and OpenBSD have their own respective implementations of TLS. Even Mozilla has its own implementation of it, so I don't see how it's such an outrage that Google does too, especially when they'll be submitting patches upstream to OpenSSL.

Google is always taking Open Source projects and modifying them like they invented something new.
First ripping off WebKit, now OpenSSL...

Cesar Mattos said,
Google is always taking Open Source projects and modifying them like they invented something new.
First ripping off WebKit, now OpenSSL...

Ripping off WebKit? How does one rip off open source? WebKit is a fork itself, but I wouldn't call it a rip-off.

Cesar Mattos said,
Google is always taking Open Source projects and modifying them like they invented something new.
First ripping off WebKit, now OpenSSL...

And WebKit was "ripped off" from KDE's KHTML. If it hadn't been, you wouldn't have WebKit.

Not sure where the "like they invented something new" comes into play, though.
Or the "ripping off", for that matter, considering that they've been supporting OpenSSL (and will continue to do so).

I'd bet people would be complaining a lot more if they took control of the OpenSSL project instead of working on a fork and contributing patches upstream.

Cesar Mattos said,
Google is always taking Open Source projects and modifying them like they invented something new.
First ripping off WebKit, now OpenSSL...

I don't see it as ripping off so much as a severe case of NIH Syndrome.

So many engineers are sick with that disease.

Cesar Mattos said,
Google is always taking Open Source projects and modifying them like they invented something new.
First ripping off WebKit, now OpenSSL...

If trolling 8/10

If not, you really need to take off your tinted glasses and get an education in the ecosystem you're talking about. Open source projects merge and diverge as a way of life. The groups involved in WebKit working together have achieved great things. Needs and wants change, and now Google has gone their own way, completely open with their reasons publicly, which is more than they need to do. Even now, as two different projects, Blink and WebKit share patches with each other and can pick and steal what they like, whatever makes their project better.

The same can't be said when Apple forked WebKit from KHTML, however, with it firmly being a one-way relationship. At the time, KDE developers' frustrations with Apple's behavior were well documented online. Apple's forced non-disclosure agreements are also firmly in the spirit of open source. /s

Cesar Mattos said,
Google is always taking Open Source projects and modifying them like they invented something new.
First ripping off WebKit, now OpenSSL...

I guess they technically invented 'profitability' for open source. ;)

FOSS doesn't actually work until you drop the F and throw a profit-driven corporation behind it.

Just once it would be nice to have a nice, mature, non-bashing conversation on here. Oh well, guess that is just a pipe dream.

techbeck said,
Just once it would be nice to have a nice, mature, non-bashing conversation on here. Oh well, guess that is just a pipe dream.

Boy you're in the wrong place.

morden said,
using google chrome is a heartbleed in itself

A BIG amen to that one! :)

recursive said,
Yeah but this is neowin, bashing Google comes first.

Only because the shoe fits!
Now, I have another reason, as if I needed one, not to use this piece of garbage. Never have and never will!

cork1958 said,

Now, I have another reason, as if I needed one, not to use this piece of garbage.

Because Google will be developing their own forked TLS implementation while still funding and contributing patches back to OpenSSL, instead of using NSS as before?

It's not as if other vendors didn't have their own implementations of TLS anyway.
What's the issue here exactly? That Google switched from NSS? That they did so to their own TLS implementation? That they forked a project they were supporting and will continue to support?

This move is, if anything, more beneficial for the OpenSSL project than Google sticking with NSS.

Majesticmerc said,
EDIT: The patches submitted on Monday suggest that NSS was originally replaced with OpenSSL, which has subsequently been replaced with BoringSSL.

https://src.chromium.org/viewv...2=284728&pathrev=284729
https://src.chromium.org/viewv...2=284728&pathrev=284729

etc, etc.

Maybe that is because of this:

https://src.chromium.org/svn/t...rty/openssl/README.chromium
https://groups.google.com/a/ch...ev/gmO3U9HLY3Y/RPGNiQ-NL-YJ

Now that they have forked it makes sense that they'd also use the fork there.

recursive said,
Yeah but this is neowin, bashing Google comes first.

Somehow I feel that this is a downgrade. NSS hasn't had any high-profile vulnerabilities in ages. Sure, it's a bit slower, but it's very stable. I'll stick with Firefox.
Edit: I forgot to mention that Chrome doesn't even do OCSP by default.

Majesticmerc said,
So the only change here is that Android has dropped OpenSSL in Chrome? Am I reading that right?

They dropped NSS in Chromium/Chrome, and also OpenSSL in the Android version. All versions of Chromium/Chrome should eventually use the same libraries (BoringSSL, if that name finally sticks) regardless of the platform.

Ricmacas said,

Edit: I forgot to mention that Chrome doesn't even do OCSP by default.

It uses a local list of revoked certificates that's periodically updated, IIRC.

OCSP only seems to be useful until someone is determined to make it useless by forcing a soft-fail, which I'd guess is precisely when you'd want it to work.

Majesticmerc said,
So the only change here is that Android has dropped OpenSSL in Chrome? Am I reading that right?

Er, no. Android wasn't even mentioned.

ichi said,

They dropped NSS in Chromium/Chrome, and also OpenSSL in the Android version. All versions of Chromium/Chrome should eventually use the same libraries (BoringSSL, if that name finally sticks) regardless of the platform.

Okay that's clearer now.

adrynalyne said,

Er, no. Android wasn't even mentioned.

See Ichi's post with the links. Relevant bits:

The OpenSSL build is not supported on Linux. Chromium and Google Chrome builds use NSS for SSL on all platforms but Android.


This is OpenSSL, the standard SSL/TLS library, which is used *only* in
the following cases:

- For Chrome/Chromium, only on Android to implement SSL/TLS support
(while certificate validation is performed through the platform APIs),
instead of using NSS as on other Linux-based operating systems.

"Finally Google says it's not trying to replace OpenSSL and that they'll continue to support and donate to the open project as well as exchange bug fixes and security patches going forward"
so they replaced it with their own version but they're not trying to replace it... OK, makes sense, no it don't ;P
Using Chrome today is akin to using IE6 way, way back: they develop and fork and create these new 'standards' that no one else is using yet and in turn screw up sites in other browsers.

They aren't replacing OpenSSL with BoringSSL because they weren't even actually using the former in Chromium, but the point anyway is that BoringSSL is not intended to replace the OpenSSL project (as would be the case with LibreSSL).

Do you even know what you're talking about? SSL IS the standard - but there are many implementations, of which OpenSSL is one. Microsoft code their own implementation of SSL, Google (now) code their own, many other companies code their own - it's only companies that can't afford or won't pay for their own coders (to code a SSL implementation) that use a freely-available implementation to implement SSL on their sites and systems.

dingl_ said,

Using Chrome today is akin to using IE6 way, way back: they develop and fork and create these new 'standards' that no one else is using yet and in turn screw up sites in other browsers.

Said no web developer ever.

Same goes for any browser. Anything you do on the internet gets logged in some way or another. Google is just one of the very many that mine data.

Kalint said,

Oh yeah what should I use instead, genius?

basically anything except Chrome - all the other browsers together over the many years of their existence don't have that many privacy, EULA and ethical violations

morden said,

basically anything except Chrome - all the other browsers together over the many years of their existence don't have that many privacy, EULA and ethical violations


Wow great answer. Useless.

TCLN Ryster said,
They haven't really just called it BoringSSL have they? <facepalm>

Maybe it's to deter Hackers? "Oh this BoringSSL? Nothing to see here!" :p

TCLN Ryster said,
They haven't really just called it BoringSSL have they? <facepalm>

Well IIRC it is boring, it's OpenSSL with all the stuff they don't need ripped out.

TCLN Ryster said,
They haven't really just called it BoringSSL have they? <facepalm>

The name is not really enticing, but that's what a TLS implementation should be though. Not flashy, exciting or experimental.

ichi said,

The name is not really enticing, but that's what a TLS implementation should be though. Not flashy, exciting or experimental.

Is a hacker arguably more interested in things named like Ice Cream Sandwich? :/