The Internet Security Research Group has announced that Google has provided funding for Rust developer Dirkjan Ochtman to make improvements to Rustls, a memory-safe alternative to OpenSSL. This funding is linked to the news we reported back in February that the ISRG will be making Apache HTTP Server’s implementation of httpd more secure by using Rustls in its components.
According to ISRG, many SSL/TLS libraries have a long history of security issues due to them being written in C. By using Rust for Rustls, the developers can ensure that the code is memory-safe which will reduce the number of security issues significantly.
Commenting on the news, Dan Lorenc, a security software engineer at Google, said:
“We all depend on open source software to build the fabric of the internet and so we all have a responsibility to protect and sustain these technologies so that innovation can continue to flourish. Supporting ISRG and Dirkjan’s work on Rustls is one important step in that direction and we invite others to join us in building a safer internet.”
Ochtman will be making several improvements to Rustls when he gets started including:
- Enforce a no-panic policy to eliminate the potential for undefined behavior when Rustls is used across the C language boundary.
- Improve the C API so that Rustls can even more easily be integrated into existing C-based applications. Merge the C API into the main Rustls repository.
- Add support for validating certificates that contain IP address in the subject alternate name extension.
- Make it possible to configure server-side connections based on client input. These improvements should make Rustls a more attractive option for many projects.
As the ISRG begins to port more important online infrastructure over to Rust, the security vulnerabilities linked to C and other memory-unsafe languages should start to decrease ultimately leading to greater security for users.