The Internet Security Research Group, the organisation behind Let’s Encrypt, has announced that it’ll be making the Apache HTTP Server implementation of httpd more secure by incrementally moving core components from C to Rust to address memory safety issues. First, work on a new TLS module for httpd, called mod_tls, will be re-written using the Rustls library in place of OpenSSL.
The ISRG’s Josh Aas said that he hopes the new mod_tls will someday replace mod_ssl that httpd currently uses as the default. The ISRG has secured funding from Google to contract Stefan Eissing – an httpd committer – to write the new module in Rust.
The ISRG has decided to look at httpd because it is used on hundreds of millions of websites every day to serve requests. By fixing issues with it, the security improvements will have a broad impact. The most common types of issues affecting httpd are memory safety issues which arise due to the use of the C programming language being used to write the software. In the last decade, the Rust programming language has matured and by default only lets you compile memory-safe programs; by writing httpd components in this language you eliminate a whole host of vulnerabilities.
Commenting on the role of C and Rust, ISRG’s Josh Aas said:
“We currently live in a world where deploying a few million lines of C code on a network edge to handle requests is standard practice, despite all of the evidence we have that such behavior is unsafe. Our industry needs to get to a place where deploying code that isn’t memory safe to handle network traffic is widely understood to be dangerous and irresponsible. People need memory safe software that suits their needs to be available to them though, and that’s why we’re getting to work.”
One of Apache httpd’s founders, Brian Behlendorf, also commented on the project saying:
“Apache httpd is still a critically important piece of infrastructure, 26 years after its inception. As an original co-developer, I feel a serious revamp like this has the potential to protect a lot of people and keep httpd relevant far into the future.”
The ISRG’s Let’s Encrypt project has already made a huge impact on the internet, ensuring that more sites can offer HTTPS connections to their users which provides a more secure experience.