OpenSSL Project publishes roadmap to counter criticism

The project plans to implement code reviews, fix poor coding and have better documentation

By , IDG News Service |  Security

The OpenSSL Project is planning a number of changes to ensure its security component, used across millions of computers across the Internet, is in tip-top shape.

OpenSSL is an open-source code library that encrypts communications between a computer and a server using SSL/TLS (Secure Sockets Layer/Transport Layer Security). It is a fundamental defense for keeping e-commerce transactions, email and other data unreadable if the traffic is intercepted.

Confidence in OpenSSL was shaken in April after a two-year-old software vulnerability called "Heartbleed" was discovered that could allow an attacker to decrypt intercepted traffic or obtain data such as logins and passwords from servers.

The project has since come under heavy scrutiny, with critics noting the project was meagerly funded and staffed despite OpenSSL's wide use in a variety of software.

OpenSSL's roadmap is intended to counter the view that it is "slow-moving and insular," according to a post on the project's website.

Among the ongoing problems that the project plans to fix are a lack of code reviews, an inconsistent coding style, poor documentation, no platform strategy and no regular release cycle, according to the roadmap.

The group also plans to look at a large number of issues raised in its bug tracking system, many of which have never been reviewed.

Frustration with the OpenSSL Project led to the launch of a fork of the project called LibreSSL, which has been fixing bugs and rewriting bumpy parts of the OpenSSL code.

Google also announced it is developing its own fork of the software called "BoringSSL" that is more appropriate for its own projects. The company plans to strip out unneeded APIs (application programming interfaces) and ABIs (application binary interfaces) included in OpenSSL.

Google said it planned to share information on bugs it finds with LibreSSL and the OpenSSL Project.

Major technology companies also realized the need to shore up the OpenSSL Project, which the companies will support under the Core Infrastructure Initiative, a project designed to aid underfunded but important open-source projects.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk

Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

SecurityWhite Papers & Webcasts

See more White Papers | Webcasts

Answers - Powered by ITworld

ITworld Answers helps you solve problems and share expertise. Ask a question or take a crack at answering the new questions below.

Ask a Question
randomness