Google Tink

OpenSSL Nearly Ripped The Internet Apart … So Meet Google Tink


After Heartbleed there were some serious questions asked of OpenSSL. How could something so fundamental to the security of the Internet be allowed to run on old code? How could a library so important to trust on the Internet be maintained by just a few part-time people? And how can we link our cryptography into Cloud-based key management?

The Legacy of OpenSSL

OpenSSL is commonly used by Linux-based servers to implement SSL/TLS connections, and bugs in it are common. While zero-days and critical bugs are not as common as they were in the past, two were published recently.

OpenSSL was started with Eric A Young and Tim Hudson, in Dec 1998, who created the first version of OpenSSL (SSLeay, for SSL Eric A Young). This became Version 0.9.1. Eric finished his research and left to go off to Cryptsoft (www.cryptsoft.com), later joining RSA Security, where he is currently a Distinguished Engineer. After Eric left, it was then left to Steve Marquess (from the US) and Stephen Henson (from the UK) to continue its development through the OpenSSL Software Foundation (OSF).

The code continued to grow, with TLS support added to 1.0.1a on 14 March 2012. Unfortunately, a bug appeared on 1 Jan 2012 in the code which implemented the Heartbeat protocol (RFC


Prof Bill Buchanan OBE FRSE
ASecuritySite: When Bob Met Alice

Professor of Cryptography. Serial innovator. Believer in fairness, justice & freedom. Based in Edinburgh. Old World Breaker. New World Creator. Building trust.