After Heartbleed, OpenSSL Is Forked Into LibreSSL

NEWS ANALYSIS: In open-source, when things go wrong, forks happen. The forking of OpenSSL is a direct response to the Heartbleed vulnerability.

Heartbleed bug

The OpenSSL project has come under intense scrutiny in recent weeks due to the Heartbleed vulnerability. While the OpenSSL Foundation has publicly asked for more money to help fuel development, a new option to push OpenSSL forward is now getting started.

In the open-source development model, when disputes happen and one group wants to take a project in a different direction, forks happen and that's what is now occurring with OpenSSL.

The open-source OpenBSD operating system community has now officially forked the OpenSSL code and is building its own version of an open-source cryptographic library called LibreSSL.

The forking of OpenSSL is a direct response to the Heartbleed vulnerability, which was first publicly disclosed April 7. OpenSSL is an open-source cryptographic library used to provide Secure Sockets Layer (SSL) services to Websites and embedded technologies. The Heartbleed flaw could enable an attacker to read data from a server that is vulnerable. It's an attack that has been used against the Canada Revenue Agency, as well as a client of security vendor FireEye.

When the Heartbleed news first broke, I contacted OpenBSD founder Theo de Raadt, who is always a great source for colorful commentary. OpenBSD is an open-source operating system that makes use of OpenSSL and also leads multiple important open-source efforts, including OpenSSH. I was curious about the disclosure process around the Heartbleed flaw, which left hundreds of millions of end users at risk, though somehow a few services, including Google and CloudFlare, did receive advance notice.

"We received no notice," De Raadt told me. "I came back from the pub after meeting someone involved in the local Internet exchange, found out four developers were already working on the errata, I approved their diff for not causing an ABI [Application Binary Interface] breakage, signed the patches, and it shipped."

Now, instead of just waiting for the OpenSSL project to get its act together, OpenBSD is taking matters into its own hands by forking the project and creating LibreSSL. It's still very early days in the LibreSSL effort, and it is currently targeted for inclusion in OpenBSD 5.6, with other operating systems to follow, which I suspect will include both Red Hat and Debian-based flavors of Linux.

According to the LibreSSL project page, the multi-operating system support will happen once there is a stable commitment of funding in place by way of the Canadian not-for-profit OpenBSD Foundation. There already is code that is being actively developed in LibreSSL, and it sure looks like a massive cleanup of OpenSSL.

"We know you all want this tomorrow, we are working as fast as we can, but our primary focus is good software that we trust to run ourselves," the LibreSSL project page states. "We don't want to break your heart."

The LibreSSL project is a great example of why open source is a superior way to develop software. When things don't work, open-source code can be forked, and it can be taken in a different direction. Try that with proprietary code.

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.