Hacker News new | comments | show | ask | jobs | submit login
Make SSL boring again (cloudflare.com)
44 points by hepha1979 10 months ago | hide | past | web | favorite | 9 comments

Why did Cloudflare choose BoringSSL over LibreSSL?


> BoringSSL is a fork of OpenSSL that is designed to meet Google's needs.

> Although BoringSSL is an open source project, it is not intended for general use, as OpenSSL is. We don't recommend that third parties depend upon it. Doing so is likely to be frustrating because there are no guarantees of API or ABI stability.

As a final note we’d like to thank the BoringSSL developers for the great work they poured into the project and for the help they provided us along the way.

Seems like they are working pretty close together and got something out of the deal as well.

Because after Heartbleed we started to look for a performant alternative to OpenSSL that we felt would be safe for us to use.

But why not LibreSSL?

LibreSSL doesn't provide the features of BoringSSL that we use so would have required a huge amount of work to use.

Interesting, I would think it would be easier to use LibreSSL for this since the OpenBSD folks are so conservative that the modern APIs are likely to be stable. Maybe they want to use more of the legacy APIs that the OpenBSD folks are excising?

TLDR: cloudflare switched from openssl to the Google fork BoringSSL.

They now have out of the box some features they maintained themselves, and have a more stable and maintainable stack.

But they also seem to be supporting some features they previously had out of the box?

Why are we still calling it SSL? It's like saying Telnet whenever you refer to SSH.

Also: it seems like there's no release or commit signing, unless I missed it? So couldn't you just compromise one user, or commit bot, or git repo location, and basically own all TLS that Cloudflare uses, effectively owning like half of the internet?

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact