
Considering how widely it's used, if Google could use some of their resources to better it, I'm all for it!


Considering how widely SSL is used, and the resources of Google, I wonder if they could come up with their own encryption toolkit? How hard can it be for a company the size of Google to create a library that lives up to, e.g., SQLite's quality standards?


Fix OpenSSL, and everyone that currently uses OpenSSL benefits. Create a new library that's clearly better than OpenSSL, and ten years later there will still be important things that still haven't switched.


Google has already written and released a complete crypto stack for Go. Were you restricting your comments to C/C++ implementations?


The last time I looked at it the Go stack was very weak compared to any of the mature C SSL stacks. IIRC it only took me a few minutes to find a security bug (which I reported and is now fixed) that I'd reported against various browsers several years earlier. In short, I highly doubt the Go SSL stack is production ready.


The above questioner didn't ask whether it was any good, only whether Google could write and release one.


Good point. Though it only claims to "partially implement TLS 1.2". http://golang.org/pkg/crypto/tls/


I would say that Joel Spolsky answers this quite well:

http://www.joelonsoftware.com/articles/fog0000000069.html

What would be interesting to see is a fork of OpenSSL with the intention of cleaning up the code, removing abstractions where they are unnecessary and adding them where they are, and adding a comprehensive test suite to ensure correct behaviour wherever possible.


The real question is, how hard can it be to do that while starting with OpenSSL compared to starting from scratch?



