Unless you haven't been on the net for a year, you know Transport Layer Security/Secure Socket Layer (TLS/SSL) software, such as OpenSSL, have had numerous serious security problems. Now, Amazon, is introducing a new TLS implementation: "Signal to noise," s2n.
Stephen Schmidt, Amazon's VP of security engineering, said that Amazon, the number one online retailer in the Americas, uses strong encryption not just on its eponymous sales site, but on its cloud services as well. The multiple OpenSSL problems, such as Heartbleed, Freak, and Logjam, have led to "time-consuming operational events, such as software upgrades and certificate rotations."
So, Schmidt explained:
In order to simplify our TLS implementation and as part of our support for strong encryption for everyone, we are pleased to announce availability of a new Open Source implementation of the TLS protocol: s2n. S2n is a library that has been designed to be small, fast, with simplicity as a priority. s2n avoids implementing rarely used options and extensions, and today is just more than 6,000 lines of code.
This new library is meant to answer an inherent problem with the older open-source encryption programs: Their optional extensions make them very complex. Indeed, "OpenSSL, the de facto reference implementation, contains more than 500,000 lines of code with at least 70,000 of those involved in processing TLS. Naturally with each line of code there is a risk of error, but this large size also presents challenges for code audits, security reviews, performance, and efficiency."
Rather than try to cover all of SSL/TLS's full range of extensions, s2n, with its mere 6,000 lines of code, focuses only on encryption. This means that Amazon is not trying to replace OpenSSL. Schmidt wrote that "Amazon remains committed to supporting [OpenSSL] through our involvement in the Linux Foundation's Core Infrastructure Initiative."
Instead, s2n replaces the functionality of only one of OpenSSL's two main libraries: Libssl, which implements TLS. There is no s2n equivalent to libcrypto, OpenSSL's general-purpose cryptography library. Thus, s2n can take the place of "libssl," but not "libcrypto."
S2n has not been deployed into Amazon software stack yet. It will begin by being integrated into several Amazon Web Services (AWS) services. AWS users and developers will not need to change either how they use or develop in AWS. From their viewpoint, the transition will be transparent.
If s2n continues to live up to its promise in practice, sources at Amazon said it could then be deployed to the retail site.
Want to know more or contribute to the project? The source code, documentation, commits and enhancements are all publicly available under the terms of the Apache Software License 2.0 from the s2n GitHub repository.