Document Actions

NCC Group to audit OpenSSL for security holes

ZDNet OpenSSL, arguably the world's most important Web security library with its support for Secure Sockets Layer (SSL) and Transport Layer Security (TLS) in such popular Web servers as Apache and Nginx, has had real trouble. First, there was HeartBleed and more recently there is FREAK. It's been one serious security problem after another. Now, the NCC Group, a well-regarded security company, will be auditing OpenSSL's code to catch errors before they appear in the wild.

This is being paid for by the Linux Foundation's Core Infrastructure Initiative (CII). The CII was set up to pay for essential, but woefully underfunded, open-source projects such as OpenSSL, theNetwork Time Protocol (NTP), and OpenSSH.


Thomas Ritter, a principal security engineer at NCC, told me in an e-mail that, "We're excited to announce that as part of the Linux Foundation's Core Infrastructure Initiative, and organized by the Open Crypto Audit Project, Cryptography Services will be conducting an audit of OpenSSL. This is an amazing opportunity to dive deeply into one of the pieces of software that so much of the world relies on, and we're honored to have been chosen to conduct it."


It's long been known that the OpenSSL code would be audited but there have been no details. In short, no one had answered the question. Now we know.