Amazon just wrote a TLS crypto library in only 6,000 lines of C code
At under a tenth the size of OpenSSL's TLS code, it should be easier to spot bugs
Amazon Web Services has released a new, open source library that implements TLS encryption – the standard behind the secure HTTPS web protocol – using far less code than the prevailing OpenSSL library.
Dubbed s2n for "signal to noise," the new library comprises just over 6,000 lines of C code. By comparison, OpenSSL consists of more than 500,000 lines of code, with around 70,000 of them devoted to TLS alone.
"Naturally with each line of code there is a risk of error, but this large size also presents challenges for code audits, security reviews, performance, and efficiency," AWS chief security officer Stephen Schmidt said in a blog post announcing s2n.
By implementing TLS from scratch in a leaner library that leaves out "seldom used options and extensions," AWS hopes to make it easier to spot and address security vulnerabilities in the code.
Schmidt said AWS has already had outside agencies run three security evaluations and penetration tests on s2n, and it plans to continue the practice.
The security of the OpenSSL project has been under close scrutiny since 2014, when it was revealed that a bug known as Heartbleed (CVE-2014-0160), a missing bounds check in OpenSSL's handling of the TLS heartbeat extension, let attackers read chunks of a server's process memory, potentially including private keys and session data, from ostensibly secure servers.
Several other critical vulnerabilities have been spotted in OpenSSL since the Heartbleed disclosure, and although a number of organizations have pitched in funds to audit and improve the code, some developers have suggested that the library is so large and complex that it might be better to start over.
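To make the Heartbleed bug class concrete, here is an added example written for this page; it is not OpenSSL's or s2n's code. It models a simplified heartbeat handler in two shapes: the vulnerable one trusts the peer-supplied payload length and copies that many bytes out of the record, while the hardened one first checks that the claimed payload, header and minimum padding all fit inside the record that actually arrived. The function names, the fixed 16-byte padding, the `SECRET` string, and the arena layout (the record placed directly ahead of unrelated sensitive bytes in one buffer, so the over-read stays inside this program's own memory) are all constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING  16   /* RFC 6520 requires at least 16 bytes of padding */

/* Constructed stand-in for whatever happens to sit next to the record in memory. */
static const char SECRET[] = "PRIVATE-KEY-BYTES";

/* payload_length is a 16-bit big-endian field right after the 1-byte type. */
static size_t hb_payload_len(const uint8_t *rec)
{
    return ((size_t)rec[1] << 8) | rec[2];
}

/* Vulnerable shape: `rec_len` is the true record length from the record layer,
 * but the copy is sized from the attacker-chosen payload_length alone.
 * Returns the response length or -1. */
int heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                         uint8_t *out, size_t out_cap)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST)
        return -1;
    size_t payload  = hb_payload_len(rec);       /* attacker-controlled */
    size_t resp_len = 1 + 2 + payload + HB_PADDING;
    if (resp_len > out_cap)                      /* only the destination is bounded */
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);           /* BUG: reads past rec when payload > rec_len - 3 */
    memset(out + 3 + payload, 0, HB_PADDING);    /* real code uses random padding */
    return (int)resp_len;
}

/* Hardened shape: the claimed payload plus header and minimum padding must fit
 * in the record that was actually received; otherwise the request is dropped. */
int heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                    uint8_t *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING || rec[0] != HB_REQUEST)
        return -1;
    size_t payload = hb_payload_len(rec);
    if (1 + 2 + payload + HB_PADDING > rec_len)  /* the check that was missing */
        return -1;
    size_t resp_len = 1 + 2 + payload + HB_PADDING;
    if (resp_len > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);           /* now provably inside rec */
    memset(out + 3 + payload, 0, HB_PADDING);
    return (int)resp_len;
}

#define REC_LEN 23  /* 1 type + 2 length + 4 real payload bytes + 16 padding */

/* Lay out a heartbeat request claiming `claimed` payload bytes (it really
 * carries 4), immediately followed by SECRET. Returns the true record length. */
static size_t build_scenario(uint8_t *arena, size_t cap, uint16_t claimed)
{
    memset(arena, 0, cap);
    arena[0] = HB_REQUEST;
    arena[1] = (uint8_t)(claimed >> 8);
    arena[2] = (uint8_t)claimed;
    memcpy(arena + 3, "ping", 4);
    memset(arena + 7, 0xAA, HB_PADDING);
    memcpy(arena + REC_LEN, SECRET, sizeof SECRET - 1);
    return REC_LEN;
}

/* Honest request (claims the 4 bytes it carries): fixed handler answers with 23 bytes. */
int fixed_handles_honest_request(void)
{
    uint8_t arena[64], out[128];
    size_t n = build_scenario(arena, sizeof arena, 4);
    return heartbeat_fixed(arena, n, out, sizeof out);
}

/* Claim 36 bytes from a record holding 20 after its header: the vulnerable
 * handler echoes the 16 bytes that follow the record, i.e. SECRET. */
int vulnerable_leaks_secret(void)
{
    uint8_t arena[64], out[128];
    size_t n = build_scenario(arena, sizeof arena, 36);
    int len = heartbeat_vulnerable(arena, n, out, sizeof out);
    return len == 1 + 2 + 36 + HB_PADDING && memcmp(out + 3 + 20, SECRET, 16) == 0;
}

/* Same oversized claim against the fixed handler is refused outright. */
int fixed_rejects_oversized_claim(void)
{
    uint8_t arena[64], out[128];
    size_t n = build_scenario(arena, sizeof arena, 36);
    return heartbeat_fixed(arena, n, out, sizeof out) == -1;
}

int main(void)
{
    printf("fixed, honest request: %d bytes\n", fixed_handles_honest_request());
    printf("vulnerable leaks secret: %d\n", vulnerable_leaks_secret());
    printf("fixed rejects oversized claim: %d\n", fixed_rejects_oversized_claim());
    return 0;
}
```

The point of the pair is that both handlers bound the destination buffer; only the second one bounds the source. A length field inside a message is data chosen by the peer and must be checked against the length the transport layer actually delivered before it is used to size a copy, which is exactly the kind of check that is easier to audit for in 6,000 lines than in 70,000.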
The s2n library isn't a replacement for OpenSSL, though. It implements only the TLS protocol layer (handshake, record framing and state machine) and not the cryptographic primitives themselves; for ciphers, hashes and public-key operations it calls out to a separate libcrypto. Schmidt said Amazon will continue to support the development of the OpenSSL cryptography library via the Linux Foundation's Core Infrastructure Initiative.
Over the next few months, however, Amazon plans to switch several AWS services to use s2n instead of OpenSSL for their TLS functions.
"TLS is a standardized protocol and s2n already implements the functionality that we use, so this won't require any changes in your own applications and everything will remain interoperable," Schmidt said.
AWS has released s2n under the Apache 2.0 open source license and the code is available from the project's GitHub repository. ®