Amazon releases new, easily auditable TLS implementation
A new, open source implementation of the TLS encryption protocol has been unveiled by Amazon Web Services.
Dubbed s2n (shorthand for “signal to noise”), the library doesn’t implement rarely used options and extensions, meaning its size – currently some 6,000 lines of code – is much, much smaller than that of OpenSSL, currently the most widely used open source implementation of the SSL and TLS protocols, which contains more than 500,000 lines of code.
“s2n is a library that has been designed to be small, fast, with simplicity as a priority,” AWS CISO Stephen Schmidt explained. Also, one of the main reasons for keeping its size small was to make auditing of the code more manageable.
“We have already completed three external security evaluations and penetration tests on s2n, a practice we will be continuing,” he pointed out.
The plan is to review the code on an annual basis. Trusted members of the cryptography, security, and open source communities have already looked at it and will hopefully continue to do so.
Still, it’s a bit unfair to compare the sizes of s2n and OpenSSL.
“OpenSSL provides two main libraries: ‘libssl’, which implements TLS, and ‘libcrypto,’ which is a general-purpose cryptography library. Think of s2n as an analogue of ‘libssl,’ but not ‘libcrypto’,” Schmidt clarified, adding that they will still continue to support OpenSSL by remaining involved in the Linux Foundation’s Core Infrastructure Initiative.
s2n is open source, and the code and accompanying documentation are available on GitHub. The project repository also includes details about the library’s features and the considerable safety mechanisms it employs.
In the last year or so, major bugs have been discovered affecting OpenSSL, which resulted in the Core Infrastructure Initiative organizing an OpenSSL audit, as well as the OpenBSD team and Google forking it.
AWS has evidently decided to start from scratch.
“Over the coming months, we will begin integrating s2n into several AWS services. TLS is a standardized protocol and s2n already implements the functionality that we use, so this won’t require any changes in your own applications and everything will remain interoperable,” Schmidt reassured users.