Google funds Apache web server security project with new Rust component
Google is funding an Internet Security Research Group project to port a crucial component of the bug-prone C programming language Apache HTTP web server project to a more secure alternative called Rust.
The module in question is called mod_ssl and is the module responsible for supporting the cryptographic operations required to establish HTTPS connections to an Apache web server.
The ISRG has announced its intention to develop a new module called mod_tls which will do the same but using the Rust programming language rather than C.
The module will be based on Rustls; an open source Rust library developed as an alternative to the C-based OpenSSL project.
To lead this work, the ISRG leadership hired Stefan Eissing, the founder of software consulting firm Greenbytes, and one of the Apache HTTP Server code maintainers, to lead the mod_tls project.
The ISRG hopes that once their work is done, the Apache HTTP web server team will adopt mod_tls by default and replace the aging and less secure mod_ssl component.
A fast way to secure billions of users
According to W3Techs, Apache HTTP web server is the best current web server technology, used today by 34.9% of all websites with known web server technology.
“Apache httpd is still a critically important piece of infrastructure, 26 years after its inception,” said Brian Behlendorf, one of the creators of the Apache web server.
“As the original co-developer, I think a serious overhaul like this has the potential to protect a lot of people and keep httpd relevant for the future. “
Over the past few years, Rust has grown into one of the most popular programming languages. [1, 2].
Developed with a sponsorship from Mozilla, Rust was created to create a versatile, low-level, and more secure programming language to use as an alternative to C and C ++.
Unlike C and C ++, Rust was designed as a secure-memory programming language, with protections against memory management issues that often lead to dangerous security vulnerabilities.
Memory security vulnerabilities have dominated the security arena for the past decades and have often led to issues that can be exploited to support entire systems, from desktops to web servers, and smartphones to devices. IoT.
Microsoft said in 2019 that the percentage of memory security issues fixed in its software hovered around 70% of all security bugs in the past 12 years.
In 2020, Google echoed the same number when the Chrome team said that 70% of the bugs fixed in their web browser were memory issues as well.
Google and Microsoft are currently experimenting with using Rust in Chrome and Windows. Microsoft has even gone so far in its recent experiments that it created a brand new Rust-like derivative programming language called Verona, which it recently opened on GitHub.
With statistics like this from Google and Microsoft, and with nearly two-thirds of all websites now redirecting to HTTPS, porting the mod_ssl module from Apache to Rust is a quick and easy way to keep billions of dollars safe. users in the years to come.