Google is funding a project at the Internet Security Research Group to port a crucial component of the Apache HTTP web server project from the bug-prone C programming language to a safer alternative called Rust.
The module in question is mod_ssl, which is responsible for supporting the cryptographic operations needed to establish HTTPS connections on an Apache web server.
The ISRG says it plans to develop a new module called mod_tls that will do the same thing but using the Rust programming language rather than C.
The module will be based on Rustls, an open-source Rust library developed as an alternative to the C-based OpenSSL project.
To lead the mod_tls project, the ISRG management has contracted Stefan Eissing, the founder of software consultancy firm Greenbytes and one of the Apache HTTP Server code committers.
ISRG hopes that once its work is finished, the Apache HTTP web server team will adopt mod_tls as the default and replace the aging and less secure mod_ssl component.
A quick way of securing billions of users
According to W3Techs, the Apache HTTP web server is today’s top web server technology, used by 34.9% of all the websites whose web server technology is known.
“Apache httpd is still a critically important piece of infrastructure, 26 years after its inception,” said Brian Behlendorf, one of the Apache web server creators.
“As an original co-developer, I feel a serious revamp like this has the potential to protect a lot of people and keep httpd relevant far into the future.”
Over the past few years, Rust has become one of the most beloved programming languages around [1, 2].
Developed with sponsorship from Mozilla, Rust was created as a safer-to-use, low-level, multi-purpose programming language and an alternative to C and C++.
Unlike C and C++, Rust was designed as a memory-safe programming language that comes with protections against memory-management issues that often result in dangerous security flaws.
Memory-safety vulnerabilities have dominated the security field for the past decades and have often led to issues that can be exploited to take over entire systems, from desktops to web servers and from smartphones to IoT devices.
Microsoft said in 2019 that the percentage of memory safety issues patched in its software had hovered around 70% of all security bugs for the past 12 years.
In 2020, Google echoed the same number when the Chrome team said that 70% of the bugs patched in its web browser were also memory-related issues.
Google and Microsoft are currently running experiments with using Rust in Chrome and Windows, respectively. Microsoft has even gone so far in its recent experiments as to create a whole new Rust-like derivative programming language called Verona, which it recently open-sourced on GitHub.
With such statistics from both Google and Microsoft, and with almost two-thirds of all websites now redirecting to HTTPS, porting Apache’s mod_ssl module to Rust is a simple and fast way of making sure billions of users are kept safe in the coming years.