The Problem
The security of web-sites underpins much of the world's on-line economy. Breaches to it, and potential flaws in implementations of it, are a substantial risk to many organisations, in many countries.
There has already been a famous vulnerability found, and repaired, in the OpenSSL implementation, but there are many closed-source implementations that may still have similar, or more severe, vulnerabilities, or that may be compromised in other ways.
One of the reasons for these vulnerabilities has been the implementation of TLS in languages such as C, which is an inherently insecure language, and one in which code is difficult to prove, verify or correct.
The Proposal
To establish a team of Ada and security experts to produce a TLS solution, written in Ada, for servers in the first instance. This solution would provide an API that could be used with, for example, Apache.
Once this solution had been tested, proved and deployed successfully, it would be extended to the client side, so that browsers, such as Firefox, could use it.
Funding
The proposal depends on the team being paid for the work, and on enhancements also being paid for.
Long-term funding would come from income. The product would be dual-licensed: free open source for individuals and open source projects, such as Mozilla, but commercial licensing for organisations such as Apple.
The Requirements
To be a success, the project must comply with these requirements:
- Satisfy TLS 1.2 and 1.3
- Be designed to provide general transport layer security
- Be compatible with existing TLS APIs
- Ensure highly secure design
- Establish a method to verify a server is running a particular version
- Ensure code is easy to maintain
- Use Ada not just as the language, but as an example of good, secure, reliable and fast open source Ada
Provisional timeline
Funding applications: May-August 2016
Team Recruitment: September 2016
Design: September-October 2016
Coding: November-December-January 2016
Testing: February-March 2017
Beta with customers: April-May 2017
Full Release: September 2017
Next Steps
Please comment on this blog if you have any suggestions for improvements to this draft, or write to peter.brooks@service-governance.org