Google is funding a project by the Internet Security Research Group to move a crucial component of the Apache HTTP web server project from the bug-prone C programming language to a more secure alternative called Rust.
The module in question is called mod_ssl and is the module responsible for supporting the cryptographic operations needed to establish HTTPS connections on an Apache web server.
ISRG says it plans to develop a new module called mod_tls which will do the same but using the Rust programming language rather than C.
The module will be based on Rustls; an open source Rust library developed as an alternative to the C-based OpenSSL project.
To lead this work, ISRG management hired Stefan Eissing, the founder of software consulting firm Greenbytes, and one of the Apache HTTP Server code committers, to lead the mod_tls project.
The ISRG hopes that when their work is complete, the Apache HTTP Web Server team will adopt mod_tls as default and replace the aging and less secure mod_ssl component.
A fast way to secure billions of users
According to W3Techs, Apache HTTP web server is the most widely used web server technology today, used today by 34.9% of all websites with known web server technology.
“Apache httpd is still a critically important piece of infrastructure, 26 years after its inception,” said Brian Behlendorf, one of the creators of the Apache web server.
“As the original co-developer, I think a serious overhaul like this has the potential to protect a lot of people and keep httpd relevant far into the future.”
Over the past few years, Rust has become one of the most popular programming languages. [1, 2].
Developed with sponsorship from Mozilla, Rust was created to create a general-purpose, low-level, safer-to-use programming language as an alternative to C and C++.
Unlike C and C++, Rust was designed as a memory-safe programming language, with protections against memory management issues that often lead to dangerous security holes.
Memory security vulnerabilities have dominated the security arena for decades and have often led to issues that can be exploited to take over entire systems, from desktop computers to web servers and smartphones to IoT devices.
Microsoft said in 2019 that the percentage of memory security issues fixed in its software had hovered around 70% of all security bugs over the past 12 years.
In 2020, Google echoed the same number when the Chrome team said that 70% of bugs fixed in its web browser were also memory-related issues.
Google and Microsoft are currently experimenting with using Rust in Chrome and Windows. Microsoft has even gone so far in its recent experiments that it has created a whole new Rust-like spin-off programming language called Verona, which it recently made open source on GitHub.
With such statistics from Google and Microsoft, and with nearly two-thirds of all entire websites now redirecting to HTTPS, porting Apache’s mod_ssl module to Rust is a quick and easy way to keep billions of people secure. users in the years to come.