ISRG to replace Apache-httpd C components with Rust for security reasons

Spread the love

The Internet Security Research Group will replace components of Apache HTTP Server implementation httpd to make the web server more secure. The code goes from C to Rust to prevent memory bugs.

The project is funded by Google and led by the ISRG, the same organization behind Let’s Encrypt’s SSL certificates. The project aims to make httpd more secure by transferring key components piece by piece from C to Rust, the organization writes. The first step is a new module called mod_tls, which should replace the current mod_ssl. That is the default in httpd. The new module is built with the Rustls library for tls, instead of OpenSSL. “We hope mod_tls will one day replace mod_ssl,” the developers write.

In the future, other modules should also be replaced by modules written in Rust. A specific timeline is not yet known for this. According to the organization, C as a development language is insecure in terms of memory. The developers refer to a list of bugs in Apache, where memory bugs are common.

Rust, the language designed by Mozilla, would be much better suited for that. The problem is that Apache is already 26 years old and therefore uses many old components. “It is very difficult to completely convert httpd to Rust in one go. Fortunately, we can incrementally solve the security problem in httpd memory,” writes the ISRG.

You might also like
Exit mobile version