Interestingly, it seems that the vast majority of responses disagree. 100m+ for "security" is not real value. Free tokens that can be applied to any service (not just AWS) is (potentially) huge and, most importantly, addresses a REAL threat, not just "make security better".
IMO AWS showed everyone else up here. Addressed a real problem, helps their direct customers be safe across services, didn't have to spend 100M+ on nothing.
If Google gave money to or something like this, or funded development/donated to critical infrastructure, that's not a bad contribution IMO. Lifting OpenSSL out of its previously underfunded state was a massive boost to everyone's security (for example).
Funding insecure infrastructure rather than replacing it with secure infrastructure isn't a long-term solution. It may make things worse rather than making them better.
No amount of funding is going to make OpenSSL into a project focused on security/correctness like BoringSSL.
I don't think what they intend to do with that money is simply funding critical open source infrastructure. I think they intend for most of it to be used on efforts like the Rust TLS stack they're funding via ISRG.
abetterinternet.org/post/preparing
At least, I hope that's their plan.
Similarly, see opentitan.org which is an open hardware secure element they could use to replace their Titan secure elements in Pixels and their servers, but available for others too.
Google does fairly aimlessly throw money at projects but has more focused efforts too.
I don't think funding OpenSSL was good for security in the long-term. It hurt interest, adoption and funding for better replacements. It only delays the inevitable which is that a poorly designed and written security critical component in an unsafe language needs to be replaced.
GnuTLS is dramatically worse than OpenSSL and is actually a trash tier project with no redeeming value or actual use case beyond politics. It's actually terrible, useless software that doesn't even work properly for the basics let alone securely.
You should read the rest of the thread. BoringSSL is a near/mid-term replacement for OpenSSL that's already available, works well, and has support for more bleeding edge features like HTTP/3 unlike OpenSSL. Rustls is a longer term replacement for it.
OpenSSL is at least useful... but if you don't need a frozen API, legacy ciphers and legacy hardware support then BoringSSL is a much better library with much nicer APIs and a far more correct/robust/secure implementation. You have to be able to keep up with it though.