Students tackle OpenSSL issues to help keep the internet encrypted
Students tackle OpenSSL issues to help keep the internet encrypted
https://www.rit.edu/news/students-tackle-openssl-issues-help-keep-internet-encrypted
Publish Date: 2026-05-26 10:37:00
Source Domain: www.rit.edu
Using an unordered list, summarize the following article with between 4 and 8 key points.
As part of a cybersecurity course, RIT students are helping ensure that internet communications stay secure.
For three semesters, students have been patching issues with OpenSSL—a free and open-source library and toolkit that provides encryption for computer networks. Many of the student’s submitted code changes have been merged into the critical library that powers about two-thirds of all websites and internet servers.
“OpenSSL is kind of the backbone of the internet and even if you didn’t know about it, you’ve most likely used it to protect data when accessing a website,” said Jose Luis Gonzalez, a fourth-year cybersecurity major, who took the course. “It’s really rewarding and cool to know that I’ve contributed to it.”
RIT Professor Billy Brumley teaches the Open Source Software Security course. For the main class project, students find open issues on OpenSSL’s GitHub and write code that could be integrated into the system. At any time, there are more than 1,000 open reported issues on OpenSSL that anyone can help fix.
Brumley, the Kevin O’Sullivan Endowed Professor in Cybersecurity, said he has built his industry and research career on OpenSSL. He’s also part of the Business Advisory Committee with OpenSSL.
OpenSSL started in 1998 as a transparent and universally accessible infrastructure for internet security. Today, major technology, financial, and infrastructure companies—including Google, Amazon, Microsoft, Cisco, and Meta—rely on OpenSSL for secure communication.
In 2014, OpenSSL went through reform after being the subject of one of the largest security flaws in internet history. It was called Heartbleed and it allowed hackers to silently extract passwords, private cryptographic keys, and other sensitive data from server memory.
“Early in my career, I enjoyed offensive security and finding vulnerabilities—like many students,” said Brumley. “I thought I could report a problem and someone would just magically fix it. But realistically, knowing how to fix things yourself is equally as important for security professionals.”
Brumely said many students are aware of OpenSSL but have never used it. He explained that addressing pull requests is a good way for students to prepare for industry and to learn C—an older programming language that is often still used in healthcare and infrastructure due to its stability.
How student code helps test security
“At first, the idea of working on OpenSSL was daunting,” said Gonzalez, who is completing a Combined accelerated BS/MS degree option in cybersecurity.
His team identified an issues worth looking into. His task was to create a regression test to the codebase that could run whenever certain changes are made to OpenSSL.
“When you encounter a troublesome issue, it’s important to have a test for it so you know the problem isn’t happening again,” said Gonzalez. “You don’t want new updates to reintroduce the issue.”
For Gonzalez, the two-and-a-half-month experience was a learning process. First, he figured out the design, programmed the test, and sent it in for review by an OpenSSL team. After several back and forths to solve crashing issues, spelling mistakes, and cleaning up code to be consistent with the repository, his work was integrated.
“Now, every time someone pushes a new change, the test I wrote is going to run,” said Gonzalez. “It’s really rewarding that my contribution is going to persist through.”
This year, 20 pull requests from the RIT class were merged. Brumley said around 60 projects have been merged by RIT students throughout all his courses. As a thank you, OpenSSL sent swag for the students.
Gonzalez is now completing an internship as a security engineer at Amazon. He said that he wears his OpenSSL T-shirt around the office in Austin, Texas and it’s a nice conversation starter. It’s also good for his résumé and he hopes to contribute again someday.
Brumley will be teaching the course again during the Fall 2026 semester. In the future, he also hopes to set up co-ops with the OpenSSL Corp.
