I discuss all things OpenSSL with Hana Andersen and Anton Arapov from the OpenSSL Corporation. Discover the intricacies of organizing the first-ever OpenSSL conference in Prague, the importance of post-quantum cryptography, and the evolution of OpenSSL from a small team to a global community. Whether you’re a seasoned cryptographer or just curious about the future of secure communications, this episode offers insights and stories. Don’t miss out on learning how OpenSSL is still shaping the future of cryptography.
Episode Links
- Hana’s LinkedIn
- Anton’s LinkedIn
- OpenSSL Conference
- OpenSSL Corporation
- OpenSSL Foundation
- OpenSSL Mission
- OpenSSL Communities
This episode is also available as a podcast; search for “Open Source Security” on your favorite podcast player.
Episode Transcript
Josh Bressers (00:00) Today, Open Source Security is talking to Hana Andersen the marketing and communications manager at the OpenSSL Corporation, and Anton Arapov the director of operations at the OpenSSL Corporation. And you both are here, partially because I want to understand more about OpenSSL and the structure of everything, but also you have a conference coming up, which is extremely exciting and a lot of work. So I will let, let’s pick on Hana first, because I read her name first. So Hana, why don’t you give us like a little intro?
Hana Andersen (00:27) is.
Josh Bressers (00:29) and tell us why you’re here.
Hana Andersen (00:32) So I’m here to invite everyone to Prague to attend the first ever OpenSSL conference, which is co-organized by the OpenSSL Corporation and the OpenSSL Foundation. And it is happening next month in October from the 7th to 9th. We invite everyone for three days packed with the 80 plus speakers, four meeting rooms, two networking events.
you know, connected with the Czech history of the beer and also the cruise on the Vltava river. So that’s basically, yeah, everyone is welcome. And we would like to really see not only our customers, our community members, but everyone who is interested in the cryptography and post quantum in OpenSSL, even though it’s called OpenSSL conference, it’s not only about the OpenSSL. So.
And it is the first ever, however, not the last. We would like to have it as an annual event and we are going to stay in Europe. We are going to rotate, you know, we are going to move from country to country. So next year I’m not going to reveal it because then, you know, it will not be a surprise.
Josh Bressers (01:49) Awesome, awesome. Yes, and I will get to your agenda in a little bit, but it is amazing. All right, Anton, why don’t you tell us who you are and why you’re here?
Hana Andersen (01:53) Mm.
Anton Arapov (01:58) I’m an operations director at OpenSSL Corporation, as you noted, and I’m here mostly to talk about a conference, but I’m open to answer any other question. The one thing I wanted to add to what Hana already told is that we’re also trying to get at the conference not just an engineering crew, but also people who are the business leaders, people who are taking care about the compliance of their work.
and also policymakers. So we will have people from European Commission, for example, we will have a bunch of lawyers and panel discussions. So I think it is an interesting place where you can meet pretty much everyone who is involved in one way or another way, from the start, from the development of the cryptographic algorithms up to the really, really end, to the policymaking end and be a part of it.
Josh Bressers (02:51) For sure. Okay, I’ll start with the obvious question. I am not a smart person. OpenSSL feels like something for smart people. What is your kind of take on that if I say, I’m not smart enough to go to the OpenSSL conference.
Anton Arapov (03:10) I’ll do you an visitor.
Hana Andersen (03:10) would say it
doesn’t matter because ⁓ it is really for everyone. We would like to have the wide audience from the students who have the basic knowledge of the cryptography to the deeper knowledge based ⁓ presentation. So everyone can really choose what they feel like it is appropriate for them and learn and get inspired, let’s say.
Anton Arapov (03:38) I will tell you more. I mean, for me, conferences were never like a place where you gather the experts for experts. It’s a place where you can learn things. So this is where the experts can speak your language and speak in a way you would understand. I mean, we don’t do, and the other conference I was at, were never like a talk where you need a level of expert to understand what they’re talking about.
Hana Andersen (03:45) Mm.
Anton Arapov (04:06) So it is very, acceptable, accessible.
Josh Bressers (04:10) You say that, but you’ve got DJB on your schedule. So I have a suspicion that one will be complicated. But that talk actually, if I was at the show, that is that would be number one on my list to go to. I unfortunately won’t make it, but this is OK. This is cool. OK, so like let’s just talk about your agenda. So you mentioned there’s there’s all different levels. I feel like when I look at your agenda, the theme of the year would be post quantum cryptography.
And like, what does that mean? Why do we keep seeing all these post-quantum cryptography talks? And why should I care?
Anton Arapov (04:44) And it’s very, very important. I mean, it’s important for everyone who is doing business with the government, with the military, and et cetera. You may know that any regulations from both North America and Europe, they require to have a cryptography, like post-quantum ready cryptography ready by 2030. It’s not that far away. So that’s why.
Josh Bressers (05:09) For sure, and it should also be noted, I, actually Anton and I both worked at Red Hat for a decade, long ago, but when you make changes to a library like OpenSSL, this isn’t a, let’s just upgrade OpenSSL and we’re done, right? This takes like literally decades to get the algorithms in place, to get the software in place, to get people to adopt the software. It is an absolutely bananas process.
Anton Arapov (05:35) When someone thinks about the cryptography and what library to use, or if they’re of thinking right now to develop their own library, it takes decades from the point you will start creating something to the point when people trust you, that you trusted library, that they can rely on you and…
And everything like along this time, along this line, sorry. And yeah, what else?
Josh Bressers (06:05) Okay, so I wanna dwell on the conference a little longer, but I also wanna get to some of the structure of OpenSSL, because I think that is a fascinating topic in itself. So Hana, I wanna ask you, you are in charge of wrangling the cats, right, so to speak. I know what creating a conference and dealing with this is like, so I’m just curious, tell me about the process, kind of start to finish, because I feel like an OpenSSL conference is…
Anton Arapov (06:05) I
Josh Bressers (06:33) It’s niche, right? I mean, compared to a lot of other conferences where a lot of security conferences are very broad, a lot of tech conferences are very broad, but you’re really kind of focused on a very specific topic. It’d be at OpenSSL or encryption, however you want to put it. Like, talk about that. What are the challenges?
Hana Andersen (06:38) Hmm.
Yeah, but not, not, not only, I would say that it’s not as niche as you think it is as, as we said, it is called OpenSSL conference because we are the OpenSSL. However, we would really like to have more topics, not only, and we have more topics, not only about the OpenSSL. So this is, this is the key thing. And yeah, the idea was, I think, that when
When it happened, Anton, when you had some face-to-face meeting and you played that money splash and if you had a million, then what would you do with that? And one of the ideas was like, let’s say, let’s organize the OpenSSL conference, right? So yeah, it basically you need a year if you start something from the scratch. And it’s not easy when you don’t have any content, when you don’t have any…
marketing material where you can show the value, you know, what do you expect. So we have to, we have to really build something and we are really thankful that all these speakers who submitted the talks and are ready to come, that they are building something together with us and we are establishing something what will last hopefully many years, as I said, annual event from now on.
So it is a big thing also for the partners, right? Convince them that they should invest some money to be a sponsors. They don’t know what they’re going to get. And yeah, but we hope that we combined all the aspects and the location, which is the heart of Europe, as they call the Czech Republic. And also it’s because yeah, majority of the, of the team is now based in Czech. So that’s basically why we are here now.
focusing on Prague conference. And we also, I would say also with that the focus is to get that kind of audience between 400 to 500 is also that really whoever you meet in the corridor of the hotel you will see okay this is the conference person, right? So we want to have it as a not a huge event where you’d see the faces you are not familiar with.
So that should be also really like a year gathering where friendships will become or start.
Josh Bressers (09:16) Yeah, for sure. And I don’t remember if we said, I think we said this at the beginning, but it’s in Prague, Czech Republic, which is a lovely location. And the beer is phenomenal, having been to Czech many times. Yes.
Hana Andersen (09:22) Yes, yes, exactly.
Beers cheaper than water.
And the theme for the conference, I would say, if you look at the webpage of our conference, that’s the robot. It is because the Karel Čapek, who is the author, a Czech author, he wrote a book and he used the robot in his book. So that’s why we chose that. And all the graphic is from that, like in that theme.
Josh Bressers (09:54) Awesome, awesome, I love that. Okay, and I also want to follow up. So this conference is in like a month. So that’s a pretty short runway for a lot of people who might be interested. Three weeks from now. Well, and this is coming out after the day we record. So it might be even closer by then. However, you said you’re planning the conference for next year. So for anyone who missed this year, you obviously have a call for papers that’ll be coming up at some point.
Hana Andersen (10:03) Three weeks.
Ha
Mm-hmm.
Josh Bressers (10:19) as well as the actual conference and announcements. So if this is something we’re interested in and we can’t make it to Prague in three weeks, what like, when should we keep an eye out for the next call for papers and announcements and things like that?
Hana Andersen (10:34) Well, we’ll definitely announce the conference, the next year conference during the Prague conference. That’s for sure. We will have the dates and the location. So I hope that you will hear from us basically at the end of October, beginning of November.
Josh Bressers (10:41) Nice.
Awesome, good deal, very cool. So yes, for anyone who missed it, you know, be glad, it’s coming back. So that’s awesome.
Hana Andersen (11:01) Yes, and I will just reveal that it’s going to be again October 2026 and we stay in Europe.
Anton Arapov (11:07) Yeah, Josh, one more thing. Even when the show will be available online, people will be looking at it maybe it will be just a few days from a conference and the people are interested and we are interested in these people as well, I guess, because we would like people who want to go and talk security. And yeah, I want these people just to not hesitate.
reach out to Hana reach out to me, reach out to OpenSSL in general. So we may figure out or do some magic to get these people on board.
Josh Bressers (11:39) Awesome. Yes, that’s very exciting. I love this kind of stuff. It’s so nerdy, but it’s so much fun too. I’m like an armchair cryptographer. I’m smart enough to never roll my own, but it’s just such a fascinating topic. And man, your schedule, I cannot emphasize this schedule. If you don’t know a lot about cryptography, this is like the who’s who of what’s going on right now in the crypto world, which is like phenomenal. And I love that so much.
Anton Arapov (12:06) So, Josh, you might want to reconsider and come to the conference. Change your plans.
Hana Andersen (12:10) Mm.
Josh Bressers (12:12) you gotta get that past my wife, Anton.
Hana Andersen (12:15) Well, she can come with you then. Yeah, exactly.
Anton Arapov (12:16) You can teach me.
Josh Bressers (12:18) She is a school teacher. So no, that definitely would not be happening. But yes, she would absolutely adore Prague. She’s never been and it’s a lovely place. Okay. All right. I want to switch gears a little bit because I do not fully understand the like spider web of connections in the groups involved here because there’s OpenSSL, the software we think of there’s something called the OpenSSL foundation. You two work for the OpenSSL corporation.
Anton Arapov (12:20) yeah.
Hana Andersen (12:21) Mm.
Josh Bressers (12:47) And there’s the OpenSSL conference that somehow, so like, help me untangle this. I don’t even know where to start on this one.
Hana Andersen (12:48) Yes.
Anton Arapov (12:56) It is, in a sense, it is easy. OpenSSL has, let’s say there is an OpenSSL project to it as well. So OpenSSL project had two entities in the past and it was a foundation, a non-profit entity and corporation, which is a not-for-profit entity. And whatever work a project was doing for commercial customers, we were having a contract through the OpenSSL corporation.
In the past, we didn’t differentiate these companies because it was the same set of people. And as I mentioned earlier, we did splits so that we have a better focus on a commercial side and non-commercial. So right now we have people who are focused on the commercial things like Hana and me here. And we also taking care of the conference. It’s mostly Hana takes care about the conference.
But it’s also a foundation site as well. So we do have foundation people at the conference. also help and contribute to the organization and topics. So yes, we have the foundation nonprofit. The corporation is for profit. We have an OpenSSL project, which is to surprise even more, it’s not just an OpenSSL library in the project right now. We also have two more projects who are…
joined the OpenSSL mission. It is a Bouncy Castle and a Cryptlib. So we have more of us. Yeah, and so we have the corporations, the foundations, the projects, we have the community, we have the conference, we have plenty. And we have an OpenSSL mission. So you’re welcome to check the opensslmission.org. We have plenty of websites.
Josh Bressers (14:47) That does not sound simple, Anton, but I’ll take your word for it. So I don’t know what Cryptlib is. I know Bouncy Castle is a Java cryptography library, but what is Cryptlib? I’m not familiar with that.
Anton Arapov (14:55) Cryptlib is similar to OpenSSL. It is a cryptography toolkit you can use, but it is much smaller. You can use it in an embedded world, so for small footprint devices.
Josh Bressers (15:07) Okay, I gotcha. That makes sense. Because OpenSSL is quite a large library and it does a ridiculous amount. I will never forget trying to read the OpenSSL man pages way back in the day and just being astounded by the features it had.
Anton Arapov (15:25) We used to have in the past like four developers on average taking care of a library. Sometimes there were like two developers, you can imagine like for the project of this size to have just two people or four people taking care of it. It’s really, I mean, it’s impossible and amazing on the same side. Nowadays we have 20 people on the corporation side and we have six people on the foundation side. They have…
four developers and we have 15 developers, something like that. I’m sorry, I don’t have the exact number in a head, but yeah, we’re much, much better.
Hana Andersen (16:03) You have nine software engineers here.
Anton Arapov (16:07) We’re much better positioned right now to support our clients, to do the further development of the library. And you may notice the post-quantum areas, you also mentioned earlier. So just a half a year ago, we were kind of lagging behind the other projects on the post-quantum implementations. I think, I’m actually pretty sure that we are ahead of everything else right now.
Josh Bressers (16:33) Wow, that’s super cool. I didn’t realize, I won’t lie, like post quantum is one of those things I hope I can ignore long enough that smart people will fix it for me. So it’s looking like that’s gonna work. So, okay, so this is really cool actually, Anton, is I didn’t realize how big the OpenSSL like, I guess empire had become because I mean, I remember I was around when Heartbleed happened.
Anton Arapov (16:54) It’s small.
Josh Bressers (16:58) And everyone was horrified to find out there was basically like nobody in charge and there was no full-time effort or anything. And here this is like the library running secure communications on the internet. And so that is an amazing arc, right? Going from almost nobody to the structure you described. And now I assume this was hard work. Yes.
Anton Arapov (17:23) It was an incredibly hard work, especially over the last three years. It was plenty of changes, organizational changes, way we do the development. It was onboarding new people, new for us developers, with development backgrounds. We’ve got a marketing communication, we’ve got an operations person. For me, it was new, how to manage these people.
What should we do? And yeah, so we change a lot. We learned a lot. We did our mistakes. We still keep on doing mistakes. But it is a fantastic journey. It’s especially nice to see these changes and actually how it changes. We all, like every single person in OpenSSL right now, busy with the conference because we do want it to be a success. It is the first conference.
So yes, and I think once we behind the conference, I cannot imagine how will I feel without the stress. I actually cannot answer how will I live after that.
Josh Bressers (18:35) You just start planning for next year. It’s fine. It never goes away.
Anton Arapov (18:37) Yeah.
Hana Andersen (18:38) Yeah, I think so. There are more events piling up, so I don’t think, you know…
Josh Bressers (18:42) Exactly.
All right, Hana, I want to ask before we kind of land this plane is you are the communications director for a company that is giving stuff away. Like the joke we always had at Red Hat was I sell free software, right? And I feel like this is tell us what that’s like, right? What is it like trying to work with companies and convince the public for something they can get for free, right?
Hana Andersen (19:00) Mm.
Well, I would say I’m not the one who kind of tried to sell it because that’s not our job or my job. I have to tell the story. Yeah. And actually I would say that was pretty positive surprise when we, for the first time, were attending ICMC last year and they were people like passing our booth like, okay, you are real. There are people behind the OpenSSL.
Josh Bressers (19:22) Sure, but you have to tell the story, right?
Hana Andersen (19:42) You know, they almost like wanted to touch you that you are really real. So, and that, that was the positive surprise. So, I think what is, what is the most important is that we are, we try to communicate. We are really like open. I think what, what is, what is happening in the communities, which Anton described is great because without our communities, we, we wouldn’t be able to have the library. Their input is so valuable. And that’s why we also like.
If you look at the registration packages at the conference back to the conference again, again, it is built up according to our communities, you know, even though it’s so difficult, we have 16 various prices, but this is the heart of everything. So I would say it’s not as difficult to communicate something like that because everyone in that industry knows the OpenSSL, the library.
So this is, as I say, it’s a roller coaster ride and it’s really exciting. And we are doing a lot of things for the first time. We learn a lot of things on the way. Yeah, we make mistakes, but if you don’t do anything, if you are sitting still, then you don’t make mistakes, right? So that’s the part of the development. So, and I think, yeah, I don’t think it’s so difficult.
Anton Arapov (21:11) And the security field is complex. It’s not easy to, even if you know, know that it’s not always a straightforward and easy to do. You have your questions and knowing people you can rely on and ask a question is fantastic. It was an interesting, like also change to the OpenSSL, the corporation foundation as well. We trying to change.
Hana Andersen (21:14) Hmm.
Anton Arapov (21:37) the thing that people just think that OpenSSL is open source project on a GitHub, but we want people to know that there is a company behind it, there is a real people. And on multiple, multiple occasions, when we were talking to people at the conferences, they were like, wow, OpenSSL is not just a GitHub thing. So there are some people, there is a company, it was interesting.
And one thing I want to add about the OpenSSL communities, which is also a really, really new thing for us, I think it is the newest before the conference. We were looking for a way we can communicate with our users and developers. Even more important to have a feedback from the people we never had a chance to hear from because on a GitHub, you mostly have a developer’s community.
Among our clients, like the commercial clients, you have also a very specific group of people who are taking care of something which is very important for the enterprises, but they have absolutely different use cases to the, like a regular developer who is a volunteer on a GitHub doing some work on OpenSSL. And by creating OpenSSL communities and identifying the…
different group of people and we have an academics community there. We have individuals group here. We have committers. Committers are people who have the rights to commit to the code and they do the hard lifting of the code like the OpenSSL library development. We also have a large and small businesses community and it’s amazing to see how it works because the different parts of the different communities, they have different dynamics.
And first of all, it was the first time in our lives when we were seeing people different from developers who actually give us some feedback on the library, which we never had before. And it was fantastic. So that’s one thing we resolved. Another thing is that OpenSSL is an old project. It’s like 26 years old by now. And we used to be famous.
by some of our decisions, engineering decisions, about certain implementation or certain things about our future. So we left, I think if we will count the people who who loves OpenSSL and who hates OpenSSL, it would be roughly like 50-50. And to explain some people who didn’t understand why we did a certain decision in a certain way.
Sometimes it’s impossible just because the context is huge, just because we cannot share something, just because we lost something. And OpenSSL communities is a place where we, which is meant to be a place where these decisions are happening. So once we are facing a decision that changes an OpenSSL in certain way, we would like to have a feedback from the communities. We would like to have a poll and a decision.
made on an OpenSSL communities website so that we can get back to this decision, we can see why it was made, how it was made, and etc. So in a sense, OpenSSL communities is a place where people can influence the future of OpenSSL. So if you want something from the library, you should come to the OpenSSL communities and you should be vocal there. And as a good example, also I’m thinking as a huge success,
for the large businesses communities. There is happening something I never saw in the past. So we have a member who is representative of a large businesses community and he holds a meeting once a month with a large businesses community. And there are people on a call from Amazon, there are people from NetApp, from Cisco and other like huge companies. And you don’t see often engineers.
from such huge companies sitting at one call and talking about the security problems they’re facing and also discussing what OpenSSL can help with, for example. So it’s amazing. And I welcome everyone to join this community and actually join the call.
Josh Bressers (26:08) Wow, that’s, I had no idea that was a thing. I just looked it up while you were talking and yeah, I see you’ve got what? Academics, committers, distributions, which is Linux distributions. Well, I guess it’s probably more than that now. I mean, back in my day, you know, individuals, large businesses, small businesses, like that is, that’s so cool. And I love that, right? That is the open source way. And I feel like this is a good start to building a community.
Anton Arapov (26:19) It’s more than that.
Josh Bressers (26:36) Because one of my favorites, I mean, Anton, you and I have been in this game for a long time and you know the old, patches welcome, which is just a way of being like, F off, we don’t want you here, you know, but, cause open source is hard to, a project like OpenSSL that is legendary and old is, I don’t even know, if someone said, how could I break into working on OpenSSL? I don’t even know where I’d start. Just cause it, now you have an answer, but wow, wow, this is so cool.
Anton Arapov (27:04) Yeah, we have a number of entry points and we actually have an entirely different show talking about the way we trying to tackle communities in OpenSSL. Yeah.
Josh Bressers (27:16) That’s super cool. I mean, we’ll have to have probably, have you come back sometime to talk about just this because I feel like this feels like a good step in the right direction for just open source projects in general, because I think it is hard to get started and know how to contribute and even knowing what a project wants or needs or projects knowing what their users want or need. Cause man, I mean.
Anton Arapov (27:29) Thank you.
One of the feedbacks we got just last week from a person who is involved in OpenSSL communities in a way that he’s like active and he got, my God, guys. I’m like at my work, I’m working with a plenty of OpenSSL projects and you did something which is like makes it totally different. The communication with you is easy. I know what is happening.
I know who to talk to, how to influence you, and etc. In general, we’re getting this like good feedbacks, but this one was particularly outstanding.
Josh Bressers (28:19) I love it. I love it so much. All right, Hana, land this plane for us. Anyone interested in learning more about the OpenSSL conference coming up? What should they do? How can they get involved? What’s next?
Hana Andersen (28:31) They should come to our conference webpage, which is openssl-conference.org or yes, yes, or they can just contact us, you know, whoever from the team or me, which is hana at openssl.org.
Josh Bressers (28:39) And I’ll put a link in the show notes for anyone looking for links to stuff.
Awesome. All right. I mean, I guess at this point, I wish you both luck. I know how much effort this is and luck is all you have left at this point. So it’s exciting though. It’s so much fun though. And here’s the thing. Here’s the thing I love about conferences is it almost doesn’t even matter what things are gonna go wrong, but people are gonna have a blast and you’re gonna meet awesome folks and.
Hana Andersen (28:57) Thank you.
Yes, thank you. Thank you.
Josh Bressers (29:16) And if you’re at the conference, you know, obviously say hi to Hana and Anton. Hana will be the person running around like crazy, I’m sure. But, this is so cool. I am ecstatic to see how this all turns out. So yes, until next time. Thank you so much.
Hana Andersen (29:32) Thank you, Josh.
Anton Arapov (29:32) Thank you.