Now the CII has selected which protocols will be the first in line to receive the foundation's time and effort. OpenSSL is on the list, as are two other projects with their own histories of issues: OpenSSH and NTP (Network Time Protocol).
First is OpenSSL, which will be receiving funding to support two full-time core developers. A separate initiative -- the Open Crypto Audit Project, best known for its auditing of TrueCrypt's source code -- will receive CII funds to perform its own audit of OpenSSL's code.
Then there's OpenSSH, a widely used utility for making secure command-line connections to servers and appliances that run some manner of Unix-like OS. Administrators rely on it routinely, making it a target for attacks like credential-stealing malware. Word of security issues within OpenSSH itself have turned up over time, some legit and some not. All this means some degree of investment in OpenSSH's protection is worth the effort, since it constitutes protecting a standard point of ingress.
The third project on the roster, NTP, is a dark horse because its security issues remained relatively unexploited until recently. A method known as "NTP reflection" was recently used to launch a DDoS attack on content delivery network CloudFlare, and again, the breadth of use for NTP makes it a prime choice for attackers.
Details about what will happen with OpenSSH and NTP are still sketchy, but according to a Linux Foundation spokesperson, both "will be receiving support for developers as well as infrastructure support."
Another project that seems like a strong fit for CII's efforts is an aging Internet protocol that has been implicated in a number of incidents that could either be attacks or misconfigurations: the border gateway protocol (BGP). Problems with the BGP have surfaced from time to time, most recently in a massive rerouting of Internet traffic through hosts in Belarus and Iceland. At least one existing proposal has been drafted to address BGP security, so perhaps the rising tide of CII's work will help lift that particular boat too.