Students at Rochester Institute of Technology tackle OpenSSL issues to strengthen global encryption and protect internet communications worldwide

Rochester, New York – Students Step Into the Core of Internet Security by Fixing OpenSSL Issues That Protect Global Encryption

In a classroom that feels more like a real-world security lab than a traditional lecture hall, students at the Rochester Institute of Technology are working on something that quietly supports almost everything people do online. From banking to messaging to browsing, encrypted communication depends heavily on OpenSSL, and now students are directly helping keep it stable and secure.

Through a cybersecurity course at Rochester Institute of Technology, students have spent three semesters identifying and fixing issues in OpenSSL, a widely used open-source encryption toolkit. The work is not simulated. Their code is reviewed, tested, and in some cases merged into a system that powers a large portion of the global internet.

OpenSSL itself is not a niche tool. It is a foundational piece of infrastructure used by major technology and financial companies around the world, including Google, Amazon, Microsoft, Cisco, and Meta. It supports encrypted communication for roughly two-thirds of websites and servers globally, making its reliability a matter of global digital safety rather than academic exercise.

For students, the experience comes with a rare sense of scale. One of them, fourth-year cybersecurity major Jose Luis Gonzalez, described how surprising it was to realize how deeply embedded the software is in everyday life.

Read also: Governor Kathy Hochul joins veterans and Gold Star families during Memorial Day ceremony honoring fallen service members in Albany

“OpenSSL is kind of the backbone of the internet and even if you didn’t know about it, you’ve most likely used it to protect data when accessing a website,” said Jose Luis Gonzalez, a fourth-year cybersecurity major, who took the course. “It’s really rewarding and cool to know that I’ve contributed to it.”

The course, titled Open Source Software Security, is led by Professor Billy Brumley, an expert whose work is closely tied to OpenSSL development. Brumley is the Kevin O’Sullivan Endowed Professor in Cybersecurity and also serves on the OpenSSL Business Advisory Committee. His classroom approach is built around real contribution rather than theoretical assignments.

Students search through OpenSSL’s public GitHub repository, where more than 1,000 issues are often open at any given time. Their job is to select a problem, understand it, and then write working code that can fix or improve part of the system. The expectation is not just to learn coding, but to produce something strong enough to survive real-world scrutiny from professional maintainers.

Brumley explained that OpenSSL has long been central to both his research and professional work. He also pointed out that the project represents a critical shift in how cybersecurity education should be approached.

“Early in my career, I enjoyed offensive security and finding vulnerabilities—like many students,” said Brumley. “I thought I could report a problem and someone would just magically fix it. But realistically, knowing how to fix things yourself is equally as important for security professionals.”

That idea forms the backbone of the course. Students are not only taught how to find weaknesses, but also how to repair them properly, test them thoroughly, and ensure they do not reappear in future updates. Many also gain hands-on experience with C programming, a language still widely used in infrastructure systems due to its speed and stability, even though it is often considered older and more difficult than modern alternatives.

Read also: Governor Hochul secures federal USDA disaster declaration to help Long Island aquaculture growers recover from massive winter losses

One of the students’ key tasks involves creating regression tests. These are automated checks that ensure previously discovered problems do not return after future updates. For Gonzalez, that process became one of the most meaningful parts of the experience.

“At first, the idea of working on OpenSSL was daunting,” said Gonzalez, who is completing a Combined accelerated BS/MS degree option in cybersecurity.

His project focused on building a test that could run automatically whenever changes were made to the OpenSSL codebase. The goal was simple but essential: catch errors before they become real-world security risks.

“When you encounter a troublesome issue, it’s important to have a test for it so you know the problem isn’t happening again,” said Gonzalez. “You don’t want new updates to reintroduce the issue.”

The process was far from instant. Over roughly two and a half months, Gonzalez worked through design planning, coding, debugging, and multiple rounds of review with OpenSSL maintainers. He had to correct technical errors, adjust formatting, and refine the structure of his submission to meet strict project standards. Each revision brought him closer to final approval.

Eventually, his work was accepted and integrated into the system. That means his code now runs automatically whenever developers submit updates to OpenSSL.

“Now, every time someone pushes a new change, the test I wrote is going to run,” said Gonzalez. “It’s really rewarding that my contribution is going to persist through.”

This year alone, 20 pull requests from the RIT class were merged into OpenSSL. Across multiple semesters, students from Brumley’s courses have contributed around 60 merged improvements in total. As a gesture of appreciation, OpenSSL even sent branded swag to the class, a small but symbolic acknowledgment of their contributions.

For Gonzalez, the experience has already extended beyond the classroom. He is currently working as a security engineer intern at Amazon in Austin, Texas. He said that his involvement with OpenSSL often becomes a conversation starter in the workplace, especially when colleagues notice his course T-shirt.

Brumley is expected to continue teaching the course in Fall 2026, and he is also exploring the possibility of formal co-op partnerships with OpenSSL Corp. The long-term goal is to create a stronger pipeline between academic learning and direct contributions to critical open-source infrastructure.

In a digital world where encryption quietly protects nearly every online interaction, these students are gaining more than experience. They are helping maintain the very systems that keep the internet secure, one line of code at a time.