A tiny and relatively unknown TLS library written in Rust, an up-and-coming programming language, outperformed the industry-standard OpenSSL in almost every major category.

The findings are the result of a recent four-part series of benchmarks [1, 2, 3, 4] carried out by Joseph Birr-Pixton, the developer behind the Rustls library.

Benchmark results

The findings showed that Rustls was 10% faster when setting up and negotiating a new server connection, and between 20 and 40% faster when setting up a client connection.

But while handshake speeds for new TLS connections are important, most TLS traffic relies on resuming previously negotiated handshakes. Here, too, Rustls outperformed the aging OpenSSL, being between 10 and 20% in resuming a connection on the server-side, and being between 30 and 70% quicker to resume a client connection.

Furthermore, Rustls also fared better in sheer bulk performance -- or the speed at which data is transferred over the TLS connection. Birr-Pixton said Rustls could send data 15% faster than OpenSSL, and receive it 5% faster as well.

Last, but not least, the Rustls creator also said his library only used half of the memory required to run OpenSSL, a major advantage.

In the past, OpenSSL has been often criticized for its large memory footprint and the large number of security bugs found in its code. Because Rustls was coded in Rust, the issues with security flaws are largely addressed by the design of the Rust language itself, which was designed from the ground-up to avoid memory-related security bugs.

Based on the results of these benchmarks, Rustls appears to have also addressed the issue of performance, making it an ideal replacement for web services that still rely on the old OpenSSL.

love it, we nuked our OpenSSL usage at @EmbarkStudios and just use Rustls statically linked in and never want to go back — Johan Andersson (@repi) July 3, 2019

Rust adoption growing

Birr-Pixton's Rustls-OpenSSL performance tests come to support a rising notion that Rust, overall, is now generally faster than C++.

The fact that a Rust-based library beat the C and C++-based OpenSSL is not a surprise anymore. After years under development, Rust is now a very mature programming language.

Created by Mozilla, Rust was developed from the ground up to prevent memory management-related bugs, which are usually at the heart of most security flaws in C and C++ applications.

While the Rust project was ridiculed in the beginning, it is now being adopted at a rapid pace, and the decisions behind its safety-first design have proven a success.

Browsers like Firefox and Brave currently rely on Rust components, and large companies like Cloudflare, Dropbox, Yelp, and npm, have also adopted it for production systems.

The Tor Project is also experimenting with Rust, and Facebook's recently launched Libra cryptocurrency will also be using it.

Furthermore, this week, Microsoft also announced plans to explore using Rust as a replacement for C and C++.

Besides big tech, the language is also popular with everyday developers. Rust has come out on top as the most popular programming language in StackOverflow's developer survey for the past five years, in 2016, 2017, 2018, and 2019.

Related cybersecurity coverage: