Upgrade to Pro — share decks privately, control downloads, hide ads and more …

The Heartbleed Test @ OWASP / NYU Poly

Filippo Valsorda
June 24, 2014
Programming
0
13k

The Heartbleed Test @ OWASP / NYU Poly

The story behind the https://filippo.io/Heartbleed test, how it worked and how it scaled from zero to performing 200 millions tests the first two weeks.

Talk given at the NYC OWASP meeting @ NYU Poly on Tue, June 24th 2014.

Recording: https://vimeo.com/99428593

Filippo Valsorda

June 24, 2014
Tweet

More Decks by Filippo Valsorda

See All by Filippo Valsorda
Asynchronous networking @ GopherCon 2018
filosottile
3
1.8k
Le note cifrate di Antonio Marzi
filosottile
1
290
Why cgo is slow @ CapitalGo 2018
filosottile
2
4k
Squeezing a key through a carry bit @ 34c3
filosottile
0
1.4k
Calling Rust from Go, without cgo @ GothamGo 2017
filosottile
1
2.3k
You, latency and profiling @ GolangUK 2017
filosottile
0
970
Encrypting the Internet with Go @ GopherCon 2017
filosottile
9
2.5k
You, latency and profiling @ GopherCon India 2017
filosottile
13
3.6k
TLS 1.3 @ 33c3
filosottile
4
6.4k

Other Decks in Programming

See All in Programming
PHPの次期バージョンはこの時期どうなっているのか - Internalsの開発体制について - PHPカンファレンス小田原
youkidearitai
PRO
1
190
Git Lint
bkuhlmann
4
750
SIMD Parallel Programming with the Vector API
josepaumard
0
170
ゆるい個人開発のススメ
kuroppe1819
10
990
Apache Hive 4 on Treasure Data
ryukobayashi
0
310
Netty Chicago Java User Group 2024-04-17
sullis
0
170
educure_カリキュラム生操作マニュアル.pdf
linew_official
0
790
Ruby Function Composition
bkuhlmann
1
330
PHPはいつから死んでいるかの調査
chiroruxx
1
400
Changed Rules: Architectures with Lightweight Stores
manfredsteyer
PRO
0
240
PHP8.3の機能を振り返る / Review of PHP 8.3 features
seike460
PRO
1
110
FigmaとPHPで作る1ミリたりとも表示崩れしない最強の帳票印刷ソリューション
ttskch
43
19k

Featured

See All Featured
How to train your dragon (web standard)
notwaldorf
73
5.2k
The Cult of Friendly URLs
andyhume
74
5.7k
5 minutes of I Can Smell Your CMS
philhawksworth
199
19k
KATA
mclloyd
15
12k
Practical Orchestrator
shlominoach
182
9.7k
Building a Scalable Design System with Sketch
lauravandoore
456
32k
Being A Developer After 40
akosma
57
580k
How to Ace a Technical Interview
jacobian
272
22k
Teambox: Starting and Learning
jrom
128
8.4k
YesSQL, Process and Tooling at Scale
rocio
164
13k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
14
1.5k
Intergalactic Javascript Robots from Outer Space
tanoku
266
26k

Transcript

  1. The Heartbleed test Filippo Valsorda

  2. Filippo Valsorda @FiloSottile [hi@|www.]filippo.io

  3. None

  4. What  is   Heartbleed  

  5. Let’s  be  serious,   you  all  know  that!  

  6. When  I  found  out   first  thing  was   looking

     at  the  commit   (        )  
  7. None

  8. OK,  so  it’s  the  length.   But  it’s  still  not

     clear.   Let’s  check  the  RFC.  
  9. None

  10. JACKPOT.   (why!?)  

  11. The  first  version.   (A  small  wrapper  and  a  patch

     to  crypto/tls)       •  A  Go  tool  

  12. 66 LoC

  13. 12 LoC

  14. The  first  version.   (Calling  the  tool  for  each  request)

          •  A  Go  tool   •  A  Python  HTTP  API  

  15. 26 LoC

  16. The  first  version.   •  A  Go  tool   • 

    A  Python  HTTP  API   •  A  GH  Pages  site   (Static,  simple)      
  17. None

  18. And  suddenly…  

  19. The  traffic!  

  20. 2014-04-08T11:00:00Z (requests/min)

  21. 2014-04-09T00:00:00Z

  22. 2014-04-09T11:00:00Z

  23. 2014-04-10T00:00:00Z

  24. 2014-04-11T00:00:00Z

  25. 2014-04-17T00:00:00Z

  26. 2014-04-21T00:00:00Z

  27. And on, and on…

  28. 203,190,914  tests   Total:   in  the  first  14  days

     

  29. The  site  evolved,  so   quickly  that  it  was  

    hard  keeping  up!  

  30. Initially  it  was  a  tool   for  industry  people  

  31. Then  the  new  users:   First  from  the  media  

  32. And  finally,   The  extensions!  

  33. The  final  setup   Website:   Static,  hosted  on  

    GitHub  Pages  

  34. The  final  setup   Backend:   Amazon  AWS,   EC2

     behind  a  ELB   (40  of  them!)  

  35. The  final  setup   Servers:   Pure  Go  concurrent  

    web/test  servers  

  36. The  final  setup   SSL  (later):   CloudFlare  

  37. The  final  setup   Cache  (way  later):   1hr  on

     Amazon   NoSQL  (DynamoDB)  

  38. The  bug  :(  

  39. The  bug  :(  

  40. Logging  

  41. Logging   Only  logged  results   No  ads   No

     analytics  

  42. %  of  vulnerable  results  

  43. %  of  vulnerable  hosts  

  44. The  feedback  

  45. Help  with  the  code  

  46. Credits  for  AWS  

  47. Donations  

  48. Reddit  AMA  

  49. And…  well,  people  

  50. And…  well,  people  

  51. Q?  A!   @FiloSottile   [hi@|www.]filippo.io