Upgrade to Pro — share decks privately, control downloads, hide ads and more …

The Heartbleed Test @ OWASP / NYU Poly

Filippo Valsorda
June 24, 2014
Programming
0
13k

The Heartbleed Test @ OWASP / NYU Poly

The story behind the https://filippo.io/Heartbleed test, how it worked and how it scaled from zero to performing 200 millions tests the first two weeks.

Talk given at the NYC OWASP meeting @ NYU Poly on Tue, June 24th 2014.

Recording: https://vimeo.com/99428593

Filippo Valsorda

June 24, 2014
Tweet

More Decks by Filippo Valsorda

See All by Filippo Valsorda
Asynchronous networking @ GopherCon 2018
filosottile
3
1.9k
Le note cifrate di Antonio Marzi
filosottile
1
350
Why cgo is slow @ CapitalGo 2018
filosottile
2
4.3k
Squeezing a key through a carry bit @ 34c3
filosottile
0
1.5k
Calling Rust from Go, without cgo @ GothamGo 2017
filosottile
1
2.5k
You, latency and profiling @ GolangUK 2017
filosottile
0
1.1k
Encrypting the Internet with Go @ GopherCon 2017
filosottile
9
2.6k
You, latency and profiling @ GopherCon India 2017
filosottile
13
3.9k
TLS 1.3 @ 33c3
filosottile
4
6.7k

Other Decks in Programming

See All in Programming
Generative AI Use Cases JP (略称:GenU)奮闘記
hideg
1
290
Remix on Hono on Cloudflare Workers
yusukebe
1
290
C++でシェーダを書く
fadis
6
4.1k
【Kaigi on Rails 2024】YOUTRUST スポンサーLT
krpk1900
1
330
よくできたテンプレート言語として TypeScript + JSX を利用する試み / Using TypeScript + JSX outside of Web Frontend #TSKaigiKansai
izumin5210
6
1.7k
Click-free releases & the making of a CLI app
oheyadam
2
110
ローコードSaaSのUXを向上させるためのTypeScript
taro28
1
610
Better Code Design in PHP
afilina
PRO
0
120
TypeScriptでライブラリとの依存を限定的にする方法
tutinoko
2
660
subpath importsで始めるモック生活
10tera
0
300
受け取る人から提供する人になるということ
little_rubyist
0
230
見せてあげますよ、「本物のLaravel批判」ってやつを。
77web
7
7.7k

Featured

See All Featured
A better future with KSS
kneath
238
17k
Building a Scalable Design System with Sketch
lauravandoore
459
33k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
665
120k
What's new in Ruby 2.0
geeforr
343
31k
Optimising Largest Contentful Paint
csswizardry
33
2.9k
Six Lessons from altMBA
skipperchong
27
3.5k
Building Your Own Lightsaber
phodgson
103
6.1k
Thoughts on Productivity
jonyablonski
67
4.3k
Into the Great Unknown - MozCon
thekraken
32
1.5k
Fantastic passwords and where to find them - at NoRuKo
philnash
50
2.9k
Product Roadmaps are Hard
iamctodd
PRO
49
11k
Designing the Hi-DPI Web
ddemaree
280
34k

Transcript

  1. The Heartbleed test Filippo Valsorda

  2. Filippo Valsorda @FiloSottile [hi@|www.]filippo.io

  3. None

  4. What  is   Heartbleed  

  5. Let’s  be  serious,   you  all  know  that!  

  6. When  I  found  out   first  thing  was   looking

     at  the  commit   (        )  
  7. None

  8. OK,  so  it’s  the  length.   But  it’s  still  not

     clear.   Let’s  check  the  RFC.  
  9. None

  10. JACKPOT.   (why!?)  

  11. The  first  version.   (A  small  wrapper  and  a  patch

     to  crypto/tls)       •  A  Go  tool  

  12. 66 LoC

  13. 12 LoC

  14. The  first  version.   (Calling  the  tool  for  each  request)

          •  A  Go  tool   •  A  Python  HTTP  API  

  15. 26 LoC

  16. The  first  version.   •  A  Go  tool   • 

    A  Python  HTTP  API   •  A  GH  Pages  site   (Static,  simple)      
  17. None

  18. And  suddenly…  

  19. The  traffic!  

  20. 2014-04-08T11:00:00Z (requests/min)

  21. 2014-04-09T00:00:00Z

  22. 2014-04-09T11:00:00Z

  23. 2014-04-10T00:00:00Z

  24. 2014-04-11T00:00:00Z

  25. 2014-04-17T00:00:00Z

  26. 2014-04-21T00:00:00Z

  27. And on, and on…

  28. 203,190,914  tests   Total:   in  the  first  14  days

     

  29. The  site  evolved,  so   quickly  that  it  was  

    hard  keeping  up!  

  30. Initially  it  was  a  tool   for  industry  people  

  31. Then  the  new  users:   First  from  the  media  

  32. And  finally,   The  extensions!  

  33. The  final  setup   Website:   Static,  hosted  on  

    GitHub  Pages  

  34. The  final  setup   Backend:   Amazon  AWS,   EC2

     behind  a  ELB   (40  of  them!)  

  35. The  final  setup   Servers:   Pure  Go  concurrent  

    web/test  servers  

  36. The  final  setup   SSL  (later):   CloudFlare  

  37. The  final  setup   Cache  (way  later):   1hr  on

     Amazon   NoSQL  (DynamoDB)  

  38. The  bug  :(  

  39. The  bug  :(  

  40. Logging  

  41. Logging   Only  logged  results   No  ads   No

     analytics  

  42. %  of  vulnerable  results  

  43. %  of  vulnerable  hosts  

  44. The  feedback  

  45. Help  with  the  code  

  46. Credits  for  AWS  

  47. Donations  

  48. Reddit  AMA  

  49. And…  well,  people  

  50. And…  well,  people  

  51. Q?  A!   @FiloSottile   [hi@|www.]filippo.io