Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
The Heartbleed test adventure @ Hack.lu 2014
Search
Filippo Valsorda
October 21, 2014
Programming
0
140
The Heartbleed test adventure @ Hack.lu 2014
Filippo Valsorda
October 21, 2014
Tweet
Share
More Decks by Filippo Valsorda
See All by Filippo Valsorda
Asynchronous networking @ GopherCon 2018
filosottile
3
2k
Le note cifrate di Antonio Marzi
filosottile
1
360
Why cgo is slow @ CapitalGo 2018
filosottile
2
4.4k
Squeezing a key through a carry bit @ 34c3
filosottile
0
1.6k
Calling Rust from Go, without cgo @ GothamGo 2017
filosottile
1
2.6k
You, latency and profiling @ GolangUK 2017
filosottile
0
1.1k
Encrypting the Internet with Go @ GopherCon 2017
filosottile
9
2.6k
You, latency and profiling @ GopherCon India 2017
filosottile
13
4k
TLS 1.3 @ 33c3
filosottile
4
6.7k
Other Decks in Programming
See All in Programming
1年目の私に伝えたい!テストコードを怖がらなくなるためのヒント/Tips for not being afraid of test code
push_gawa
1
510
楽しく向き合う例外対応
okutsu
0
590
Domain-Driven Transformation
hschwentner
2
1.9k
パスキーのすべて ── 導入・UX設計・実装の紹介 / 20250213 パスキー開発者の集い
kuralab
3
880
密集、ドキュメントのコロケーション with AWS Lambda
satoshi256kbyte
1
210
Djangoアプリケーション 運用のリアル 〜問題発生から可視化、最適化への道〜 #pyconshizu
kashewnuts
1
260
責務と認知負荷を整える! 抽象レベルを意識した関心の分離
yahiru
8
1.3k
PRレビューのお供にDanger
stoticdev
1
230
複数のAWSアカウントから横断で 利用する Lambda Authorizer の作り方
tc3jp
0
110
5分で理解する SOLID 原則 #phpcon_nagoya
shogogg
1
300
CDKを使ったPagerDuty連携インフラのテンプレート化
shibuya_shogo
0
100
機能が複雑化しても 頼りになる FactoryBotの話
tamikof
0
110
Featured
See All Featured
Designing for humans not robots
tammielis
250
25k
[RailsConf 2023] Rails as a piece of cake
palkan
53
5.3k
Docker and Python
trallard
44
3.3k
GitHub's CSS Performance
jonrohan
1030
460k
Practical Orchestrator
shlominoach
186
10k
Bootstrapping a Software Product
garrettdimon
PRO
306
110k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
231
53k
Art, The Web, and Tiny UX
lynnandtonic
298
20k
Automating Front-end Workflow
addyosmani
1368
200k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
30
2.2k
Build The Right Thing And Hit Your Dates
maggiecrowley
34
2.5k
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
7
640
Transcript
The Heartbleed test adventure Filippo Valsorda
Filippo Valsorda CloudFlare security team @FiloSottile I mess
with cryptography. And open source. ! { https:// | hi@ } filippo.io
None
What is Heartbleed
Let’s be serious, you all know that!
When I found out first thing was looking
at the commit ( )
None
OK, so it’s the length. But it’s still not
clear. Let’s check the RFC.
None
JACKPOT. (why!?)
The first version. (A small wrapper and a patch to
crypto/tls) • A Go tool
66 LoC
12 LoC
The first version. (Calling the tool for each request)
• A Go tool • A Python HTTP API
26 LoC
The first version. • A Go tool • A
Python HTTP API • A GH Pages site (Static, simple)
None
And suddenly…
The traffic!
2014-04-08T11:00:00Z (requests/min)
2014-04-09T00:00:00Z
2014-04-09T11:00:00Z
2014-04-10T00:00:00Z
2014-04-11T00:00:00Z
2014-04-17T00:00:00Z
2014-04-21T00:00:00Z
And on, and on…
203,190,914 tests Total: in the first 14 days
The site evolved, so quickly that it was
hard keeping up!
Initially it was a tool for industry people
Then the new users: First from the media
And finally, The extensions!
The final setup Website: Static, hosted on GitHub
Pages
The final setup Backend: Amazon AWS, EC2 behind
a ELB (40 of them!)
The final setup Servers: Pure Go concurrent web/test
servers
The final setup SSL (later): CloudFlare
The final setup Cache (way later): 1hr on Amazon
NoSQL (DynamoDB)
The bug :(
The bug :(
Logging
Logging Only logged results No ads No analytics
% of vulnerable results
% of vulnerable hosts
The feedback
Help with the code
Credits for AWS
Donations
Reddit AMA
And… well, people
And… well, people
Q? A! @FiloSottile { https:// | hi@ } filippo.io