Upgrade to Pro — share decks privately, control downloads, hide ads and more …

The Heartbleed test adventure @ Hack.lu 2014

Avatar for Filippo Valsorda Filippo Valsorda
October 21, 2014
Programming
0
150

The Heartbleed test adventure @ Hack.lu 2014

Avatar for Filippo Valsorda

Filippo Valsorda

October 21, 2014
Tweet

More Decks by Filippo Valsorda

See All by Filippo Valsorda
Asynchronous networking @ GopherCon 2018
Avatar for Filippo Valsorda filosottile
3
2.1k
Le note cifrate di Antonio Marzi
Avatar for Filippo Valsorda filosottile
1
400
Why cgo is slow @ CapitalGo 2018
Avatar for Filippo Valsorda filosottile
2
4.6k
Squeezing a key through a carry bit @ 34c3
Avatar for Filippo Valsorda filosottile
0
1.7k
Calling Rust from Go, without cgo @ GothamGo 2017
Avatar for Filippo Valsorda filosottile
1
2.7k
You, latency and profiling @ GolangUK 2017
Avatar for Filippo Valsorda filosottile
0
1.2k
Encrypting the Internet with Go @ GopherCon 2017
Avatar for Filippo Valsorda filosottile
9
2.6k
You, latency and profiling @ GopherCon India 2017
Avatar for Filippo Valsorda filosottile
13
4k
TLS 1.3 @ 33c3
Avatar for Filippo Valsorda filosottile
4
6.9k

Other Decks in Programming

See All in Programming
React 使いじゃなくても知っておきたい教養としての React
Avatar for Yuka O’oka oukayuka
18
5.7k
Comparing decimals in Swift Testing
Avatar for 417.72KI 417_72ki
0
170
Google I/O Extended Incheon 2025 ~ What's new in Android development tools
Avatar for pluulove (노현석) pluu
1
270
物語を動かす行動"量" #エンジニアニメ
Avatar for konifar konifar
14
5k
エンジニアのための”最低限いい感じ”デザイン入門
Avatar for しゅん🌙 shunshobon
0
110
新世界の理解
Avatar for Akihito Koriyama koriym
0
130
kiroでゲームを作ってみた
Avatar for 入井 啓太 iriikeita
0
160
20250808_AIAgent勉強会_ClaudeCodeデータ分析の実運用〜競馬を題材に回収率100%の先を目指すメソッドとは〜
Avatar for Kakeru Sato kkakeru
0
170
CEDEC 2025 『ゲームにおけるリアルタイム通信への QUIC導入事例の紹介』
Avatar for SEGADevTech segadevtech
3
870
Webinar: AI-Powered Development: Transformiere deinen Workflow mit Coding Tools und MCP Servern
Avatar for Daniel Sogl danielsogl
0
130
Flutter로 Gemini와 MCP를 활용한 Agentic App 만들기 - 박제창 2025 I/O Extended Seoul
Avatar for JaiChangPark itsmedreamwalker
0
140
管你要 trace 什麼、bpftrace 用下去就對了 — COSCUP 2025
Avatar for shunghsiyu shunghsiyu
0
410

Featured

See All Featured
YesSQL, Process and Tooling at Scale
Avatar for Rocio Delgado rocio
173
14k
Fight the Zombie Pattern Library - RWD Summit 2016
Avatar for Marcelo Somers marcelosomers
234
17k
VelocityConf: Rendering Performance Case Studies
Avatar for Addy Osmani addyosmani
332
24k
Sharpening the Axe: The Primacy of Toolmaking
Avatar for Bryan Cantrill bcantrill
44
2.4k
Embracing the Ebb and Flow
Avatar for Simon Collison colly
86
4.8k
Intergalactic Javascript Robots from Outer Space
Avatar for Vicent Martí tanoku
272
27k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
Avatar for Dan Newman danielanewman
229
22k
JavaScript: Past, Present, and Future - NDC Porto 2020
Avatar for David Neal reverentgeek
50
5.5k
Distributed Sagas: A Protocol for Coordinating Microservices
Avatar for Caitie McCaffrey caitiem20
333
22k
Designing for humans not robots
Avatar for Tammie Lister tammielis
253
25k
[RailsConf 2023 Opening Keynote] The Magic of Rails
Avatar for Eileen M. Uchitelle eileencodes
30
9.6k
GraphQLとの向き合い方2022年版
Avatar for Yosuke Kurami quramy
49
14k

Transcript

  1. The  Heartbleed  test   adventure Filippo  Valsorda

  2. Filippo  Valsorda CloudFlare  security  team   @FiloSottile   I  mess

     with  cryptography.   And  open  source.   ! {  https://  |  hi@  }  filippo.io
  3. None

  4. What  is   Heartbleed

  5. Let’s  be  serious,   you  all  know  that!

  6. When  I  found  out   first  thing  was  looking  

    at  the  commit (        )
  7. None

  8. OK,  so  it’s  the  length.   But  it’s  still  not

     clear.   Let’s  check  the  RFC.
  9. None

  10. JACKPOT.   (why!?)

  11. The  first  version. (A  small  wrapper  and  a  patch  to

     crypto/tls)     • A  Go  tool

  12. 66 LoC

  13. 12 LoC

  14. The  first  version. (Calling  the  tool  for  each  request)  

      • A  Go  tool   • A  Python  HTTP  API

  15. 26 LoC

  16. The  first  version. • A  Go  tool   • A

     Python  HTTP  API   • A  GH  Pages  site (Static,  simple)    
  17. None

  18. And  suddenly…

  19. The  traffic!

  20. 2014-04-08T11:00:00Z (requests/min)

  21. 2014-04-09T00:00:00Z

  22. 2014-04-09T11:00:00Z

  23. 2014-04-10T00:00:00Z

  24. 2014-04-11T00:00:00Z

  25. 2014-04-17T00:00:00Z

  26. 2014-04-21T00:00:00Z

  27. And on, and on…

  28. 203,190,914  tests Total: in  the  first  14  days

  29. The  site  evolved,  so   quickly  that  it  was  

    hard  keeping  up!

  30. Initially  it  was  a  tool   for  industry  people

  31. Then  the  new  users:   First  from  the  media

  32. And  finally,   The  extensions!

  33. The  final  setup Website:   Static,  hosted  on   GitHub

     Pages

  34. The  final  setup Backend:   Amazon  AWS,   EC2  behind

     a  ELB   (40  of  them!)

  35. The  final  setup Servers:   Pure  Go  concurrent   web/test

     servers

  36. The  final  setup SSL  (later):   CloudFlare

  37. The  final  setup Cache  (way  later):   1hr  on  Amazon

      NoSQL  (DynamoDB)

  38. The  bug  :(

  39. The  bug  :(

  40. Logging

  41. Logging Only  logged  results No  ads No  analytics

  42. %  of  vulnerable  results

  43. %  of  vulnerable  hosts

  44. The  feedback

  45. Help  with  the  code  

  46. Credits  for  AWS

  47. Donations

  48. Reddit  AMA

  49. And…  well,  people

  50. And…  well,  people

  51. Q?  A! @FiloSottile   {  https://  |  hi@  }  filippo.io