The Heartbleed test adventure @ Hack.lu 2014
Filippo Valsorda
October 21, 2014
Transcript
The Heartbleed test adventure
Filippo Valsorda

Filippo Valsorda, CloudFlare security team, @FiloSottile. I mess with cryptography. And open source. { https:// | hi@ } filippo.io

What is Heartbleed? Let's be serious, you all know that!

When I found out, the first thing was looking at the commit ( )

OK, so it's the length. But it's still not clear. Let's check the RFC.

JACKPOT. (why!?)
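The length check that the slides are pointing at, as an added example (not code from the talk, from the test tool, or from OpenSSL) written in Go because the tool was Go: a heartbeat record is laid out as in RFC 6520 and the parser only trusts payload_length if header, payload and minimum padding fit inside the bytes actually received; BuildHeartbeat is an assumed helper that constructs test input, including a record whose payload_length overstates the real payload.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// RFC 6520 HeartbeatMessage: type (1) | payload_length (2, big endian) | payload | padding (>= 16)
const (
	heartbeatRequest = 1
	headerLen        = 3
	minPadding       = 16
)

// ErrBadLength is returned when payload_length does not fit the record.
var ErrBadLength = errors.New("heartbeat: payload_length exceeds record length")

// ParseHeartbeat performs the bounds check that the vulnerable code skipped:
// payload_length is only trusted if header + payload + minimum padding fit
// inside the received record; otherwise the message is silently discarded.
func ParseHeartbeat(rec []byte) (msgType byte, payload []byte, err error) {
	if len(rec) < headerLen+minPadding {
		return 0, nil, ErrBadLength
	}
	claimed := int(binary.BigEndian.Uint16(rec[1:3]))
	if headerLen+claimed+minPadding > len(rec) {
		return 0, nil, ErrBadLength // the Heartbleed case: claimed length > real payload
	}
	return rec[0], rec[headerLen : headerLen+claimed], nil
}

// BuildHeartbeat assembles a request record with the given payload and a
// caller-chosen payload_length field (constructed test input, well-formed or not).
func BuildHeartbeat(payload []byte, claimedLen uint16) []byte {
	rec := make([]byte, 0, headerLen+len(payload)+minPadding)
	rec = append(rec, heartbeatRequest)
	var lenField [2]byte
	binary.BigEndian.PutUint16(lenField[:], claimedLen)
	rec = append(rec, lenField[:]...)
	rec = append(rec, payload...)
	return append(rec, make([]byte, minPadding)...)
}

func main() {
	for _, claimed := range []uint16{3, 0xFFFF} {
		_, p, err := ParseHeartbeat(BuildHeartbeat([]byte("abc"), claimed))
		fmt.Printf("payload_length=%d -> payload=%q err=%v\n", claimed, p, err)
	}
}
```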
The first version: a Go tool (a small wrapper and a patch to crypto/tls; 66 LoC, 12 LoC)

The first version: a Go tool, a Python HTTP API (calling the tool for each request; 26 LoC)

The first version: a Go tool, a Python HTTP API, a GH Pages site (static, simple)

And suddenly… The traffic! (chart of requests/min from 2014-04-08T11:00:00Z to 2014-04-21T00:00:00Z)

And on, and on… Total: 203,190,914 tests in the first 14 days

The site evolved, so quickly that it was hard keeping up! Initially it was a tool for industry people. Then the new users: first from the media. And finally, the extensions!

The final setup:
Website: static, hosted on GitHub Pages
Backend: Amazon AWS, EC2 behind an ELB (40 of them!)
Servers: pure Go concurrent web/test servers
SSL (later): CloudFlare
Cache (way later): 1hr on Amazon NoSQL (DynamoDB)

The bug :(

Logging: only logged results. No ads. No analytics.

(chart: % of vulnerable results)
(chart: % of vulnerable hosts)

The feedback: help with the code, credits for AWS, donations, Reddit AMA.

And… well, people.

Q? A! @FiloSottile { https:// | hi@ } filippo.io