Upgrade to Pro — share decks privately, control downloads, hide ads and more …

The Heartbleed test adventure @ Hack.lu 2014

Filippo Valsorda
October 21, 2014
Programming
0
140

The Heartbleed test adventure @ Hack.lu 2014

Filippo Valsorda

October 21, 2014
Tweet

More Decks by Filippo Valsorda

See All by Filippo Valsorda
Asynchronous networking @ GopherCon 2018
filosottile
3
1.8k
Le note cifrate di Antonio Marzi
filosottile
1
290
Why cgo is slow @ CapitalGo 2018
filosottile
2
4k
Squeezing a key through a carry bit @ 34c3
filosottile
0
1.4k
Calling Rust from Go, without cgo @ GothamGo 2017
filosottile
1
2.3k
You, latency and profiling @ GolangUK 2017
filosottile
0
970
Encrypting the Internet with Go @ GopherCon 2017
filosottile
9
2.5k
You, latency and profiling @ GopherCon India 2017
filosottile
13
3.6k
TLS 1.3 @ 33c3
filosottile
4
6.4k

Other Decks in Programming

See All in Programming
Node.js v22 で変わること
yosuke_furukawa
PRO
9
3.4k
0→1と1→10の狭間で Javaという技術選定を振り返る/Reflecting on the Decision to Choose Java Between Scaling from 0 to 1 and 1 to 10
jaguar_imo
2
380
Goのエラースタックトレースの歴史と今後
sonatard
8
1.3k
Let's learn code review
riofujimon
1
270
Kotlin Multiplatform at Stable and Beyond (Android Makers 2024)
zsmb
0
210
[技育CAMPアカデミア]アイディアを形に!【超入門】スマホアプリ開発〜リリースまでの流れをご紹介
teamlab
PRO
0
370
Snowflakeで眠ったデータを起こそう!
estie
0
120
新宿ダンジョンを可視化してみた
satoshi7190
2
250
MicrosoftのPlatform Engineeringガイドを読んで実際になにかやってみた
ymd65536
1
330
Komplexe Oberflächen mit SVG und der Web Animation API
joergneumann
0
670
GraphQLサーバの構成要素を整理する #ハッカー鮨 #tsukijigraphql / graphql server technology selection
izumin5210
4
840
dbtのドメイン分割による データ基盤の改善とDigdagとの連携
sakama
0
310

Featured

See All Featured
Fashionably flexible responsive web design (full day workshop)
malarkey
398
65k
Statistics for Hackers
jakevdp
789
220k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
357
22k
Stop Working from a Prison Cell
hatefulcrawdad
266
19k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
20
1.9k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
17
1.4k
The Straight Up "How To Draw Better" Workshop
denniskardys
227
130k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
6
1.5k
Build your cross-platform service in a week with App Engine
jlugia
225
17k
Practical Orchestrator
shlominoach
182
9.7k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
241
1.2M
Web development in the modern age
philhawksworth
202
10k

Transcript

  1. The  Heartbleed  test   adventure Filippo  Valsorda

  2. Filippo  Valsorda CloudFlare  security  team   @FiloSottile   I  mess

     with  cryptography.   And  open  source.   ! {  https://  |  hi@  }  filippo.io
  3. None

  4. What  is   Heartbleed

  5. Let’s  be  serious,   you  all  know  that!

  6. When  I  found  out   first  thing  was  looking  

    at  the  commit (        )
  7. None

  8. OK,  so  it’s  the  length.   But  it’s  still  not

     clear.   Let’s  check  the  RFC.
  9. None

  10. JACKPOT.   (why!?)

  11. The  first  version. (A  small  wrapper  and  a  patch  to

     crypto/tls)     • A  Go  tool

  12. 66 LoC

  13. 12 LoC

  14. The  first  version. (Calling  the  tool  for  each  request)  

      • A  Go  tool   • A  Python  HTTP  API

  15. 26 LoC

  16. The  first  version. • A  Go  tool   • A

     Python  HTTP  API   • A  GH  Pages  site (Static,  simple)    
  17. None

  18. And  suddenly…

  19. The  traffic!

  20. 2014-04-08T11:00:00Z (requests/min)

  21. 2014-04-09T00:00:00Z

  22. 2014-04-09T11:00:00Z

  23. 2014-04-10T00:00:00Z

  24. 2014-04-11T00:00:00Z

  25. 2014-04-17T00:00:00Z

  26. 2014-04-21T00:00:00Z

  27. And on, and on…

  28. 203,190,914  tests Total: in  the  first  14  days

  29. The  site  evolved,  so   quickly  that  it  was  

    hard  keeping  up!

  30. Initially  it  was  a  tool   for  industry  people

  31. Then  the  new  users:   First  from  the  media

  32. And  finally,   The  extensions!

  33. The  final  setup Website:   Static,  hosted  on   GitHub

     Pages

  34. The  final  setup Backend:   Amazon  AWS,   EC2  behind

     a  ELB   (40  of  them!)

  35. The  final  setup Servers:   Pure  Go  concurrent   web/test

     servers

  36. The  final  setup SSL  (later):   CloudFlare

  37. The  final  setup Cache  (way  later):   1hr  on  Amazon

      NoSQL  (DynamoDB)

  38. The  bug  :(

  39. The  bug  :(

  40. Logging

  41. Logging Only  logged  results No  ads No  analytics

  42. %  of  vulnerable  results

  43. %  of  vulnerable  hosts

  44. The  feedback

  45. Help  with  the  code  

  46. Credits  for  AWS

  47. Donations

  48. Reddit  AMA

  49. And…  well,  people

  50. And…  well,  people

  51. Q?  A! @FiloSottile   {  https://  |  hi@  }  filippo.io