Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
The Heartbleed test adventure @ Hack.lu 2014
Search
Sponsored
·
Ship Features Fearlessly
Turn features on and off without deploys. Used by thousands of Ruby developers.
→
Filippo Valsorda
October 21, 2014
Programming
0
150
The Heartbleed test adventure @ Hack.lu 2014
Filippo Valsorda
October 21, 2014
Tweet
Share
More Decks by Filippo Valsorda
See All by Filippo Valsorda
Asynchronous networking @ GopherCon 2018
filosottile
3
2.1k
Le note cifrate di Antonio Marzi
filosottile
1
420
Why cgo is slow @ CapitalGo 2018
filosottile
2
4.8k
Squeezing a key through a carry bit @ 34c3
filosottile
0
1.8k
Calling Rust from Go, without cgo @ GothamGo 2017
filosottile
1
2.9k
You, latency and profiling @ GolangUK 2017
filosottile
0
1.2k
Encrypting the Internet with Go @ GopherCon 2017
filosottile
9
2.7k
You, latency and profiling @ GopherCon India 2017
filosottile
13
4.2k
TLS 1.3 @ 33c3
filosottile
4
6.9k
Other Decks in Programming
See All in Programming
React 19でつくる「気持ちいいUI」- 楽観的UIのすすめ
himorishige
11
7.5k
Patterns of Patterns
denyspoltorak
0
1.4k
AI によるインシデント初動調査の自動化を行う AI インシデントコマンダーを作った話
azukiazusa1
1
750
プロダクトオーナーから見たSOC2 _SOC2ゆるミートアップ#2
kekekenta
0
220
AI Schema Enrichment for your Oracle AI Database
thatjeffsmith
0
320
AIによる開発の民主化を支える コンテキスト管理のこれまでとこれから
mulyu
3
450
React Native × React Router v7 API通信の共通化で考えるべきこと
suguruooki
0
100
Oxlint JS plugins
kazupon
1
990
CSC307 Lecture 01
javiergs
PRO
0
690
AWS re:Invent 2025参加 直前 Seattle-Tacoma Airport(SEA)におけるハードウェア紛失インシデントLT
tetutetu214
2
120
今から始めるClaude Code超入門
448jp
8
9k
CSC307 Lecture 07
javiergs
PRO
1
560
Featured
See All Featured
Mind Mapping
helmedeiros
PRO
0
89
The MySQL Ecosystem @ GitHub 2015
samlambert
251
13k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
234
17k
Taking LLMs out of the black box: A practical guide to human-in-the-loop distillation
inesmontani
PRO
3
2k
AI: The stuff that nobody shows you
jnunemaker
PRO
2
270
svc-hook: hooking system calls on ARM64 by binary rewriting
retrage
1
100
Raft: Consensus for Rubyists
vanstee
141
7.3k
What's in a price? How to price your products and services
michaelherold
247
13k
エンジニアに許された特別な時間の終わり
watany
106
230k
Lessons Learnt from Crawling 1000+ Websites
charlesmeaden
PRO
1
1.1k
Typedesign – Prime Four
hannesfritz
42
2.9k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
162
16k
Transcript
The Heartbleed test adventure Filippo Valsorda
Filippo Valsorda CloudFlare security team @FiloSottile I mess
with cryptography. And open source. ! { https:// | hi@ } filippo.io
None
What is Heartbleed
Let’s be serious, you all know that!
When I found out first thing was looking
at the commit ( )
None
OK, so it’s the length. But it’s still not
clear. Let’s check the RFC.
None
JACKPOT. (why!?)
The first version. (A small wrapper and a patch to
crypto/tls) • A Go tool
66 LoC
12 LoC
The first version. (Calling the tool for each request)
• A Go tool • A Python HTTP API
26 LoC
The first version. • A Go tool • A
Python HTTP API • A GH Pages site (Static, simple)
None
And suddenly…
The traffic!
2014-04-08T11:00:00Z (requests/min)
2014-04-09T00:00:00Z
2014-04-09T11:00:00Z
2014-04-10T00:00:00Z
2014-04-11T00:00:00Z
2014-04-17T00:00:00Z
2014-04-21T00:00:00Z
And on, and on…
203,190,914 tests Total: in the first 14 days
The site evolved, so quickly that it was
hard keeping up!
Initially it was a tool for industry people
Then the new users: First from the media
And finally, The extensions!
The final setup Website: Static, hosted on GitHub
Pages
The final setup Backend: Amazon AWS, EC2 behind
a ELB (40 of them!)
The final setup Servers: Pure Go concurrent web/test
servers
The final setup SSL (later): CloudFlare
The final setup Cache (way later): 1hr on Amazon
NoSQL (DynamoDB)
The bug :(
The bug :(
Logging
Logging Only logged results No ads No analytics
% of vulnerable results
% of vulnerable hosts
The feedback
Help with the code
Credits for AWS
Donations
Reddit AMA
And… well, people
And… well, people
Q? A! @FiloSottile { https:// | hi@ } filippo.io
filosottile
himorishige
denyspoltorak
azukiazusa1
kekekenta
thatjeffsmith
mulyu
suguruooki
kazupon
javiergs
tetutetu214
448jp
helmedeiros
samlambert
marcelosomers
inesmontani
jnunemaker
retrage
vanstee
michaelherold
watany
charlesmeaden
hannesfritz
sstephenson
