The Heartbleed test adventure @ Hack.lu 2014
Filippo Valsorda
October 21, 2014
Transcript
The Heartbleed test adventure
Filippo Valsorda, CloudFlare security team, @FiloSottile
I mess with cryptography. And open source.
{ https:// | hi@ } filippo.io
What is Heartbleed
Let’s be serious, you all know that!
When I found out, the first thing was looking at the commit.
OK, so it's the length. But it's still not clear. Let's check the RFC.
JACKPOT. (why!?)
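The "length" the slides refer to is the payload_length field of the TLS Heartbeat message (RFC 6520): the vulnerable code trusted it and copied that many bytes back to the peer, whether or not the record actually contained them. The Go program below is an added example, not the speaker's test tool or any OpenSSL code; it places a constructed heartbeat record in a byte slice that stands in for process memory, shows the over-read the way the bug worked, and beside it the RFC 6520 length check that the fix introduced. The "neighbouring" cookie bytes are constructed sample data.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	heartbeatRequest  = 1
	heartbeatResponse = 2
	// Fixed part of a HeartbeatMessage (RFC 6520): 1 byte type, 2 bytes
	// payload_length, and at least 16 bytes of padding.
	heartbeatOverhead = 1 + 2 + 16
)

// neighbourSecret is constructed data representing whatever happened to sit in
// memory right after the heartbeat record (in the real bug: keys, cookies, ...).
const neighbourSecret = "Cookie: session=deadbeefcafe\r\n\r\n"

// buildHeartbeat encodes a HeartbeatRequest carrying payload, with the
// payload_length field set to claimedLen (honest when claimedLen == len(payload)).
func buildHeartbeat(payload []byte, claimedLen uint16) []byte {
	msg := make([]byte, 3, 3+len(payload)+16)
	msg[0] = heartbeatRequest
	binary.BigEndian.PutUint16(msg[1:3], claimedLen)
	msg = append(msg, payload...)
	return append(msg, make([]byte, 16)...) // minimum padding
}

// respondVulnerable reproduces the pre-fix logic: it trusts payload_length and
// copies that many bytes starting at the payload, never consulting the real
// record length. mem stands in for process memory: the record occupies
// mem[:recordLen], and everything after it is data the peer must never see.
// (Response padding is omitted to keep the comparison to the payload obvious.)
func respondVulnerable(mem []byte, recordLen int) []byte {
	_ = recordLen // the real record length is never consulted: that is the bug
	payloadLen := int(binary.BigEndian.Uint16(mem[1:3]))
	resp := make([]byte, 3+payloadLen)
	resp[0] = heartbeatResponse
	binary.BigEndian.PutUint16(resp[1:3], uint16(payloadLen))
	copy(resp[3:], mem[3:3+payloadLen]) // over-read when 3+payloadLen > recordLen
	return resp
}

// respondChecked applies the RFC 6520 rule that the fix implemented: if type,
// payload_length, payload and minimum padding do not fit inside the record
// that was actually received, the message is discarded silently.
func respondChecked(record []byte) ([]byte, error) {
	if len(record) < heartbeatOverhead {
		return nil, errors.New("heartbeat record shorter than minimum; discarding")
	}
	payloadLen := int(binary.BigEndian.Uint16(record[1:3]))
	if heartbeatOverhead+payloadLen > len(record) {
		return nil, errors.New("payload_length exceeds record; discarding silently")
	}
	resp := make([]byte, 3+payloadLen)
	resp[0] = heartbeatResponse
	binary.BigEndian.PutUint16(resp[1:3], uint16(payloadLen))
	copy(resp[3:], record[3:3+payloadLen])
	return resp, nil
}

// demoMemory builds the constructed scenario: a 3-byte payload that claims to be
// 64 bytes long, followed by neighbourSecret and zero fill so that the over-read
// stays inside the slice (C would simply read past the allocation).
func demoMemory() (mem []byte, recordLen int) {
	record := buildHeartbeat([]byte("hi!"), 64)
	mem = append(append([]byte{}, record...), []byte(neighbourSecret)...)
	for len(mem) < 3+64 {
		mem = append(mem, 0)
	}
	return mem, len(record)
}

// leaksNeighbour reports whether a response carries the bytes that lay outside
// the genuine record.
func leaksNeighbour(resp []byte) bool {
	return bytes.Contains(resp, []byte(neighbourSecret))
}

func main() {
	mem, recordLen := demoMemory()
	resp := respondVulnerable(mem, recordLen)
	fmt.Printf("vulnerable: record is %d bytes, response carries %d payload bytes, leaks neighbour: %v\n",
		recordLen, len(resp)-3, leaksNeighbour(resp))
	if _, err := respondChecked(mem[:recordLen]); err != nil {
		fmt.Println("checked:", err)
	}
	ok, _ := respondChecked(buildHeartbeat([]byte("hi!"), 3))
	fmt.Printf("checked, honest request: payload %q\n", ok[3:])
}
```

The check is the whole fix: one comparison of the claimed length against the record length that the TLS layer already knew. A remote test such as the one the talk describes exercises exactly this, by sending a heartbeat whose payload_length exceeds the payload and seeing whether the server answers with more bytes than it was given.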
The first version:
• A Go tool (a small wrapper and a patch to crypto/tls: 66 LoC and 12 LoC)
• A Python HTTP API (calling the tool for each request): 26 LoC
• A GH Pages site (static, simple)
And suddenly… The traffic!
[Chart: requests/min, 2014-04-08T11:00:00Z through 2014-04-21T00:00:00Z]
And on, and on…
Total: 203,190,914 tests in the first 14 days
The site evolved, so quickly that it was hard keeping up!
Initially it was a tool for industry people.
Then the new users: first from the media.
And finally, the extensions!
The final setup:
• Website: static, hosted on GitHub Pages
• Backend: Amazon AWS, EC2 behind an ELB (40 of them!)
• Servers: pure Go concurrent web/test servers
• SSL (later): CloudFlare
• Cache (way later): 1hr on Amazon NoSQL (DynamoDB)
The bug :(
Logging: only logged results. No ads. No analytics.
[Charts: % of vulnerable results; % of vulnerable hosts]
The feedback:
• Help with the code
• Credits for AWS
• Donations
• Reddit AMA
And… well, people.
Q? A! @FiloSottile { https:// | hi@ } filippo.io