$30 off During Our Annual Pro Sale. View Details »

The Heartbleed test adventure @ Hack.lu 2014

Avatar for Filippo Valsorda Filippo Valsorda
October 21, 2014
Programming
0
150

The Heartbleed test adventure @ Hack.lu 2014

Avatar for Filippo Valsorda

Filippo Valsorda

October 21, 2014
Tweet

More Decks by Filippo Valsorda

See All by Filippo Valsorda
Asynchronous networking @ GopherCon 2018
Avatar for Filippo Valsorda filosottile
3
2.1k
Le note cifrate di Antonio Marzi
Avatar for Filippo Valsorda filosottile
1
410
Why cgo is slow @ CapitalGo 2018
Avatar for Filippo Valsorda filosottile
2
4.7k
Squeezing a key through a carry bit @ 34c3
Avatar for Filippo Valsorda filosottile
0
1.7k
Calling Rust from Go, without cgo @ GothamGo 2017
Avatar for Filippo Valsorda filosottile
1
2.8k
You, latency and profiling @ GolangUK 2017
Avatar for Filippo Valsorda filosottile
0
1.2k
Encrypting the Internet with Go @ GopherCon 2017
Avatar for Filippo Valsorda filosottile
9
2.7k
You, latency and profiling @ GopherCon India 2017
Avatar for Filippo Valsorda filosottile
13
4.1k
TLS 1.3 @ 33c3
Avatar for Filippo Valsorda filosottile
4
6.9k

Other Decks in Programming

See All in Programming
30分でDoctrineの仕組みと使い方を完全にマスターする / phpconkagawa 2025 Doctrine
Avatar for Takashi Kanemoto ttskch
3
700
GeistFabrik and AI-augmented software development
Avatar for Ade Oshineye adewale
PRO
0
250
複数人でのCLI/Infrastructure as Codeの暮らしを良くする
Avatar for Shoma Okamoto shmokmt
5
2.1k
Microservices Platforms: When Team Topologies Meets Microservices Patterns
Avatar for Chris Richardson cer
PRO
1
910
Socio-Technical Evolution: Growing an Architecture and Its Organization for Fast Flow
Avatar for Chris Richardson cer
PRO
0
250
これだけで丸わかり!LangChain v1.0 アップデートまとめ
Avatar for os1ma os1ma
6
1.3k
大体よく分かるscala.collection.immutable.HashMap ~ Compressed Hash-Array Mapped Prefix-tree (CHAMP) ~
Avatar for matsu_chara matsu_chara
1
210
MAP, Jigsaw, Code Golf 振り返り会 by 関東Kaggler会|Jigsaw 15th Solution
Avatar for s.konishi hasibirok0
0
210
宅宅自以為的浪漫:跟 AI 一起為自己辦的研討會寫一個售票系統
Avatar for 高見龍 eddie
0
470
Level up your Gemini CLI - D&D Style!
Avatar for Riccardo Carlesso palladius
1
170
無秩序からの脱却 / Emergence from chaos
Avatar for nrs nrslib
2
12k
dotfiles 式年遷宮 令和最新版
Avatar for masawada masawada
1
640

Featured

See All Featured
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
Avatar for Marc Duiker marcduiker
35
2.3k
VelocityConf: Rendering Performance Case Studies
Avatar for Addy Osmani addyosmani
333
24k
GraphQLの誤解/rethinking-graphql
Avatar for sonatard sonatard
73
11k
A better future with KSS
Avatar for Kyle Neath kneath
240
18k
Being A Developer After 40
Avatar for Adrian Kosmaczewski akosma
91
590k
[RailsConf 2023] Rails as a piece of cake
Avatar for Vladimir Dementyev palkan
58
6.1k
Mobile First: as difficult as doing things right
Avatar for Swwweet swwweet
225
10k
Principles of Awesome APIs and How to Build Them.
Avatar for Keavy McMinn keavy
127
17k
The Cult of Friendly URLs
Avatar for Andy Hume andyhume
79
6.7k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
Avatar for Vitaly Friedman smashingmag
253
22k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
Avatar for Eileen M. Uchitelle eileencodes
140
34k
Into the Great Unknown - MozCon
Avatar for Noah Learner thekraken
40
2.2k

Transcript

  1. The  Heartbleed  test   adventure Filippo  Valsorda

  2. Filippo  Valsorda CloudFlare  security  team   @FiloSottile   I  mess

     with  cryptography.   And  open  source.   ! {  https://  |  hi@  }  filippo.io
  3. None

  4. What  is   Heartbleed

  5. Let’s  be  serious,   you  all  know  that!

  6. When  I  found  out   first  thing  was  looking  

    at  the  commit (        )
  7. None

  8. OK,  so  it’s  the  length.   But  it’s  still  not

     clear.   Let’s  check  the  RFC.
  9. None

  10. JACKPOT.   (why!?)

  11. The  first  version. (A  small  wrapper  and  a  patch  to

     crypto/tls)     • A  Go  tool

  12. 66 LoC

  13. 12 LoC

  14. The  first  version. (Calling  the  tool  for  each  request)  

      • A  Go  tool   • A  Python  HTTP  API

  15. 26 LoC

  16. The  first  version. • A  Go  tool   • A

     Python  HTTP  API   • A  GH  Pages  site (Static,  simple)    
  17. None

  18. And  suddenly…

  19. The  traffic!

  20. 2014-04-08T11:00:00Z (requests/min)

  21. 2014-04-09T00:00:00Z

  22. 2014-04-09T11:00:00Z

  23. 2014-04-10T00:00:00Z

  24. 2014-04-11T00:00:00Z

  25. 2014-04-17T00:00:00Z

  26. 2014-04-21T00:00:00Z

  27. And on, and on…

  28. 203,190,914  tests Total: in  the  first  14  days

  29. The  site  evolved,  so   quickly  that  it  was  

    hard  keeping  up!

  30. Initially  it  was  a  tool   for  industry  people

  31. Then  the  new  users:   First  from  the  media

  32. And  finally,   The  extensions!

  33. The  final  setup Website:   Static,  hosted  on   GitHub

     Pages

  34. The  final  setup Backend:   Amazon  AWS,   EC2  behind

     a  ELB   (40  of  them!)

  35. The  final  setup Servers:   Pure  Go  concurrent   web/test

     servers

  36. The  final  setup SSL  (later):   CloudFlare

  37. The  final  setup Cache  (way  later):   1hr  on  Amazon

      NoSQL  (DynamoDB)

  38. The  bug  :(

  39. The  bug  :(

  40. Logging

  41. Logging Only  logged  results No  ads No  analytics

  42. %  of  vulnerable  results

  43. %  of  vulnerable  hosts

  44. The  feedback

  45. Help  with  the  code  

  46. Credits  for  AWS

  47. Donations

  48. Reddit  AMA

  49. And…  well,  people

  50. And…  well,  people

  51. Q?  A! @FiloSottile   {  https://  |  hi@  }  filippo.io