Upgrade to Pro — share decks privately, control downloads, hide ads and more …

The Heartbleed test adventure @ Hack.lu 2014

Avatar for Filippo Valsorda Filippo Valsorda
October 21, 2014
Programming
0
160

The Heartbleed test adventure @ Hack.lu 2014

Avatar for Filippo Valsorda

Filippo Valsorda

October 21, 2014
Tweet

More Decks by Filippo Valsorda

See All by Filippo Valsorda
Asynchronous networking @ GopherCon 2018
Avatar for Filippo Valsorda filosottile
3
2.1k
Le note cifrate di Antonio Marzi
Avatar for Filippo Valsorda filosottile
1
430
Why cgo is slow @ CapitalGo 2018
Avatar for Filippo Valsorda filosottile
2
4.8k
Squeezing a key through a carry bit @ 34c3
Avatar for Filippo Valsorda filosottile
0
1.8k
Calling Rust from Go, without cgo @ GothamGo 2017
Avatar for Filippo Valsorda filosottile
1
2.9k
You, latency and profiling @ GolangUK 2017
Avatar for Filippo Valsorda filosottile
0
1.2k
Encrypting the Internet with Go @ GopherCon 2017
Avatar for Filippo Valsorda filosottile
9
2.7k
You, latency and profiling @ GopherCon India 2017
Avatar for Filippo Valsorda filosottile
13
4.2k
TLS 1.3 @ 33c3
Avatar for Filippo Valsorda filosottile
4
6.9k

Other Decks in Programming

See All in Programming
DSPy入門 Pythonで実現する自動プロンプト最適化 〜人手によるプロンプト調整からの卒業〜
Avatar for sea-turt1e seaturt1e
1
690
encoding/json/v2のUnmarshalはこう変わった:内部実装で見る設計改善
Avatar for Hiroki Kurasawa kurakura0916
0
400
オブザーバビリティ駆動開発って実際どうなの?
Avatar for yohfee yohfee
3
830
Cyrius ーLinux非依存にコンテナをネイティブ実行する専用OSー
Avatar for n4mlz n4mlz
0
130
The Past, Present, and Future of Enterprise Java
Avatar for ivargrimstad ivargrimstad
0
220
AIに任せる範囲を安全に広げるためにやっていること
Avatar for Masashi Fukuzawa fukucheee
0
130
Claude Codeセッション現状確認 2026福岡 / fukuoka-aicoding-00-beacon
Avatar for monochromegane monochromegane
4
410
Codexに役割を持たせる 他のAIエージェントと組み合わせる実務Tips
Avatar for o8n o8n
4
1.3k
AI Assistants for Your Angular Solutions
Avatar for Manfred Steyer manfredsteyer
PRO
0
130
ふつうのRubyist、ちいさなデバイス、大きな一年 / Ordinary Rubyists, Tiny Devices, Big Year
Avatar for chobishiba chobishiba
1
430
maplibre-gl-layers - 地図に移動体たくさん表示したい
Avatar for Kouji Matsui kekyo
PRO
0
250
受け入れテスト駆動開発(ATDD)×AI駆動開発 AI時代のATDDの取り組み方を考える
Avatar for Takasaki Kazunari kztakasaki
2
560

Featured

See All Featured
Everyday Curiosity
Avatar for Cassini Nazir cassininazir
0
160
Taking LLMs out of the black box: A practical guide to human-in-the-loop distillation
Avatar for Ines Montani inesmontani
PRO
3
2.1k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
Avatar for Eileen M. Uchitelle eileencodes
141
35k
Public Speaking Without Barfing On Your Shoes - THAT 2023
Avatar for David Neal reverentgeek
1
330
HDC tutorial
Avatar for Michiel Stock michielstock
1
530
How To Stay Up To Date on Web Technology
Avatar for Chris Coyier chriscoyier
790
250k
Gemini Prompt Engineering: Practical Techniques for Tangible AI Outcomes
Avatar for Mfonobong Umondia mfonobong
2
310
職位にかかわらず全員がリーダーシップを発揮するチーム作り / Building a team where everyone can demonstrate leadership regardless of position
Avatar for MADOX madoxten
61
52k
What's in a price? How to price your products and services
Avatar for Michael Herold michaelherold
247
13k
XXLCSS - How to scale CSS and keep your sanity
Avatar for Zaharenia Atzitzikaki sugarenia
249
1.3M
How To Speak Unicorn (iThemes Webinar)
Avatar for Michelle Schulp Hunt marktimemedia
1
410
Mind Mapping
Avatar for Hélio Medeiros helmedeiros
PRO
1
120

Transcript

  1. The  Heartbleed  test   adventure Filippo  Valsorda

  2. Filippo  Valsorda CloudFlare  security  team   @FiloSottile   I  mess

     with  cryptography.   And  open  source.   ! {  https://  |  hi@  }  filippo.io
  3. None

  4. What  is   Heartbleed

  5. Let’s  be  serious,   you  all  know  that!

  6. When  I  found  out   first  thing  was  looking  

    at  the  commit (        )
  7. None

  8. OK,  so  it’s  the  length.   But  it’s  still  not

     clear.   Let’s  check  the  RFC.
  9. None

  10. JACKPOT.   (why!?)

  11. The  first  version. (A  small  wrapper  and  a  patch  to

     crypto/tls)     • A  Go  tool

  12. 66 LoC

  13. 12 LoC

  14. The  first  version. (Calling  the  tool  for  each  request)  

      • A  Go  tool   • A  Python  HTTP  API

  15. 26 LoC

  16. The  first  version. • A  Go  tool   • A

     Python  HTTP  API   • A  GH  Pages  site (Static,  simple)    
  17. None

  18. And  suddenly…

  19. The  traffic!

  20. 2014-04-08T11:00:00Z (requests/min)

  21. 2014-04-09T00:00:00Z

  22. 2014-04-09T11:00:00Z

  23. 2014-04-10T00:00:00Z

  24. 2014-04-11T00:00:00Z

  25. 2014-04-17T00:00:00Z

  26. 2014-04-21T00:00:00Z

  27. And on, and on…

  28. 203,190,914  tests Total: in  the  first  14  days

  29. The  site  evolved,  so   quickly  that  it  was  

    hard  keeping  up!

  30. Initially  it  was  a  tool   for  industry  people

  31. Then  the  new  users:   First  from  the  media

  32. And  finally,   The  extensions!

  33. The  final  setup Website:   Static,  hosted  on   GitHub

     Pages

  34. The  final  setup Backend:   Amazon  AWS,   EC2  behind

     a  ELB   (40  of  them!)

  35. The  final  setup Servers:   Pure  Go  concurrent   web/test

     servers

  36. The  final  setup SSL  (later):   CloudFlare

  37. The  final  setup Cache  (way  later):   1hr  on  Amazon

      NoSQL  (DynamoDB)

  38. The  bug  :(

  39. The  bug  :(

  40. Logging

  41. Logging Only  logged  results No  ads No  analytics

  42. %  of  vulnerable  results

  43. %  of  vulnerable  hosts

  44. The  feedback

  45. Help  with  the  code  

  46. Credits  for  AWS

  47. Donations

  48. Reddit  AMA

  49. And…  well,  people

  50. And…  well,  people

  51. Q?  A! @FiloSottile   {  https://  |  hi@  }  filippo.io