Upgrade to Pro — share decks privately, control downloads, hide ads and more …

The Heartbleed test adventure @ Hack.lu 2014

Avatar for Filippo Valsorda Filippo Valsorda
October 21, 2014
Programming
160
0

The Heartbleed test adventure @ Hack.lu 2014

Avatar for Filippo Valsorda

Filippo Valsorda

October 21, 2014

More Decks by Filippo Valsorda

See All by Filippo Valsorda
Asynchronous networking @ GopherCon 2018
Avatar for Filippo Valsorda filosottile
3
2.2k
Le note cifrate di Antonio Marzi
Avatar for Filippo Valsorda filosottile
1
450
Why cgo is slow @ CapitalGo 2018
Avatar for Filippo Valsorda filosottile
2
4.9k
Squeezing a key through a carry bit @ 34c3
Avatar for Filippo Valsorda filosottile
0
1.8k
Calling Rust from Go, without cgo @ GothamGo 2017
Avatar for Filippo Valsorda filosottile
1
2.9k
You, latency and profiling @ GolangUK 2017
Avatar for Filippo Valsorda filosottile
0
1.3k
Encrypting the Internet with Go @ GopherCon 2017
Avatar for Filippo Valsorda filosottile
9
2.7k
You, latency and profiling @ GopherCon India 2017
Avatar for Filippo Valsorda filosottile
13
4.3k
TLS 1.3 @ 33c3
Avatar for Filippo Valsorda filosottile
4
7k

Other Decks in Programming

See All in Programming
AI時代のUIはどこへ行く?その2!
Avatar for Yusuke Wada yusukebe
19
6.6k
密結合なバックエンドから TypeScript のコードを生成する
Avatar for kemuridama kemuridama
1
720
The NotImplementedError Problem in Ruby
Avatar for Koichi ITO koic
1
570
Composerを使ったサプライチェーン攻撃の様子を眺めてみる #phpstudy
Avatar for hideki kinjyo o0h
PRO
2
220
AI 時代のソフトウェア設計の学び方
Avatar for 増田 亨 masuda220
PRO
29
12k
GitHub Copilot CLIのいいところ
Avatar for tkym htkym
2
1.3k
Spec Driven Development | AI Summit Lisbon
Avatar for Daniel Sogl danielsogl
PRO
0
150
生成AI時代にこそ効くGo | Why Go Works in the Age of Generative AI
Avatar for mom0tomo mom0tomo
8
3.1k
AI駆動開発勉強会 広島支部 第一回勉強会 AI駆動開発概要とワークショップ
Avatar for smz hyt hayatoshimiu
0
440
AI時代の仕事技芸論 — ソフトウェア開発で「遊ぶように働く」職人的熟達のすすめ
Avatar for Yoshihito Kuranuki / 倉貫義人 kuranuki
1
610
Javaの型とAI時代に型が大事な理由 / java types and type in AI era
Avatar for Naoki Kishida kishida
2
100
キャリア迷子上等 ─ "ない道"は自分で作ればいい
Avatar for 16bit_idol 16bitidol
2
330

Featured

See All Featured
Digital Ethics as a Driver of Design Innovation
Avatar for Per Axbom axbom
PRO
1
300
Leadership Guide Workshop - DevTernity 2021
Avatar for David Neal reverentgeek
1
300
Sharpening the Axe: The Primacy of Toolmaking
Avatar for Bryan Cantrill bcantrill
46
2.8k
How to train your dragon (web standard)
Avatar for Monica Dinculescu notwaldorf
97
6.7k
The untapped power of vector embeddings
Avatar for Frank van Dijk frankvandijk
2
1.7k
エンジニアに許された特別な時間の終わり
Avatar for watany watany
107
250k
[SF Ruby Conf 2025] Rails X
Avatar for Vladimir Dementyev palkan
2
1.1k
Side Projects
Avatar for Sacha Greif sachag
455
43k
HU Berlin: Industrial-Strength Natural Language Processing with spaCy and Prodigy
Avatar for Ines Montani inesmontani
PRO
0
400
Designing for Performance
Avatar for Lara Hogan lara
611
70k
Color Theory Basics | Prateek | Gurzu
Avatar for Gurzu gurzu
0
350
Future Trends and Review - Lecture 12 - Web Technologies (1019888BNR)
Avatar for Beat Signer signer
PRO
0
3.6k

Transcript

  1. The  Heartbleed  test   adventure Filippo  Valsorda

  2. Filippo  Valsorda CloudFlare  security  team   @FiloSottile   I  mess

     with  cryptography.   And  open  source.   ! {  https://  |  hi@  }  filippo.io
  3. None

  4. What  is   Heartbleed

  5. Let’s  be  serious,   you  all  know  that!

  6. When  I  found  out   first  thing  was  looking  

    at  the  commit (        )
  7. None

  8. OK,  so  it’s  the  length.   But  it’s  still  not

     clear.   Let’s  check  the  RFC.
  9. None

  10. JACKPOT.   (why!?)

  11. The  first  version. (A  small  wrapper  and  a  patch  to

     crypto/tls)     • A  Go  tool

  12. 66 LoC

  13. 12 LoC

  14. The  first  version. (Calling  the  tool  for  each  request)  

      • A  Go  tool   • A  Python  HTTP  API

  15. 26 LoC

  16. The  first  version. • A  Go  tool   • A

     Python  HTTP  API   • A  GH  Pages  site (Static,  simple)    
  17. None

  18. And  suddenly…

  19. The  traffic!

  20. 2014-04-08T11:00:00Z (requests/min)

  21. 2014-04-09T00:00:00Z

  22. 2014-04-09T11:00:00Z

  23. 2014-04-10T00:00:00Z

  24. 2014-04-11T00:00:00Z

  25. 2014-04-17T00:00:00Z

  26. 2014-04-21T00:00:00Z

  27. And on, and on…

  28. 203,190,914  tests Total: in  the  first  14  days

  29. The  site  evolved,  so   quickly  that  it  was  

    hard  keeping  up!

  30. Initially  it  was  a  tool   for  industry  people

  31. Then  the  new  users:   First  from  the  media

  32. And  finally,   The  extensions!

  33. The  final  setup Website:   Static,  hosted  on   GitHub

     Pages

  34. The  final  setup Backend:   Amazon  AWS,   EC2  behind

     a  ELB   (40  of  them!)

  35. The  final  setup Servers:   Pure  Go  concurrent   web/test

     servers

  36. The  final  setup SSL  (later):   CloudFlare

  37. The  final  setup Cache  (way  later):   1hr  on  Amazon

      NoSQL  (DynamoDB)

  38. The  bug  :(

  39. The  bug  :(

  40. Logging

  41. Logging Only  logged  results No  ads No  analytics

  42. %  of  vulnerable  results

  43. %  of  vulnerable  hosts

  44. The  feedback

  45. Help  with  the  code  

  46. Credits  for  AWS

  47. Donations

  48. Reddit  AMA

  49. And…  well,  people

  50. And…  well,  people

  51. Q?  A! @FiloSottile   {  https://  |  hi@  }  filippo.io