Upgrade to Pro — share decks privately, control downloads, hide ads and more …

The Heartbleed test adventure @ Hack.lu 2014

Avatar for Filippo Valsorda Filippo Valsorda
October 21, 2014
Programming
0
150

The Heartbleed test adventure @ Hack.lu 2014

Avatar for Filippo Valsorda

Filippo Valsorda

October 21, 2014
Tweet

More Decks by Filippo Valsorda

See All by Filippo Valsorda
Asynchronous networking @ GopherCon 2018
Avatar for Filippo Valsorda filosottile
3
2.1k
Le note cifrate di Antonio Marzi
Avatar for Filippo Valsorda filosottile
1
420
Why cgo is slow @ CapitalGo 2018
Avatar for Filippo Valsorda filosottile
2
4.7k
Squeezing a key through a carry bit @ 34c3
Avatar for Filippo Valsorda filosottile
0
1.7k
Calling Rust from Go, without cgo @ GothamGo 2017
Avatar for Filippo Valsorda filosottile
1
2.8k
You, latency and profiling @ GolangUK 2017
Avatar for Filippo Valsorda filosottile
0
1.2k
Encrypting the Internet with Go @ GopherCon 2017
Avatar for Filippo Valsorda filosottile
9
2.7k
You, latency and profiling @ GopherCon India 2017
Avatar for Filippo Valsorda filosottile
13
4.2k
TLS 1.3 @ 33c3
Avatar for Filippo Valsorda filosottile
4
6.9k

Other Decks in Programming

See All in Programming
生成AIを利用するだけでなく、投資できる組織へ
Avatar for pospome pospome
2
440
それ、本当に安全? ファイルアップロードで見落としがちなセキュリティリスクと対策
Avatar for ikechi penpeen
6
1.9k
メルカリのリーダビリティチームが取り組む、AI時代のスケーラブルな品質文化
Avatar for osari.k cloverrose
2
450
Vibe codingでおすすめの言語と開発手法
Avatar for uyuki uyuki234
0
160
令和最新版Android Studioで化石デバイス向けアプリを作る
Avatar for Sora Arakawa arkw
0
470
CSC307 Lecture 03
Avatar for Javier Gonzalez-Sanchez javiergs
PRO
1
470
AI Agent Dojo #4: watsonx Orchestrate ADK体験
Avatar for Akira Onishi (IBM) oniak3ibm
PRO
0
120
実はマルチモーダルだった。ブラウザの組み込みAI🧠でWebの未来を感じてみよう #jsfes #gemini
Avatar for n0bisuke n0bisuke2
3
1.4k
CSC307 Lecture 04
Avatar for Javier Gonzalez-Sanchez javiergs
PRO
0
620
GISエンジニアから見たLINKSデータ
Avatar for nokonoko1203 nokonoko1203
0
190
Python札幌 LT資料
Avatar for t3tra t3tra
7
1.1k
perlをWebAssembly上で動かすと何が嬉しいの??? / Where does Perl-on-Wasm actually make sense?
Avatar for mackee mackee
0
300

Featured

See All Featured
How To Speak Unicorn (iThemes Webinar)
Avatar for Michelle Schulp Hunt marktimemedia
1
360
The Spectacular Lies of Maps
Avatar for Per Axbom axbom
PRO
1
420
The agentic SEO stack - context over prompts
Avatar for schlessera schlessera
0
580
No one is an island. Learnings from fostering a developers community.
Avatar for Antonio thoeni
21
3.6k
brightonSEO & MeasureFest 2025 - Christian Goodrich - Winning strategies for Black Friday CRO & PPC
Avatar for Christian Goodrich cargoodrich
2
78
Avoiding the “Bad Training, Faster” Trap in the Age of AI
Avatar for Mike Taylor tmiket
0
49
Facilitating Awesome Meetings
Avatar for Lara Hogan lara
57
6.7k
Documentation Writing (for coders)
Avatar for Carmen Chung carmenintech
77
5.2k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
Avatar for soudai sone soudai
PRO
196
71k
Design in an AI World
Avatar for tapps tapps
0
110
A better future with KSS
Avatar for Kyle Neath kneath
240
18k
Scaling GitHub
Avatar for Zach Holman holman
464
140k

Transcript

  1. The  Heartbleed  test   adventure Filippo  Valsorda

  2. Filippo  Valsorda CloudFlare  security  team   @FiloSottile   I  mess

     with  cryptography.   And  open  source.   ! {  https://  |  hi@  }  filippo.io
  3. None

  4. What  is   Heartbleed

  5. Let’s  be  serious,   you  all  know  that!

  6. When  I  found  out   first  thing  was  looking  

    at  the  commit (        )
  7. None

  8. OK,  so  it’s  the  length.   But  it’s  still  not

     clear.   Let’s  check  the  RFC.
  9. None

  10. JACKPOT.   (why!?)

  11. The  first  version. (A  small  wrapper  and  a  patch  to

     crypto/tls)     • A  Go  tool

  12. 66 LoC

  13. 12 LoC

  14. The  first  version. (Calling  the  tool  for  each  request)  

      • A  Go  tool   • A  Python  HTTP  API

  15. 26 LoC

  16. The  first  version. • A  Go  tool   • A

     Python  HTTP  API   • A  GH  Pages  site (Static,  simple)    
  17. None

  18. And  suddenly…

  19. The  traffic!

  20. 2014-04-08T11:00:00Z (requests/min)

  21. 2014-04-09T00:00:00Z

  22. 2014-04-09T11:00:00Z

  23. 2014-04-10T00:00:00Z

  24. 2014-04-11T00:00:00Z

  25. 2014-04-17T00:00:00Z

  26. 2014-04-21T00:00:00Z

  27. And on, and on…

  28. 203,190,914  tests Total: in  the  first  14  days

  29. The  site  evolved,  so   quickly  that  it  was  

    hard  keeping  up!

  30. Initially  it  was  a  tool   for  industry  people

  31. Then  the  new  users:   First  from  the  media

  32. And  finally,   The  extensions!

  33. The  final  setup Website:   Static,  hosted  on   GitHub

     Pages

  34. The  final  setup Backend:   Amazon  AWS,   EC2  behind

     a  ELB   (40  of  them!)

  35. The  final  setup Servers:   Pure  Go  concurrent   web/test

     servers

  36. The  final  setup SSL  (later):   CloudFlare

  37. The  final  setup Cache  (way  later):   1hr  on  Amazon

      NoSQL  (DynamoDB)

  38. The  bug  :(

  39. The  bug  :(

  40. Logging

  41. Logging Only  logged  results No  ads No  analytics

  42. %  of  vulnerable  results

  43. %  of  vulnerable  hosts

  44. The  feedback

  45. Help  with  the  code  

  46. Credits  for  AWS

  47. Donations

  48. Reddit  AMA

  49. And…  well,  people

  50. And…  well,  people

  51. Q?  A! @FiloSottile   {  https://  |  hi@  }  filippo.io