My best guess on the day was that enough material was in there that keys could be at risk. I recommended that customers rotate and revoke keys if they can, and our CISO and CEO took that as good enough and began that painful process.
Now it's widely used across AWS. Blows my mind to think that S3 is using it! https://github.com/awslabs/s2n
s2n is coded specifically in a way to try to avoid the problem Heartbleed hit. Rather than parse memory into integers using pointers directly, all across the code, s2n uses a "stuffer" data structure that includes a cursor. Similar to BoringSSL's crypto_bytes, or DJB's stralloc.
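As an added illustration of the cursor idea (example code written for this page, not s2n's own stuffer implementation; the struct, function and message names are this example's own), here is a minimal bounds-checked reader applied to a heartbeat-shaped message whose length field claims more payload than the buffer holds. Every read goes through the cursor and fails if fewer bytes remain than requested, so the length field can never drive a read past the end of the record.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A "stuffer": a byte buffer plus a cursor. Reads are checked against
 * what remains instead of being done with raw pointer arithmetic.
 * (Example code; not s2n's actual struct s2n_stuffer.) */
struct stuffer {
    const uint8_t *data;
    size_t len;     /* bytes in the buffer */
    size_t cursor;  /* index of the next unread byte */
};

static void stuffer_init(struct stuffer *s, const uint8_t *data, size_t len)
{
    s->data = data;
    s->len = len;
    s->cursor = 0;
}

static size_t stuffer_remaining(const struct stuffer *s)
{
    return s->len - s->cursor;
}

/* Copy n bytes out and advance the cursor. Returns 0 on success,
 * -1 if fewer than n bytes remain; nothing is read in that case. */
static int stuffer_read_bytes(struct stuffer *s, uint8_t *out, size_t n)
{
    if (stuffer_remaining(s) < n) {
        return -1;
    }
    memcpy(out, s->data + s->cursor, n);
    s->cursor += n;
    return 0;
}

static int stuffer_read_uint8(struct stuffer *s, uint8_t *out)
{
    return stuffer_read_bytes(s, out, 1);
}

/* TLS encodes lengths big-endian (network byte order). */
static int stuffer_read_uint16(struct stuffer *s, uint16_t *out)
{
    uint8_t b[2];
    if (stuffer_read_bytes(s, b, 2) != 0) {
        return -1;
    }
    *out = (uint16_t)((b[0] << 8) | b[1]);
    return 0;
}

#define HEARTBEAT_MIN_PADDING 16  /* RFC 6520: at least 16 bytes of padding */

/* Parse a HeartbeatMessage: type(1) payload_length(2) payload padding.
 * Copies the payload into payload_out and returns its length, or -1 if
 * the record does not actually contain what its length field claims. */
static int parse_heartbeat(const uint8_t *msg, size_t msg_len,
                           uint8_t *payload_out, size_t out_cap)
{
    struct stuffer s;
    uint8_t type;
    uint16_t payload_len;

    stuffer_init(&s, msg, msg_len);
    if (stuffer_read_uint8(&s, &type) != 0) return -1;
    if (type != 1 && type != 2) return -1;  /* heartbeat_request / heartbeat_response */
    if (stuffer_read_uint16(&s, &payload_len) != 0) return -1;
    if (payload_len > out_cap) return -1;   /* caller's buffer too small */
    /* The check Heartbleed lacked: this read fails when the record holds
     * fewer bytes than payload_length says, instead of reading past it. */
    if (stuffer_read_bytes(&s, payload_out, payload_len) != 0) return -1;
    if (stuffer_remaining(&s) < HEARTBEAT_MIN_PADDING) return -1;
    return (int)payload_len;
}

/* Constructed sample records (not captured traffic). */
static const uint8_t good_msg[] = {          /* well-formed: 5-byte payload + 16 padding */
    0x01, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};
static const uint8_t evil_msg[] = {          /* claims 64 payload bytes, carries 5 */
    0x01, 0x00, 0x40, 'h', 'e', 'l', 'l', 'o',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};
static const uint8_t short_pad_msg[] = {     /* honest length, but only 3 bytes of padding */
    0x01, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o', 0, 0, 0
};

static int demo_good(void)      { uint8_t out[64]; return parse_heartbeat(good_msg, sizeof good_msg, out, sizeof out); }
static int demo_evil(void)      { uint8_t out[64]; return parse_heartbeat(evil_msg, sizeof evil_msg, out, sizeof out); }
static int demo_short_pad(void) { uint8_t out[64]; return parse_heartbeat(short_pad_msg, sizeof short_pad_msg, out, sizeof out); }

int main(void)
{
    /* prints: good: 5, evil: -1, short padding: -1 */
    printf("good: %d, evil: %d, short padding: %d\n", demo_good(), demo_evil(), demo_short_pad());
    return 0;
}
```

The point of the design is that the length field is never trusted on its own: it only becomes a read after the cursor confirms that many bytes exist, and the same helper is reused for every field so the check cannot be forgotten at one call site.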
Oh BoringSSL! In the months after Heartbleed, the industry rallied to get OpenSSL more funding and support through the Core Infrastructure Initiative. We still take part! And the BoringSSL and LibreSSL forks of OpenSSL happened. Great work from each!
The next year, the amazing @BenLaurie and @trevp__ started an annual High Assurance Cryptography workshop after @RealWorldCrypto, that has also borne fruits and helped us produce tools that can analyze cryptography code and find even subtle problems.
I'm almost done, but before I finish, a kind of depressing twist on this whole thing: the Heartbeat extension never really made any sense to begin with. A 0-byte record could have been used as a keep-alive, and ordinary path MTU discovery works for UDP!
All of this trouble for a feature that to this day I can't even think of a good use case for. This is one reason why "Don't do less well. Do less, well." resonates with me as a motto.
That's my story for now, until I remember something I forgot. Thanks to everyone who moved mountains 5 years ago. I'm in JFK waiting to fly to Bucharest, so AMA!
Impressive, but why weekends? What was happening on weekdays?
Mostly it's that I prefer to code for a few hours on weekends when there are fewer interruptions, no meetings. I say yes to most meetings to help folks out. Every PE is a bit of a different balance.
Why did you have to do it on weekends?