vendorcheck: the simplest Go static analysis tool is a small tool that will make sure all your Go dependencies are properly vendored. It's so simple that it serves well as a static analysis tool skeleton, so I wrote a code-along that explains how to load and play with Go packages: Building the simplest… »

"LuckyMinus20": Yet Another Padding Oracle in OpenSSL CBC Cipher Suites

Early this week, a new OpenSSL error code padding oracle dropped. Padding oracles are one of the most fun crypto vulnerabilities, so I gave this one the full treatment: a ten lines PoC and CLI test, obviously based on a patched Go crypto/tls an… »

Shrink your Go binaries with this one weird trick

Ok, I lied, there's no weird trick. However, you can easily reduce a Go binary size by more than 6 times with some flags and common tools. Note: I don't actually believe a 30MB static binary is a problem in this day and age, and I would not trade (build… »

Understanding Metrics in the Age of the TSDB

Network and web applications generate metrics, which we usually just shovel into a library without thinking much about their true meaning or performance cost. This week I decided to read through the existing Go libraries, got halfway through writing my own, dropped it, and finally wrote this guide aimed at… »

Technical notes: mixing speaker and slides recording with FFmpeg

Usual disclaimer: "technical notes" posts are probably of zero interest to the blog followers and are just meant for Google. If they annoy, tell me and I'll get a wiki or something. In a past life I wrote FFmpeg filters, which has the interesting side effect of making you think… »

Coverage for end-to-end tests of Go programs

Getting coverage of Go unit tests (the ones in _test.go files) is easy, but there's no documented way to get coverage of tests run externally, against a running "main" binary, like integration tests. I wrote about a hack I used to solve this on the CloudFlare Blog. It amounts… »

Bleichenbacher'06 signature forgery in python-rsa

While looking at the source of python-rsa (>100K daily downloads) I found it vulnerable to a straightforward variant of the Bleichenbacher'06 attack against RSA signature verification with low public exponent. The bug allows us to forge signatures for arbitrary messages, as long as the public key has a low exponent… »

Most Go tools now work with GO15VENDOREXPERIMENT

tl;dr: 1.6 brings support for /vendor/ to most tools (like the oracle) out of the box; use the Beta to rebuild them. GO15VENDOREXPERIMENT is the native vendoring support added in Go 1.5. In short it allows you to put a package at a/vendor/x and import… »

SSLv2 redux: patching Go crypto/tls to work with IE6

tl;dr: Go crypto/tls servers can't understand a sad SSLv2-flavored compatibility trick IE6 and JDK 5/6 do, I updated a patch, don't use it. While doing large scale TLS measurement with a Go crypto/tls server for CloudFlare, I started seeing this error score pretty high in my… »

"Automated Testing with go-fuzz" @ GothamGo

In October I presented at GothamGo in NYC about what fuzzing is and how it can help you find bugs early in day to day development if you integrate it in your workflow. I specifically focused on Dmitry Vyukov's go-fuzz and provided an example of how I used it to… »

Creative foot-shooting with Go RWMutex

Hi, I'm Filippo and today I fucked up. I introduced (and caught in staging) a deadlock in RRDNS which didn't show up in tests. Unreleased RLock won't blow up until you call Lock. Read about it on the CloudFlare blog. Creative foot-shooting with Go RWMutex | CloudFlare Blog (archive)… »

Building Python modules with Go 1.5

tl;dr: with Go 1.5 you can build .so objects and import them as Python modules, running Go code (instead of C) directly from Python. Here's the code. The Go 1.5 release brings a number of nifty changes. The one we will be playing with today is the… »

DNS parser, meet Go fuzzer

I ran go-fuzz against and found some interesting crashers. I documented the whole process on the CloudFlare blog. There's a bonus: fuzzing is not only for crashes! DNS parser, meet Go fuzzer | CloudFlare Blog (archive)… »

A deep look at CVE-2015-5477

CVE-2015-5477 is a scary DoS in BIND9 capable of triggering a crash with a single packet. I interleaved the vulnerable code with my investigation of the bug on the CloudFlare blog. A deep look at CVE-2015-5477 | CloudFlare Blog (archive)… »


Here's a fun PoC I built thanks to Ben's dataset. I don't want to ruin the surprise, so just try this command. (It's harmless.) ssh For the security crowd: don't worry, I don't have any OpenSSH 0day and even if I did I wouldn't burn them on… »

Quick and dirty annotations for Go stack traces

When, like RRDNS, you have tens of thousands of goroutines stack traces become meaningless quickly. You know that a listener goroutine is stuck, but what's special about it? My trick is passing a recognizable integer to the goroutine when starting it. Read more details on the CloudFlare blog. Quick and… »

Technical notes: convert a partition image to a bootable disk image

I decided I will blog short technical guides when I do something undocumented. These are probably of zero interest to the blog followers and are just meant for Google. If they annoy, tell me and I'll get a wiki or something. I am moving a machine off Linode (old style… »

Setting Go variables at compile time

The tl;dr is that the Go linker -X option is awesome. Read about it on the CloudFlare blog. Setting Go variables from the outside | CloudFlare Blog (archive)… »

Go has a debugger—and it's awesome!

godebug is a clever Go debugger that rewrites the source of your program on the fly to enable breakpoints and stepping. Read about it on the CloudFlare blog. Go has a debugger—and it's awesome! | CloudFlare Blog (archive)… »

How Plex is doing HTTPS for all its users

This week Plex, a self-hosted media server, announced that they now offer TLS to secure all connections, including those to the user's servers. This is actually pretty interesting. Background A quick overview of the Plex architecture to understand why this is different from the average HTTPS deployment. The server is… »