Elsewhere

Links to writings of mine published elsewhere.

Go Time #32 - Hellogopher, whosthere?

I joined Erik St. Martin, Carlisia Pinto and Brian Ketelsen for episode #32 of the Go Time podcast to chat about Hellogopher, whosthere (whoami.filippo.io), $GOPATH, TLS 1.3, Cloudflare's secret reverse proxy, and more. Go Time #32 — Hellogopher, whosthere? with Filippo Valsorda hellogopher — "just clone and make" The…

So you want to expose Go on the Internet

I was asked to contribute a post to the excellent Gopher Academy advent series. I took the occasion to write down what I learned deploying a Go service on the Cloudflare edge. The result is a catalogue of what you need to know before you drop NGINX from in front…

TLS nonce-nse

Starting a series of blog posts on TLS 1.3, I published my notes on the landscape of cipher nonces in TLS across versions, to help me clean up the implementation. Comes with hand-drawn diagrams! TLS nonce-nse | CloudFlare Blog (archive)…

An overview of TLS 1.3

I presented TLS 1.3 to the CloudFlare London office. Why it's faster, how it works, why it's safer, what's clever about it. The talk is recorded and comes with colored diagrams. There's a transcript on the CloudFlare blog. Update: you might want to watch my 33c3 talk on the…

The complete guide to Go net/http timeouts

I got an occasion to do a deep dive into net/http recently, and wrote a post about all the different timeouts you can set on the client and server side. How they work, how they interact and how to use them. The complete guide to Go net/http timeouts…

vendorcheck: the simplest Go static analysis tool

github.com/FiloSottile/vendorcheck is a small tool that will make sure all your Go dependencies are properly vendored. It's so simple that it serves well as a static analysis tool skeleton, so I wrote a code-along that explains how to load and play with Go packages: Building the simplest…

"LuckyMinus20": Yet Another Padding Oracle in OpenSSL CBC Cipher Suites

Early this week, a new OpenSSL error code padding oracle dropped. Padding oracles are one of the most fun crypto vulnerabilities, so I gave this one the full treatment: a ten lines PoC and CLI test, obviously based on a patched Go crypto/tls https://github.com/FiloSottile/CVE-2016-2107 an…

Coverage for end-to-end tests of Go programs

Getting coverage of Go unit tests (the ones in _test.go files) is easy, but there's no documented way to get coverage of tests run externally, against a running "main" binary, like integration tests. I wrote about a hack I used to solve this on the CloudFlare Blog. It amounts…

Creative foot-shooting with Go RWMutex

Hi, I'm Filippo and today I fucked up. I introduced (and caught in staging) a deadlock in RRDNS which didn't show up in tests. Unreleased RLock won't blow up until you call Lock. Read about it on the CloudFlare blog. Creative foot-shooting with Go RWMutex | CloudFlare Blog (archive)…

DNS parser, meet Go fuzzer

I ran go-fuzz against github.com/miekg/dns and found some interesting crashers. I documented the whole process on the CloudFlare blog. There's a bonus: fuzzing is not only for crashes! DNS parser, meet Go fuzzer | CloudFlare Blog (archive)…

A deep look at CVE-2015-5477

CVE-2015-5477 is a scary DoS in BIND9 capable of triggering a crash with a single packet. I interleaved the vulnerable code with my investigation of the bug on the CloudFlare blog. A deep look at CVE-2015-5477 | CloudFlare Blog (archive)…

Quick and dirty annotations for Go stack traces

When, like RRDNS, you have tens of thousands of goroutines stack traces become meaningless quickly. You know that a listener goroutine is stuck, but what's special about it? My trick is passing a recognizable integer to the goroutine when starting it. Read more details on the CloudFlare blog. Quick and…

Setting Go variables at compile time

The tl;dr is that the Go linker -X option is awesome. Read about it on the CloudFlare blog. Setting Go variables from the outside | CloudFlare Blog (archive)…

Go has a debugger—and it's awesome!

godebug is a clever Go debugger that rewrites the source of your program on the fly to enable breakpoints and stepping. Read about it on the CloudFlare blog. Go has a debugger—and it's awesome! | CloudFlare Blog (archive)…

Logjam explained

Logjam is a downgrade attack against the TLS protocol itself which exploits EXPORT ciphersuites. I wrote a long explanation of how the attack works and its background (what Diffie-Hellman is and how exactly it's used in the TLS handshake) on the CloudFlare blog. Logjam: the latest TLS vulnerability explained | CloudFlare…