Go

"Don't communicate by sharing memory, share memory by communicating."

Live streaming Cryptopals

tl;dr: I'm livecoding the Cryptopals in Go on Twitch, one set every Sunday. The recordings are on YouTube. Oh, wow. I love the idea. Would anyone here seriously watch 20 to 40 hours of me doing crypto, math and Go? Mic, screen, and everything. https://t.co/jx3s736bGm—…

A secure captive portal browser with automatic DNS detection

Captive portals are the worst. Flaky detection. The OS and browser try to detect these annoying network features but fail quite often, leaving you with broken connections. DID YOU KNOW that probe-based captive portal detection really doesn't work very well, with ~30% FP *and* ~30% FN rate in…

Playing with kernel TLS in Linux 4.13 and Go

Linux 4.13 introduces support for nothing less than... TLS! The 1600 LoC patch allows userspace to pass the kernel the encryption keys for an established connection, making encryption happen transparently inside the kernel. The only ciphersuite supported is AES-128-GCM as per RFC 5288, meaning it only supports TLS version…

restic cryptography

tl;dr: this is not an audit nor an endorsement and I take no responsibility, but I had a quick look at the crypto and I think I'm going to use restic for my personal backups. I keep hearing good things about restic. I am redoing my storage solution, and…

rustgo: calling Rust from Go with near-zero overhead

[русский] Go has good support for calling into assembly, and a lot of the fast cryptographic code in the stdlib is carefully optimized assembly, bringing speedups of over 20 times. However, writing assembly code is hard, reviewing it is possibly harder, and cryptography is unforgiving. Wouldn't it be nice if…

Cleaning up my GOPATH with Homebrew

tl;dr: use the script at the bottom to go get into the Homebrew "Cellar" and keep your GOPATH clean. I personally like GOPATH and import paths, but while trying to reduce my laptop to a thin reproducible client, I felt the pain of keeping track of the hundreds of…

Reproducing Go binaries byte-by-byte

Fully reproducible builds are important because they bridge the gap between auditable open source and convenient binary artifacts. Technologies like TUF and Binary Transparency provide accountability for what binaries are shipped to users, but that's of limited utility if there is no way (short of reverse engineering) of proving that…

Go Time #32 - Hellogopher, whosthere?

I joined Erik St. Martin, Carlisia Pinto and Brian Ketelsen for episode #32 of the Go Time podcast to chat about Hellogopher, whosthere (whoami.filippo.io), $GOPATH, TLS 1.3, Cloudflare's secret reverse proxy, and more. Go Time #32 — Hellogopher, whosthere? with Filippo Valsorda hellogopher — "just clone and make" The…

So you want to expose Go on the Internet

I was asked to contribute a post to the excellent Gopher Academy advent series. I took the occasion to write down what I learned deploying a Go service on the Cloudflare edge. The result is a catalogue of what you need to know before you drop NGINX from in front…

The complete guide to Go net/http timeouts

I got an occasion to do a deep dive into net/http recently, and wrote a post about all the different timeouts you can set on the client and server side. How they work, how they interact and how to use them. The complete guide to Go net/http timeouts…

Analyzing Go Vendoring with BigQuery

GitHub published a snapshot of all the public open-source repositories to BigQuery and Francesc used it to draw some cool statistics about Go projects. I used the same dataset to analyze how the Go ecosystem does vendoring. Disclosure: there's some ego stroking here, as I'm the author of gvt. (Try…

Stale GOROOT and gorebuild

GOROOT is the path where the Go stdlib and tools reside. To make setting up Go easier, the (default) GOROOT is hardcoded in the go binary. Normally it's /usr/local/go, but if you build Go yourself it'll be whatever path you built it in. If you install Go with…

vendorcheck: the simplest Go static analysis tool

github.com/FiloSottile/vendorcheck is a small tool that will make sure all your Go dependencies are properly vendored. It's so simple that it serves well as a static analysis tool skeleton, so I wrote a code-along that explains how to load and play with Go packages: Building the simplest…

Shrink your Go binaries with this one weird trick

Ok, I lied, there's no weird trick. However, you can easily reduce a Go binary size by more than 6 times with some flags and common tools. Note: I don't actually believe a 30MB static binary is a problem in this day and age, and I would not trade (build…

Coverage for end-to-end tests of Go programs

Getting coverage of Go unit tests (the ones in _test.go files) is easy, but there's no documented way to get coverage of tests run externally, against a running "main" binary, like integration tests. I wrote about a hack I used to solve this on the CloudFlare Blog. It amounts…

Most Go tools now work with GO15VENDOREXPERIMENT

tl;dr: 1.6 brings support for /vendor/ to most tools (like the oracle) out of the box; use the Beta to rebuild them. GO15VENDOREXPERIMENT is the native vendoring support added in Go 1.5. In short it allows you to put a package at a/vendor/x and import…

SSLv2 redux: patching Go crypto/tls to work with IE6

tl;dr: Go crypto/tls servers can't understand a sad SSLv2-flavored compatibility trick IE6 and JDK 5/6 do, I updated a patch, don't use it. While doing large scale TLS measurement with a Go crypto/tls server for CloudFlare, I started seeing this error score pretty high in my…

"Automated Testing with go-fuzz" @ GothamGo

In October I presented at GothamGo in NYC about what fuzzing is and how it can help you find bugs early in day to day development if you integrate it in your workflow. I specifically focused on Dmitry Vyukov's go-fuzz and provided an example of how I used it to…

Creative foot-shooting with Go RWMutex

Hi, I'm Filippo and today I fucked up. I introduced (and caught in staging) a deadlock in RRDNS which didn't show up in tests. Unreleased RLock won't blow up until you call Lock. Read about it on the CloudFlare blog. Creative foot-shooting with Go RWMutex | CloudFlare Blog (archive)…

Building Python modules with Go 1.5

tl;dr: with Go 1.5 you can build .so objects and import them as Python modules, running Go code (instead of C) directly from Python. Here's the code. The Go 1.5 release brings a number of nifty changes. The one we will be playing with today is the…