This is pretty big. Heartbleed was exactly this but with the heartbeat extension instead of the session ticket extension, and with OpenSSL instead of F5's TLS implementation.
In the end it doesn't mean that Ticketbleed would reveal a private key more slowly. But since nobody proved that this vuln is exploitable... Heartbleed was proven exploitable thanks to Cloudflare who organized a challenge. (It was also easier to test for exploitability.)
Only thing it wonder is why would you 'test' for the bug with only 1 byte of memory leaked? False negatives would be a lot smaller if you reversed it and send a 1-byte session id and have 31 bytes to test.
He says "By picking 31 bytes I ensured the sensitive information leakage would be negligible." but if you don't save/inspect other than verifying it's not 31x0, I don't see the problem?
As I understand it from RFC 5077, when a client sends a session id + session ticket, a conforming server will only ever send back exactly the session id the client sent, or no session id. If the client sends a 31 byte session id, and gets back a 32 byte session id, it knows the server must be sending back some extra data (which may or may not contain any information).
If the first 31 bytes are not the same, then the server is likely generating a new session id, which is a bug but probably not leaking any information.
If the first 31 bytes are the same, then either the server is padding the session id with zeros (which, while buggy, would not be an information leak) or the server is sending back some uncleared memory. These cases could be checked by seeing if the padding is zero (which would have at least a 0.4% false negative rate with just the one byte) but the zgrab test in the article doesn't bother distinguishing them and just assumes any extra data may be an information leak.
EDIT: Re-reading RFC 5077 again, I'm not certain that the server is prohibited from sending back a new session id. If it is allowed to then the second paragraph above doesn't indicate a bug, just a rejection of the session ticket.
The session ID isn't encrypted and that means that a passive observer can intercept the test traffic and gain information. Filippo decided to protect against that possibility.
I found it cool also and ultimately I'm Filippo's boss. The fun part is that he found this by accident while debugging a customer problem and he worked quietly with F5 to disclose (so quietly I found out about this a couple of days ago).
Also Filippo does a good job of telling the story in his blog post. I don't get the "fallout for F5" part. A bug was found, a vendor informed, everyone worked together in a responsible manner. Happiness!
That really was a well written article. I know almost nothing about F5, TLS, Go, etc... and I had no trouble understanding the bug. Very educational. The man deserves a beer.
It's straightforward, it's not trying to shill Cloudflare products too much, it's not self-congratulatory, and it's told from the chronological first-person perspective of an engineer trying to debug a protocol issue and accidentally uncovering a critical vuln.
Basically, it wasn't written by a marketing department like most of these other company-found vuln disclosures.
The cause of that particular bug was that a ClientHello in that size range looked like a SSL2 (!) handshake, and these boxes were looking for a SSL2 handshake before looking for a SSL3 handshake: https://www.ietf.org/mail-archive/web/tls/current/msg10423.h...
Interestingly, this new "ticketbleed" vulnerability could completely erradicate that bug, in the quite probable case that all versions of the F5 software which fix ticketbleed also have the much older fix for that ClientHello bug.
Maybe I'm missing something, but I don't see how these issues are related. One is a compatibility workaround, the other is a vulnerability that exposes server memory to a remote attacker.
