After twelve years in the information security industry, I finally attended the Blackhat conference. It was great, especially the Hacker sessions and the interesting presentations from experts from around the globe. Behavior Baseline, Active Response, Security Analytics, and Public Key Cryptography were front and center in every conversation. However, from my perspective, in addition to these popular topics, HTTP/2-related discussions seemed to bubble up quite often.
The fact is HTTP/2 is here to stay, and its adoption is growing at a rapid pace. Within a year of its introduction, now more than 9.3% of 10 million websites comprising the Internet run HTTP/2.
The main new components in the HTTP/2 protocol are:
- Multiplexing–multiple streams can be concurrently carried over a single TCP connection
- Compression–HTTP headers are compressed using a combination of compression schemes (static Huffman coding and context adaptive coding)
- Flow control and dependency–mechanisms that allow HTTP/2 clients and servers to signal how to transmit objects
- Resource push–mechanism that facilitates pushing resources from HTTP/2 servers to their clients
HTTP/2 is faster than HTTP 1.1, has less development overhead, needs single TCP connections, supports multiplexing, request prioritization, server push and header compression. But, like any new protocol, HTTP/2 suffers from vulnerabilities that result in a botched deployment. At Imperva, our security researchers found four major flaws in server-side HTTP2 implementations of all the major vendors. In case you missed their Blackhat presentation, here are the four high-profile attack vectors found by the Imperva researchers:
- Slow Read – The attack calls on a malicious client to read responses very slowly and is identical to the well-known Slowloris DDoS attack experienced by major credit card processors in 2010. It is worth noting that despite the fact that Slow Read attacks were well studied in the HTTP/1.x ecosystem, they are still effective – this time in the application layer of HTTP/2 implementations. The Imperva Defense Center identified variants of this vulnerability across most popular web servers, including Apache, IIS, Jetty, NGINX and nghttp2.
- HPACK Bomb – This compression-layer attack resembles a zip bomb. The attacker crafts small and seemingly innocent messages that turn into gigabytes of data on the server. This consumes all the server memory resources and effectively makes it unavailable.
- Dependency Cycle Attack – The attack takes advantage of the flow control mechanisms that HTTP/2 introduced for network optimization. The malicious client crafts requests that induce a dependency cycle, which forces the server into an infinite loop as it tries to process these dependencies.
- Stream Multiplexing Abuse – The attacker uses flaws in the way servers implement the stream multiplexing functionality to crash the server. This ultimately results in a denial of service to legitimate users.
Read the in-depth analysis published in this detailed report and find out how you can roll out HTTP/2 without compromising security.