Four major flaws found (and fixed) in HTTP/2

The speedier successor to HTTP had vulnerabilities, according to Imperva

The next version of the network protocol that holds up the web, HTTP/2, has four major security vulnerabilities. 

HTTP/2 is a speedier, more technically advanced version of the current HTTP 1.1, and is slowly being rolled out across the web after the standard was approved in February 2015. It is already supported by major browsers - Chrome, Firefox, IE11, Edge, Safari, and Opera - and is thought to be used by about one in ten websites. 

Advertisement - Article continues below

Imperva researchers first noticed the flaws in November 2015. "It was like dj vu all over again; five years had gone by since the last high-profile slow-read attack on HTTP 1.1  Slowloris attack  had taken down major credit card processors," the researchers said in a blog post.

Now, it was HTTP/2 that was at risk to such slow-read attacks, alongside three other attack vectors. "The [slow read] attack calls on a malicious client to read responses very slowly and is strikingly identical to the well-known Slowloris DDoS attack experienced by major credit card processors in 2010," they explained. 

Alongside that, they found it was possible to use a dependency cycle attack, which forces the server into an infinite loop, as well as stream multiplexing abuse, in which the hacker crashes a server to deny service to legitmate users. And then there is the HPACK bomb.

Advertisement
Advertisement - Article continues below

"This compression-layer attack resembles a zip bomb," the researchers said. "The attacker crafts small and seemingly innocent messages that turn into a significant amount of data (in gigabytes) on the server, bloating memory footprint and results in poor performance."

Advertisement - Article continues below

Despite the discovery of four major flaws, there's no reason to panic as the flaws are already fixed. "The vendors were notified of all the vulnerabilities described in this document before publishing," the Imperva report noted. "We coordinated a responsible disclosure process with Microsoft, Apache, Nginx, Jetty and nghttp communities to prevent these vulnerabilities from being exploited after the publication of this report. The mitigation of the vulnerabilities was through security fixes done in coordination with the vendors."

The flaws are not a surprise, the security company added. "Releasing a large amount of new code into the wild in a short time creates an excellent opportunity for attackers," the report said, adding that it's up to everyone to examine such code before rolling it out too widely."

"It takes a village to raise a child," the report said. "And it pays to allow new technology to mature before planning for a significant change of infrastructure. Applying the same concept to new protocols, vendors alone cannot make a new protocol secure, it takes the full strength of the security industry to harden the extended attack surface."

Advertisement - Article continues below

HTTP/2 is a leap forward for the standard that underpins the web. One of its major benefits is the introduction of multiplexing and concurrency, which allows multiple requests to be sent in succession and out of order on the same TCP connection, cutting the need for multiple connections between the client machine and the server, Akamai notes. To see the difference in performance, check out Akamai's HTTP/2 demo here

Advertisement

Recommended

Visit/security/cyber-security/355185/165-million-britons-experienced-a-cyber-crime-in-the-past-year
cyber security

Report: 16.5 million Britons fell victim to cyber crime in the past year

1 Apr 2020
Visit/cloud/amazon-web-services-aws/355183/aws-launches-amazon-detective
Amazon Web Services (AWS)

AWS launches Amazon Detective for investigating security incidents

1 Apr 2020
Visit/security/privacy/355182/government-to-launch-coronavirus-contact-tracking-app
privacy

UK government to launch coronavirus 'contact tracking' app

1 Apr 2020
Visit/software/video-conferencing/355180/zoom-does-not-use-end-to-end-encrypted
video conferencing

Zoom admits meetings don't use end-to-end encryption

1 Apr 2020

Most Popular

Visit/development/application-programming-interface-api/355192/apple-buys-dark-sky-weather-app-and-leaves
application programming interface (API)

Apple buys Dark Sky weather app and leaves Android users in the cold

1 Apr 2020
Visit/security/cyber-crime/355171/fbi-warns-of-zoom-bombing-hackers-amidst-coronavirus-usage-spike
cyber crime

FBI warns of ‘Zoom-bombing’ hackers amid coronavirus usage spike

31 Mar 2020
Visit/data-insights/data-management/355170/oracle-cloud-courses-are-free-during-coronavirus-lockdown
data management

Oracle cloud courses are free during coronavirus lockdown

31 Mar 2020