Four major flaws found (and fixed) in HTTP/2

The speedier successor to HTTP had vulnerabilities, according to Imperva

HTTP/2, the next version of the protocol that underpins the web, has been found to have four major security vulnerabilities in its server implementations.

HTTP/2 is a speedier, more technically advanced version of the current HTTP/1.1, and is slowly being rolled out across the web after the standard was approved in February 2015. It is already supported by the major browsers (Chrome, Firefox, Internet Explorer 11, Edge, Safari and Opera) and is thought to be used by about one in ten websites.

Imperva researchers first noticed the flaws in November 2015. "It was like déjà vu all over again; five years had gone by since the last high-profile slow-read attack on HTTP 1.1 (the Slowloris attack) had taken down major credit card processors," the researchers said in a blog post.

Now it was HTTP/2 that was at risk from such slow-read attacks, alongside three other attack vectors. "The [slow read] attack calls on a malicious client to read responses very slowly and is strikingly identical to the well-known Slowloris DDoS attack experienced by major credit card processors in 2010," they explained.
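To make the flow-control mechanism behind a slow read concrete, here is an added Python example (not Imperva's code, and not any server's implementation). It parses the HTTP/2 frames a client sends, tracks the send window the client grants on each stream (RFC 7540 section 5.2: the server may only send DATA up to that window, and the client extends it with WINDOW_UPDATE), and flags a connection where many streams are stalled with a zero window and a response still pending. The captured client bytes, the 100,000-byte response size, the 16 KiB WINDOW_UPDATE increment and the 32-stream threshold are constructed assumptions for illustration.

```python
"""HTTP/2 slow-read monitor (added example; not Imperva's tool or any server's code).
Models only the frame layout (RFC 7540 4.1), SETTINGS_INITIAL_WINDOW_SIZE and
WINDOW_UPDATE. The client capture below is constructed for illustration."""
import struct

FRAME_HEADERS, FRAME_SETTINGS, FRAME_WINDOW_UPDATE = 0x1, 0x4, 0x8
FLAG_END_STREAM, FLAG_END_HEADERS, FLAG_ACK = 0x1, 0x4, 0x1
SETTINGS_INITIAL_WINDOW_SIZE = 0x4
DEFAULT_WINDOW = 65535                 # RFC 7540 6.9.2 initial flow-control window


def frame(ftype, flags, stream_id, payload):
    """24-bit length, 8-bit type, 8-bit flags, 31-bit stream id, then the payload."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload)


def parse_frames(data):
    pos = 0
    while pos + 9 <= len(data):
        length = int.from_bytes(data[pos:pos + 3], "big")
        ftype, flags = data[pos + 3], data[pos + 4]
        sid = struct.unpack(">I", data[pos + 5:pos + 9])[0] & 0x7FFFFFFF
        payload = data[pos + 9:pos + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame")
        yield ftype, flags, sid, payload
        pos += 9 + length


class SlowReadMonitor:
    """Server-side view of the send window the client grants on each stream."""

    def __init__(self, response_size):
        self.response_size = response_size   # bytes the server wants to send per stream (assumption)
        self.initial_window = DEFAULT_WINDOW
        self.windows = {}                    # stream id -> bytes the server may still send
        self.remaining = {}                  # stream id -> response bytes not yet sent

    def feed(self, data):
        """Apply the client's SETTINGS, HEADERS and WINDOW_UPDATE frames."""
        for ftype, flags, sid, payload in parse_frames(data):
            if ftype == FRAME_SETTINGS and sid == 0 and not flags & FLAG_ACK:
                for off in range(0, len(payload), 6):
                    ident, value = struct.unpack(">HI", payload[off:off + 6])
                    if ident == SETTINGS_INITIAL_WINDOW_SIZE:
                        delta = value - self.initial_window
                        self.initial_window = value
                        for s in self.windows:           # 6.9.2: also adjusts open streams
                            self.windows[s] += delta
            elif ftype == FRAME_HEADERS and sid not in self.windows:
                self.windows[sid] = self.initial_window
                self.remaining[sid] = self.response_size
            elif ftype == FRAME_WINDOW_UPDATE and sid in self.windows:
                self.windows[sid] += struct.unpack(">I", payload)[0] & 0x7FFFFFFF

    def serve(self):
        """Stand-in for the server sending DATA: as much as each window allows."""
        sent = 0
        for sid in self.windows:
            n = max(0, min(self.windows[sid], self.remaining[sid]))
            self.windows[sid] -= n
            self.remaining[sid] -= n
            sent += n
        return sent

    def blocked_streams(self):
        """Streams with response left but no window: waiting on the client to read."""
        return [s for s in self.windows if self.remaining[s] > 0 and self.windows[s] <= 0]

    def is_slow_read(self, threshold=32):
        return len(self.blocked_streams()) >= threshold


def client_capture(streams, window=None, updates=0):
    """Constructed client bytes: optional SETTINGS shrinking the window, `streams`
    GET requests (HPACK static indexes 2 and 4: ':method GET', ':path /'), then
    `updates` rounds of 16 KiB WINDOW_UPDATE frames per stream."""
    out = b""
    if window is not None:
        out += frame(FRAME_SETTINGS, 0, 0, struct.pack(">HI", SETTINGS_INITIAL_WINDOW_SIZE, window))
    ids = range(1, 2 * streams, 2)           # client-initiated streams are odd-numbered
    for sid in ids:
        out += frame(FRAME_HEADERS, FLAG_END_STREAM | FLAG_END_HEADERS, sid, b"\x82\x84")
    for _ in range(updates):
        for sid in ids:
            out += frame(FRAME_WINDOW_UPDATE, 0, sid, struct.pack(">I", 16384))
    return out


def assess(streams, window=None, updates=0, response_size=100_000):
    """Returns (number of stalled streams, whether the connection looks like a slow read)."""
    mon = SlowReadMonitor(response_size)
    mon.feed(client_capture(streams, window, updates))
    mon.serve()
    return len(mon.blocked_streams()), mon.is_slow_read()
```

Two variants of the attack show up the same way: a client that advertises a one-byte initial window, and a client that accepts the default 65,535-byte window and then never sends WINDOW_UPDATE. In both, every stream ends up with a zero window and an unfinished response, which is the resource the server is left holding; a client that keeps extending the window as it reads leaves no stalled streams. A server-side mitigation along these lines is to time out streams that stay in that stalled state rather than hold them indefinitely.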

Alongside that, they found it was possible to mount a dependency cycle attack, in which crafted stream priority dependencies form a cycle that forces the server into an infinite loop, as well as stream multiplexing abuse, in which the attacker exploits flaws in how a server handles multiplexed streams to crash it and deny service to legitimate users. And then there is the HPACK bomb.

"This compression-layer attack resembles a zip bomb," the researchers said. "The attacker crafts small and seemingly innocent messages that turn into a significant amount of data (in gigabytes) on the server, bloating memory footprint and resulting in poor performance."
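An added example of the mechanism, not code from Imperva or from any of the affected servers: a minimal HPACK (RFC 7541) decoder covering the two representations the bomb relies on, the attacker's two header blocks, and the decoded-size cap that stops it. The attacker first sends a literal header whose value is large enough to fill the 4,096-byte dynamic table, then sends header blocks made of one-byte references to that entry; each byte decodes to the full entry. The 4,000-byte value, the 4,096 references and the 64 KiB cap are assumptions chosen for illustration, and the static table and Huffman coding are left out because the attack does not need them.

```python
"""HPACK bomb model (added example; not Imperva's code or any server's decoder)."""

STATIC_TABLE_SIZE = 61      # RFC 7541 Appendix A; dynamic entries start at index 62
ENTRY_OVERHEAD = 32         # RFC 7541 4.1: accounting overhead per table entry
DEFAULT_TABLE_SIZE = 4096   # default SETTINGS_HEADER_TABLE_SIZE (RFC 7540 6.5.2)


def encode_int(value, prefix_bits, flags=0):
    """RFC 7541 5.1 integer with an N-bit prefix; `flags` fills the high bits."""
    limit = (1 << prefix_bits) - 1
    if value < limit:
        return bytes([flags | value])
    out = bytearray([flags | limit])
    value -= limit
    while value >= 128:
        out.append(value % 128 + 128)
        value //= 128
    out.append(value)
    return bytes(out)


def decode_int(buf, pos, prefix_bits):
    """Inverse of encode_int; returns (value, position after the integer)."""
    limit = (1 << prefix_bits) - 1
    value = buf[pos] & limit
    pos += 1
    if value < limit:
        return value, pos
    shift = 0
    while True:
        b = buf[pos]
        pos += 1
        value += (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value, pos


def encode_string(data):
    """RFC 7541 5.2 string literal, raw (H=0) so no Huffman table is needed."""
    return encode_int(len(data), 7) + data


def decode_string(buf, pos):
    if buf[pos] & 0x80:
        raise ValueError("Huffman-coded strings are not modelled here")
    length, pos = decode_int(buf, pos, 7)
    return bytes(buf[pos:pos + length]), pos + length


class HpackDecoder:
    """Handles indexed fields and literals with incremental indexing only.
    max_header_list_size is the cap a hardened decoder enforces on the decoded
    header list (the size a server advertises as SETTINGS_MAX_HEADER_LIST_SIZE)."""

    def __init__(self, max_table_size=DEFAULT_TABLE_SIZE, max_header_list_size=None):
        self.max_table_size = max_table_size
        self.max_header_list_size = max_header_list_size
        self.dynamic = []        # newest entry first, as in RFC 7541 2.3.2
        self.dynamic_size = 0

    def _add(self, name, value):
        size = len(name) + len(value) + ENTRY_OVERHEAD
        while self.dynamic and self.dynamic_size + size > self.max_table_size:
            n, v = self.dynamic.pop()                      # evict the oldest entry
            self.dynamic_size -= len(n) + len(v) + ENTRY_OVERHEAD
        if size <= self.max_table_size:
            self.dynamic.insert(0, (name, value))
            self.dynamic_size += size

    def _lookup(self, index):
        i = index - STATIC_TABLE_SIZE - 1
        if i < 0 or i >= len(self.dynamic):
            raise ValueError("index %d not in the modelled dynamic table" % index)
        return self.dynamic[i]

    def decode(self, block):
        headers, list_size, pos = [], 0, 0
        while pos < len(block):
            b = block[pos]
            if b & 0x80:                       # 1xxxxxxx: indexed header field
                index, pos = decode_int(block, pos, 7)
                name, value = self._lookup(index)
            elif b & 0xC0 == 0x40:             # 01xxxxxx: literal with incremental indexing
                index, pos = decode_int(block, pos, 6)
                name, pos = decode_string(block, pos) if index == 0 else (self._lookup(index)[0], pos)
                value, pos = decode_string(block, pos)
                self._add(name, value)
            else:
                raise ValueError("representation 0x%02x not modelled" % b)
            list_size += len(name) + len(value) + ENTRY_OVERHEAD   # RFC 7540 6.5.2 accounting
            if self.max_header_list_size is not None and list_size > self.max_header_list_size:
                raise ValueError("decoded header list exceeds the configured limit")
            headers.append((name, value))
        return headers


def hpack_bomb(value_len=4000, references=4096):
    """Attacker's two header blocks (sizes are assumptions). Block 1 plants one entry
    of 1 + 4000 + 32 bytes, which fits the default table; block 2 is `references`
    one-byte indexed fields, each pointing at that entry (dynamic index 62)."""
    seed = encode_int(0, 6, 0x40) + encode_string(b"a") + encode_string(b"A" * value_len)
    bomb = encode_int(STATIC_TABLE_SIZE + 1, 7, 0x80) * references
    return seed, bomb


def run_attack(max_header_list_size=None):
    """Returns (bytes of block 2 on the wire, name+value bytes the server materialises);
    raises ValueError when the decoder's header-list cap stops the bomb."""
    seed, bomb = hpack_bomb()
    dec = HpackDecoder(max_header_list_size=max_header_list_size)
    dec.decode(seed)
    headers = dec.decode(bomb)
    return len(bomb), sum(len(n) + len(v) for n, v in headers)


def bomb_is_blocked(max_header_list_size):
    try:
        run_attack(max_header_list_size)
    except ValueError:
        return True
    return False
```

Under this model, 4,096 bytes on the wire decode to a little over 16 MB of header data (4,096 references of 4,001 bytes each); a full 16 KiB header block would be about 64 MB, and an attacker can repeat that block on many streams of one connection, which is where the gigabytes come from. With a 64 KiB cap on the decoded header list, the decoder rejects the block at the seventeenth reference instead of materialising it, and the connection can be dropped.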

Despite the discovery of four major flaws, there's no reason to panic as the flaws are already fixed. "The vendors were notified of all the vulnerabilities described in this document before publishing," the Imperva report noted. "We coordinated a responsible disclosure process with Microsoft, Apache, Nginx, Jetty and nghttp communities to prevent these vulnerabilities from being exploited after the publication of this report. The mitigation of the vulnerabilities was through security fixes done in coordination with the vendors."

The flaws are not a surprise, the security company added. "Releasing a large amount of new code into the wild in a short time creates an excellent opportunity for attackers," the report said, adding that it is up to everyone to examine such code before rolling it out too widely.

"It takes a village to raise a child," the report said. "And it pays to allow new technology to mature before planning for a significant change of infrastructure. Applying the same concept to new protocols, vendors alone cannot make a new protocol secure, it takes the full strength of the security industry to harden the extended attack surface."

HTTP/2 is a leap forward for the standard that underpins the web. One of its major benefits is multiplexing: multiple requests can be sent concurrently over a single TCP connection and their responses returned out of order, removing the need for several connections between the client machine and the server, as Akamai notes. Akamai has published an HTTP/2 demo that shows the difference in performance.
