Four major flaws found (and fixed) in HTTP/2

The speedier successor to HTTP had vulnerabilities, according to Imperva

The next version of the network protocol that holds up the web, HTTP/2, has four major security vulnerabilities. 

HTTP/2 is a speedier, more technically advanced version of the current HTTP 1.1, and is slowly being rolled out across the web after the standard was approved in February 2015. It is already supported by major browsers - Chrome, Firefox, IE11, Edge, Safari, and Opera - and is thought to be used by about one in ten websites. 

Imperva researchers first noticed the flaws in November 2015. "It was like dj vu all over again; five years had gone by since the last high-profile slow-read attack on HTTP 1.1  Slowloris attack  had taken down major credit card processors," the researchers said in a blog post.

Now, it was HTTP/2 that was at risk to such slow-read attacks, alongside three other attack vectors. "The [slow read] attack calls on a malicious client to read responses very slowly and is strikingly identical to the well-known Slowloris DDoS attack experienced by major credit card processors in 2010," they explained. 

Advertisement - Article continues below

Alongside that, they found it was possible to use a dependency cycle attack, which forces the server into an infinite loop, as well as stream multiplexing abuse, in which the hacker crashes a server to deny service to legitmate users. And then there is the HPACK bomb.

"This compression-layer attack resembles a zip bomb," the researchers said. "The attacker crafts small and seemingly innocent messages that turn into a significant amount of data (in gigabytes) on the server, bloating memory footprint and results in poor performance."

Despite the discovery of four major flaws, there's no reason to panic as the flaws are already fixed. "The vendors were notified of all the vulnerabilities described in this document before publishing," the Imperva report noted. "We coordinated a responsible disclosure process with Microsoft, Apache, Nginx, Jetty and nghttp communities to prevent these vulnerabilities from being exploited after the publication of this report. The mitigation of the vulnerabilities was through security fixes done in coordination with the vendors."

The flaws are not a surprise, the security company added. "Releasing a large amount of new code into the wild in a short time creates an excellent opportunity for attackers," the report said, adding that it's up to everyone to examine such code before rolling it out too widely."

"It takes a village to raise a child," the report said. "And it pays to allow new technology to mature before planning for a significant change of infrastructure. Applying the same concept to new protocols, vendors alone cannot make a new protocol secure, it takes the full strength of the security industry to harden the extended attack surface."

HTTP/2 is a leap forward for the standard that underpins the web. One of its major benefits is the introduction of multiplexing and concurrency, which allows multiple requests to be sent in succession and out of order on the same TCP connection, cutting the need for multiple connections between the client machine and the server, Akamai notes. To see the difference in performance, check out Akamai's HTTP/2 demo here

Featured Resources

The essential guide to cloud-based backup and disaster recovery

Support business continuity by building a holistic emergency plan

Download now

Trends in modern data protection

A comprehensive view of the data protection landscape

Download now

How do vulnerabilities get into software?

90% of security incidents result from exploits against defects in software

Download now

Delivering the future of work - now

The CIO’s guide to building the unified digital workspace for today’s hybrid and multi-cloud strategies.

Download now



Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

Microsoft Azure

Microsoft, not Amazon, is going to win the cloud wars

30 Nov 2019
Amazon Web Services (AWS)

What to expect from AWS Re:Invent 2019

29 Nov 2019
Business strategy

Huawei takes the US trade sanctions into its own hands

3 Dec 2019
cyber security

Millions of text messages leaked through exposed TrueDialog server

2 Dec 2019