Four major flaws found (and fixed) in HTTP/2

The speedier successor to HTTP had vulnerabilities, according to Imperva

The next version of the network protocol that holds up the web, HTTP/2, has four major security vulnerabilities. 

HTTP/2 is a speedier, more technically advanced version of the current HTTP 1.1, and is slowly being rolled out across the web after the standard was approved in February 2015. It is already supported by major browsers - Chrome, Firefox, IE11, Edge, Safari, and Opera - and is thought to be used by about one in ten websites. 

Imperva researchers first noticed the flaws in November 2015. "It was like déjà vu all over again; five years had gone by since the last high-profile slow-read attack on HTTP 1.1, the Slowloris attack, had taken down major credit card processors," the researchers said in a blog post.

Now, it was HTTP/2 that was at risk to such slow-read attacks, alongside three other attack vectors. "The [slow read] attack calls on a malicious client to read responses very slowly and is strikingly identical to the well-known Slowloris DDoS attack experienced by major credit card processors in 2010," they explained. 


Alongside that, they found it was possible to use a dependency cycle attack, which forces the server into an infinite loop, as well as stream multiplexing abuse, in which the attacker crashes the server to deny service to legitimate users. And then there is the HPACK bomb.

"This compression-layer attack resembles a zip bomb," the researchers said. "The attacker crafts small and seemingly innocent messages that turn into a significant amount of data (in gigabytes) on the server, bloating the memory footprint and resulting in poor performance."
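The fix vendors shipped for this class of bug is a bound on how much decoded header data a server will buffer per block. As an added illustration (not code from the article or from Imperva's report), here is a simplified HPACK-style decoder that enforces such a cap; the two-opcode wire format, the dynamic-table indexing and the sample block are constructed assumptions, not real RFC 7541 encoding.

```python
# Added example: a simplified HPACK-like decoder with a decoded-size cap.
# Real HPACK (RFC 7541) also has a static table, Huffman coding and
# variable-length integers; those are omitted so the bound stays visible.
from dataclasses import dataclass, field

ENTRY_OVERHEAD = 32  # RFC 7541 section 4.1 adds 32 bytes per entry in size math


class HeaderListTooLarge(Exception):
    """Decoded headers exceeded the configured limit; the stream should be reset."""


@dataclass
class BoundedDecoder:
    max_header_list_size: int                  # cap on decoded bytes per block
    table: list = field(default_factory=list)  # dynamic table, newest entry first

    def decode(self, block):
        """block: list of ("literal", name, value) or ("indexed", position) ops."""
        headers, decoded = [], 0
        for op in block:
            if op[0] == "literal":
                _, name, value = op
                self.table.insert(0, (name, value))  # literal with incremental indexing
            elif op[0] == "indexed":
                name, value = self.table[op[1]]      # one-byte reference to a stored entry
            else:
                raise ValueError(f"unknown op {op[0]!r}")
            decoded += len(name) + len(value) + ENTRY_OVERHEAD
            if decoded > self.max_header_list_size:  # check before buffering more
                raise HeaderListTooLarge(decoded)
            headers.append((name, value))
        return headers


def wire_size(block):
    """Approximate encoded bytes: a literal carries its bytes, an index is one byte."""
    return sum(1 + len(op[1]) + len(op[2]) if op[0] == "literal" else 1 for op in block)


def amplification(block, cap):
    """Ratio of decoded bytes to wire bytes when the block is accepted under `cap`."""
    headers = BoundedDecoder(cap).decode(block)
    return sum(len(n) + len(v) + ENTRY_OVERHEAD for n, v in headers) / wire_size(block)


def rejected_at(block, cap):
    """Decoded byte count at which a capped decoder rejects the block, or None."""
    try:
        BoundedDecoder(cap).decode(block)
    except HeaderListTooLarge as exc:
        return exc.args[0]
    return None


# Constructed sample: one 4 KB literal stored in the table, then 100 references to it.
SAMPLE_BLOCK = [("literal", "x", "a" * 4000)] + [("indexed", 0)] * 100
```

With no effective cap the sample inflates roughly a hundredfold; with a 64 KB cap the decoder rejects it after the 17th entry instead of buffering the whole block.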

Despite the discovery of four major flaws, there's no reason to panic as the flaws are already fixed. "The vendors were notified of all the vulnerabilities described in this document before publishing," the Imperva report noted. "We coordinated a responsible disclosure process with Microsoft, Apache, Nginx, Jetty and nghttp communities to prevent these vulnerabilities from being exploited after the publication of this report. The mitigation of the vulnerabilities was through security fixes done in coordination with the vendors."

The flaws are not a surprise, the security company added. "Releasing a large amount of new code into the wild in a short time creates an excellent opportunity for attackers," the report said, adding that it's up to everyone to examine such code before rolling it out too widely.

"It takes a village to raise a child," the report said. "And it pays to allow new technology to mature before planning for a significant change of infrastructure. Applying the same concept to new protocols, vendors alone cannot make a new protocol secure, it takes the full strength of the security industry to harden the extended attack surface."

HTTP/2 is a leap forward for the standard that underpins the web. One of its major benefits is the introduction of multiplexing and concurrency, which allows multiple requests to be sent in succession and out of order on the same TCP connection, cutting the need for multiple connections between the client machine and the server, Akamai notes. To see the difference in performance, check out Akamai's HTTP/2 demo.
