Four major flaws found (and fixed) in HTTP/2

The speedier successor to HTTP had vulnerabilities, according to Imperva

The next version of the network protocol that holds up the web, HTTP/2, has four major security vulnerabilities. 

HTTP/2 is a speedier, more technically advanced version of the current HTTP 1.1, and is slowly being rolled out across the web after the standard was approved in February 2015. It is already supported by major browsers - Chrome, Firefox, IE11, Edge, Safari, and Opera - and is thought to be used by about one in ten websites. 

Imperva researchers first noticed the flaws in November 2015. "It was like déjà vu all over again; five years had gone by since the last high-profile slow-read attack on HTTP 1.1 - Slowloris attack - had taken down major credit card processors," the researchers said in a blog post.

Now, it was HTTP/2 that was at risk to such slow-read attacks, alongside three other attack vectors. "The [slow read] attack calls on a malicious client to read responses very slowly and is strikingly identical to the well-known Slowloris DDoS attack experienced by major credit card processors in 2010," they explained. 


Alongside that, they found it was possible to use a dependency cycle attack, which forces the server into an infinite loop, as well as stream multiplexing abuse, in which the hacker crashes a server to deny service to legitimate users. And then there is the HPACK bomb.

"This compression-layer attack resembles a zip bomb," the researchers said. "The attacker crafts small and seemingly innocent messages that turn into a significant amount of data (in gigabytes) on the server, bloating memory footprint and results in poor performance."
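The HPACK bomb works at the compression layer, so the defence the patched servers rely on is to cap what a header block expands to, not just what arrives on the wire. The toy decoder below is an added example, not code from Imperva's report or from any of the servers named in the article; it models only HPACK's dynamic-table indexing (RFC 7541), and the instruction tuples, the 64 KiB default and the sample blocks are constructed assumptions for illustration.

```python
# Added example, not code from Imperva's report or from any server named above.
# A toy model of HPACK's dynamic table (RFC 7541) showing the defensive check the
# fixes rely on: bound the *decoded* header size, not just the bytes received.
# The instruction tuples and the 64 KiB default limit are assumptions for illustration.

class HeaderListTooLarge(Exception):
    """Decoded headers exceed the advertised SETTINGS_MAX_HEADER_LIST_SIZE."""

class ToyHpackDecoder:
    """Two instruction kinds only (no static table, Huffman coding or size updates):
      ("literal", name, value): add the pair to the dynamic table and emit it
      ("indexed", i):           emit dynamic-table entry i again (one byte on the wire)
    """
    def __init__(self, max_header_list_size=64 * 1024):
        self.table = []  # newest entry first, as in RFC 7541
        self.max_header_list_size = max_header_list_size

    def decode(self, instructions):
        headers, decoded_size = [], 0
        for ins in instructions:
            if ins[0] == "literal":
                _, name, value = ins
                self.table.insert(0, (name, value))
            else:
                name, value = self.table[ins[1]]
            # RFC 7540 6.5.2: each field counts len(name) + len(value) + 32 octets.
            decoded_size += len(name) + len(value) + 32
            if decoded_size > self.max_header_list_size:
                # Refuse before fully expanding instead of allocating the rest.
                raise HeaderListTooLarge(f"{decoded_size} > {self.max_header_list_size}")
            headers.append((name, value))
        return headers

def wire_size(instructions):
    """Approximate bytes on the wire: 1 per indexed reference, name+value+2 per literal."""
    return sum(1 if ins[0] == "indexed" else len(ins[1]) + len(ins[2]) + 2
               for ins in instructions)

def decode_ratio(instructions, limit=64 * 1024):
    """Return (wire_bytes, decoded_bytes); decoded_bytes is None if the decoder refused."""
    try:
        headers = ToyHpackDecoder(limit).decode(instructions)
    except HeaderListTooLarge:
        return wire_size(instructions), None
    return wire_size(instructions), sum(len(n) + len(v) + 32 for n, v in headers)

# Constructed samples: an ordinary block, and one that re-references a 4 KiB entry
# thousands of times so under 10 KiB on the wire would expand to ~20 MiB in memory.
NORMAL_BLOCK = [("literal", "x-request-id", "abc123")] + [("indexed", 0)] * 3
BLOATED_BLOCK = [("literal", "x-pad", "A" * 4096)] + [("indexed", 0)] * 5000
```

With the limit in place the bloated block is rejected after the first few kilobytes of expansion; raising the limit to 100 MiB is what lets it inflate fully, which is the behaviour the unpatched servers exhibited.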

Despite the discovery of four major flaws, there's no reason to panic as the flaws are already fixed. "The vendors were notified of all the vulnerabilities described in this document before publishing," the Imperva report noted. "We coordinated a responsible disclosure process with Microsoft, Apache, Nginx, Jetty and nghttp communities to prevent these vulnerabilities from being exploited after the publication of this report. The mitigation of the vulnerabilities was through security fixes done in coordination with the vendors."

The flaws are not a surprise, the security company added. "Releasing a large amount of new code into the wild in a short time creates an excellent opportunity for attackers," the report said, adding that it's up to everyone to examine such code before rolling it out too widely.

"It takes a village to raise a child," the report said. "And it pays to allow new technology to mature before planning for a significant change of infrastructure. Applying the same concept to new protocols, vendors alone cannot make a new protocol secure, it takes the full strength of the security industry to harden the extended attack surface."

HTTP/2 is a leap forward for the standard that underpins the web. One of its major benefits is the introduction of multiplexing and concurrency, which allows multiple requests to be sent in succession and out of order on the same TCP connection, cutting the need for multiple connections between the client machine and the server, Akamai notes. To see the difference in performance, check out Akamai's HTTP/2 demo.
