This is an overview of HTTP2 and security features and issues.

1. HTTP/2
A Security Perspective

2. Who am I?
• Not a pen-tester <Not-yet/>
• Threat Analysis Engineer
• With NULL since 2009.
• PC Gamer
• https://github.com/sunilkr
• @_badbot

3. HTTP Trivia
•ISO-OSI Layer ?
•Official versions till dates?
•Rivaled by?
•How old is HTTP?

4. HTTP Trivia
•For most of us:
HTTP  WWW  Internet.

5. HTTP Evolution
• Started by Sir Tim Berners-Lee in 1989.
• Originally designed for transferring HyperText
(HTML).
• The intention was to create links between pages;
The “Web”.

6. HTTP/0.9
• Never an official version.
• No RFC.
• Specification is only a couple of pages.
• Clients requests an HyperText document, Server delivers.
• Client creates connection.
• Client sends GET request.
• Server sends HTML document.
• Server terminates connection marking end of message.
• Requests are idempotent.

7. HTTP/1.0
• RFC 1945 - May 1996.
• HTTP became a true messaging protocol.
• Defined request and response headers.
• Added methods:
• HEAD
• POST
• Added support for other media formats (MIME
Types).
• Basic Authentication.

8. HTTP/1.1
RFC 2068 in 1997 (obsoleted by RFC 2616 in 1999)
• Added more methods
• OPTIONS
• PUT
• DELETE
• TRACE
• CONNECT
• More status codes
• Reusable connection.
• Virtual Hosts.
• Bandwidth Management.
• Caching.
• Response streaming.

9. HTTP/1.1
Hyper Text Transfer Protocol
GET /download.html HTTP/1.1
Host: www.ethereal.com
User-Agent: Mozilla/5.0
Accept: text/html;q=0.9
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.ethereal.com/l
HTTP/1.1 200 OK
Date: Thu, 13 May 2004 10:17:12 GMT
Server: Apache
Last-Modified: Tue, 20 Apr 2004 13:17:00 GMT
ETag: "9a01a-4696-7e354b00"
Accept-Ranges: bytes
Content-Length: 18070
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=ISO-8859-1
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
…………

10. Why new HTTP?
• Inadequate use of TCP
• Not enough data in
request/responses.
• One transaction per round-trip.
• Head of line blocking
• Some requests may take longer
than others.
• Pipelining issues
• Few connections per host.
• Bloated HTTP headers
• Extremely large cookies
• Headers are not compressed.
Host: cat.hk.as.criteo.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0)
Gecko/20100101 Firefox/49.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer:
https://cas.criteo.com/delivery/afr.php?ptv=9&abp=1&zoneid=38
8248&cb=84495440049&nodis=1&charset=UTF-
8&dc=3&atfr=0&loc=https%3A%2F%2Fvanwilgenburg.wordpress.c
om%2F2015%2F11%2F22%2Fhow-to-capture-and-decode-http2-
traffic-with-wireshark%2F
Cookie:
eid=*1Ap7Pr2f7E5MRKE2nWevBcU%2bbUWL%2fuELr2TfCeknIxMr
e7BHXU6sl2NOQ4xTQMmmcE%2fpP%2f%2bjxgjT58Z7cfzeaEgdxXS
V8Qz7wMC5KYLeuAsFgza%2bISy%2bAQqOYhm%2bmQaI%2bshaK
0wLrQIDUhYtySDPYgiYB0g7Ncyx%2fbWiN%2fcVQc%2bwBbEN5EV
wYHNxqGp16wuoMx%2fBeDaihRV5HTFWsxXUImZAj5bXhai5mB0
9GzaWh%2brUlJ4Nd7hQdTpiZwm3faLd2YHKH1z9ApJQo%2bwpae
Z0Us6%2ffjHcleA6Qit5aTkR1HVNbtGU1kaSQarbWS5GGv0k5wp0lk
udhKVcSSp4VZQQPoF%2b1R1RM%2bObYZ%2fx71VmxY2iBV9wQLR
K7byMp%2fuPDnog7;
udc=*1LbahqkXZ3D4c7uvf%2fuPM6w%3d%3d;
zdi=*1b4U4KpFuuqNUwsFewyLzxQ%3d%3d; uid=c0789c78-f944-
4ff1-a605-515e662a5088;
__gads=ID=31ee0d4ce58ad5f9:T=1475937455:S=ALNI_MYSo0crw
SD7kqO6l4QkHSG463W3Fw
Connection: keep-alive

11. The big problem of Latency

12. Solving the Latency problem
•Spriting
• Partial images.
•Inlining
• data URI.
•Concatenation
• One big file.
•Sharding
• Multiple Virtual Hosts
• Cache-invalidation
issues.
• More data transferred
than actually required.
• Development mess.
• Browsers need to wait
more.
• Server administration
issues

13. HTTP/2 - Overview
• RFC 7540 published on 15th May 2015.
• RFC7541 defines HPACK.
• Based on SPDY/3.x by Google.
• Retains HTTP/1.x semantics.
• Retains http:// and https:// URL formats.
• Still using TCP.
• No more minor versions.
• Next is HTTP/3
• Reduces optional parts of HTTP.

14. HTTP/2 - Features
• Binary framing.
• Stream multiplexing.
• Priorities and Dependencies.
• Header compression.
• Server push.
• Flow control.
• Protocol upgrade.

15. HTTP/2 – Binary framing
• Total frame header (9 bytes)
• Length (3 bytes)
• 3 bytes (24 bits) unsigned int value
• Can be changed by sending SETTING_MAX_FRAME_SIZE
• Does not include header length.
• Type (1 byte)
• Frame type
• Flags (1 byte)
• Specific to frame type.
• Stream ID (4 bytes)
• Reserved (1 bit)
• ID (31 bits)
• Payload (<length> bytes)

16. HTTP/2 – Stream Multiplexing
• One packet may contain many STREAM (Multiplexed)
• STREAM can be split over multiple packets/frames
• CONTINUE frame
• STREAM has multiple frames
• HEADERS Frame
• DATA Frame
• Frame Types:
• PRIORITY
• RST_STREAM
• SETTINGS
• PUSH_PROMISE
• PING
• GO_AWAY
• WINDOW_UPDATE

17. HTTP/2 – Priorities & Dependencies
• Response may not be served in order of requests.
• Creates a dependency tree and assign weight.
• Prioritize streams based on weight.

18. HTTP/2 – Header Compression
• HPACK (RFC 7541)
• Pseudo-headers
• Uses 2 tables to map headers to
indexes and preserve ordering
• Static Table
• Used to index fixed list of standard
headers.
• Dynamic Table
• Used to index custom/non-standard
headers
• Strings and Integer values are
represented differently to save
space.
• Can use Huffman coding for
encoding actual values.
:method: GET
:scheme: http
:path: /
:authority: www.example.com
Byte Decoding Value
82 == Indexed - Add ==
idx = 2
:method: GET
86 == Indexed - Add ==
idx = 6
:scheme: http
84 == Indexed - Add ==
idx = 4
:path: /
41 == Literal indexed ==
Indexed name
(idx = 1)
:authority
0f Literal value (len = 15) 15
7777 772e 6578 616d 706c 652e 636f 6d www.example.com
8286 8441 0f77 7777 2e65 7861 6d70 6c65

19. HTTP/2 – Server Push
• Server sends data even before client requests.
• Client holds extra data in cache.
• Server sends a PUSH_PROMISE frame identifying pushed stream
• HEADERS frame of pushed stream is not like usual response
headers.
• Contains :path of pushed stream DATA.
• Client can reject pushed data.
• RST_STREAM.

20. HTTP/2 – Protocol Upgrade
• NPN (Next Protocol Negotiation)
• Designed for SPDY.
• Server’s offer, Client’s choice.
• Over TLS only.
• ALPN (Application Layer Protocol
Negotiation)
• HTTP/2 official.
• Client’s offer, Server’s choice.
• Part of TLS handshake.
• Upgrade header (Upgrade: h2c)
• To be used on un-encrypted HTTP.
• Requires 1 extra roundtrip.

21. HTTP/2 - Security
• Promoted TLS
• Minimum TLS version 1.2.
• Blacklisted Cipher-Suites.
• Minimum key-size requirement.
• No TLS renegotiation.
• Cross-protocol attacks
• TLS+ALPN.
• Not much in plain text.
• Intermediary Encapsulation Attacks
• Invalid header name/values should result in invalid request.
• Context aware compressi0n.
• BREACH/CRIME
• Frame Padding
• BREACH/CRIME

22. HTTP/2 – Security/2
• Huge rework for WAFs
• HTTP/2 is binary.
• Can use a proxy to translate to HTTP/1.1 traffic.
• Opportunistic encryption
• Alt-Svc header.
• Connection Reuse
• Action correlation.
• Caching of server push
• Limits on HEADERS block size
• Denial of Service
• Slow Read (CVE-2016-1546)
• HPACK Bomb (CVE-2016-1544, CVE-2016-2525)
• Dependency Cycle Attack (CVE-2015-8659)
• Stream Multiplexing Abuse (CVE-2016-0150)

23. The Future : QUIC
• Quick UDP Internet Connections
• TCP + TLS + HTTP/2 over UDP
• Long term enhancements to TCP
• No more 3 way handshake.
• Reduced Round Trip.
• Connection Migration.
• Proactive speculative retransmission.
• Automatic fallback to TCP.

24. You have a
question!?
All images are found via Google search. They belong to their respective owners.