HTTP/2 has vulnerabilities that threaten millions of pages

HTTP/2, as well know the professionals sector, is a protocol released a few months ago and enhances the original HTTP. Among other features, it eliminates existing bugs and improves performance of the first release. However, it seems that what was thought to be perfect it is not so. The protocol allows a greater number of messages in the exchange of them between computers and servers, allowing us to navigate more pages at the same time it will increase the loading speed. However, we should be careful.

http 2 protocol

Security researchers have discovered that the HTTP/2 protocol has a total of four major faults that may allow an attacker to slow down both web servers and make them fall completely. After some analysis, verified vulnerabilities that were already known and exploited in HTTP/1.X. We should note that the protocol is adopted by many pages for months, so that they could be in danger.

Failures allow attacks slow reading, similar to the Slowloris DDoS attacks, in addition to distributing denial of service so that the server response is slower. We must remember that the denial of service prevent, collapsing servers that services can function properly.

Also mention the attacks HPACK bomb (which allows the attacker to send messages that seemingly are small and safe, but become great), dependency cycle attack (which uses HTTP/2 flow control mechanisms) and stream multiplexing abuse (allowing benefit from failure multiplexing functionality in order to block the server).

For users who do not know yet, HTTP/2, or also known as HTTP/2.0, is a new generation of the HTTP protocol. Created by the HTTP group that based on the SPDY protocol from Google, this new generation was made to improve the loading speed of websites and other bugs, including the bug that causes the Err_SPDY_Protocol_Error error in Google Chrome.

Currently, more than 85 million pages use the HTTP/2 protocol, so they are vulnerable to attacks that we have mentioned. In any case, it is expected that the package maintainers can post an update or patch that avoids future problems, both in operation and safety.

Leave a Reply