Security researchers have uncovered at least four flaws in the HTTP/2 protocol, the successor to HTTP that was launched properly only in May last year, after Google rolled up its SPDY project into HTTP/2 in February.
The flaws enable attackers to slow web servers by overwhelming them with seemingly innocent messages that carry a payload of gigabytes of data, putting them into infinite loops and even causing them to crash.
The HTTP/2 protocol can be divided into three layers: the transmission layer, including streams, frames and flow control; the HPACK binary encoding and compression protocol; and the semantic layer, which is an enhanced version of HTTP/1.1 enriched with server-push capabilities. But new research by Imperva (PDF) has highlighted what the security firm claims are four key vulnerabilities in HTTP/2. These are:
Slow read
This attack calls on a malicious client to read responses very slowly, and is identical to the well-known Slowloris distributed denial-of-service attack experienced by major credit card processors in 2010.
"Despite slow read attacks being well studied in the HTTP/1.x ecosystem, they are still effective, this time in the application layer of HTTP/2 implementations. The Imperva Defence Centre identified variants of this vulnerability across most popular web servers, including Apache, IIS, Jetty, NGINX and nghttp2," said Imperva.
HPACK bomb
This compression-layer attack resembles a 'decompression bomb'. The attacker crafts small and seemingly innocent messages that turn into gigabytes of data on the server. This consumes all the server memory resources and effectively makes it unavailable.
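The defence against this class of attack is to enforce the decoded-size limit while decoding, not after. The following is an added example, not code from the article or from Imperva: a simplified model of HPACK-style header block decoding that applies a header-list size bound (the role RFC 7540's SETTINGS_MAX_HEADER_LIST_SIZE plays) on every field, so a short block that references one large dynamic-table entry thousands of times is rejected after a handful of fields. The `('add', …)` / `('ref', …)` op tuples and the sample blocks are constructed stand-ins for the real HPACK wire format; the helper names are this example's own.

```python
# Added example (not from the article or Imperva's research): a simplified model
# of HPACK-style header block decoding that enforces the decoded-size limit
# incrementally, so a tiny compressed block that references a large
# dynamic-table entry many times is rejected before it expands into memory.
# The op tuples are a constructed stand-in for the HPACK wire format.

class HeaderListTooLarge(Exception):
    """Raised as soon as the decoded header list would exceed the limit."""


def entry_size(name: bytes, value: bytes) -> int:
    # RFC 7541 section 4.1: an entry costs len(name) + len(value) + 32 octets
    return len(name) + len(value) + 32


def decode_headers(ops, max_header_list_size=16 * 1024, max_table_size=4096):
    """Yield (name, value) pairs decoded from a constructed op list.

    ops: ('add', name, value) -> literal header, also added to the dynamic table
         ('ref', index)       -> indexed reference into the dynamic table (1 = newest)
    """
    dynamic_table = []   # newest entry first, as in the HPACK dynamic table
    table_size = 0
    decoded_size = 0
    for op in ops:
        if op[0] == 'add':
            _, name, value = op
            size = entry_size(name, value)
            if size > max_table_size:
                # RFC 7541 section 4.4: an oversized entry empties the table
                dynamic_table.clear()
                table_size = 0
            else:
                dynamic_table.insert(0, (name, value))
                table_size += size
                while table_size > max_table_size:   # evict oldest entries
                    old_name, old_value = dynamic_table.pop()
                    table_size -= entry_size(old_name, old_value)
        elif op[0] == 'ref':
            index = op[1]
            if not 1 <= index <= len(dynamic_table):
                raise ValueError(f'invalid dynamic table index {index}')
            name, value = dynamic_table[index - 1]
            size = entry_size(name, value)
        else:
            raise ValueError(f'unknown op {op[0]!r}')
        # Check before emitting: the bound is applied to every field, so the
        # decoder never materialises more than max_header_list_size octets.
        decoded_size += size
        if decoded_size > max_header_list_size:
            raise HeaderListTooLarge(
                f'decoded header list exceeds {max_header_list_size} octets')
        yield (name, value)


def try_decode(ops, **limits):
    """Return (headers decoded before any abort, error message or None)."""
    headers = []
    try:
        for header in decode_headers(ops, **limits):
            headers.append(header)
    except HeaderListTooLarge as exc:
        return headers, str(exc)
    return headers, None


# Constructed sample inputs (not captured traffic).
BENIGN_BLOCK = [('add', b':method', b'GET'), ('add', b':path', b'/index.html')]
# Bomb-shaped block: one 4000-octet entry, then the same entry referenced
# repeatedly; only the 'add' op carries real bytes on the wire.
BOMB_SHAPED_BLOCK = [('add', b'x', b'A' * 4000)] + [('ref', 1)] * 1000

if __name__ == '__main__':
    print(try_decode(BENIGN_BLOCK))
    partial, err = try_decode(BOMB_SHAPED_BLOCK)
    print(len(partial), 'fields decoded before abort:', err)
```

With the default 16 KiB limit the bomb-shaped block is stopped after four fields, each 4033 octets, rather than after the full thousand; the important design point is that the counter is checked per field inside the decoder, since a check on the finished header list would run only after the memory had already been consumed.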
Dependency cycle attack
This attack takes advantage of the flow control mechanisms that HTTP/2 introduced for network optimisation. The malicious client crafts requests that induce a dependency cycle, which forces the server into an infinite loop as it tries to process these dependencies.
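HTTP/2's priority tree is the structure such a cycle would be created in, and RFC 7540 section 5.3.3 specifies how a server must reorder the tree when a client asks a stream to depend on one of its own descendants. The following is an added example, not the article's code or any server's implementation: a minimal priority tree that applies that rule, plus a cycle check a server's test suite could run. The stream ids and the tree shape are constructed sample values (they mirror the figure in the RFC), and the class and method names are this example's own.

```python
# Added example (not the article's code or any server's implementation): a
# minimal HTTP/2 stream priority tree that applies the RFC 7540 section 5.3.3
# reprioritisation rule, so a client-chosen dependency can never close a cycle
# and code walking the tree cannot loop forever. Stream ids are constructed.

ROOT = 0            # stream 0 is the implicit root of the dependency tree
DEFAULT_WEIGHT = 16


class PriorityTree:
    def __init__(self):
        self.parent = {}   # stream id -> parent stream id (ROOT for top level)
        self.weight = {}

    def _normalise(self, stream_id, depends_on, weight):
        if stream_id == depends_on:
            # RFC 7540 section 5.3.1: a self-dependency is a PROTOCOL_ERROR
            raise ValueError(f'stream {stream_id} cannot depend on itself')
        if depends_on != ROOT and depends_on not in self.parent:
            # Unknown parent: fall back to the default priority (section 5.3.1)
            return ROOT, DEFAULT_WEIGHT
        return depends_on, weight

    def add_stream(self, stream_id, depends_on=ROOT, weight=DEFAULT_WEIGHT):
        if stream_id in self.parent:
            raise ValueError(f'stream {stream_id} already exists')
        depends_on, weight = self._normalise(stream_id, depends_on, weight)
        self.parent[stream_id] = depends_on
        self.weight[stream_id] = weight

    def is_descendant(self, candidate, ancestor):
        """True if `candidate` lies in the subtree rooted at `ancestor`."""
        node = self.parent[candidate]
        while node != ROOT:
            if node == ancestor:
                return True
            node = self.parent[node]
        return False

    def reprioritise(self, stream_id, depends_on, weight=DEFAULT_WEIGHT):
        depends_on, weight = self._normalise(stream_id, depends_on, weight)
        if depends_on != ROOT and self.is_descendant(depends_on, stream_id):
            # Section 5.3.3: the requested parent sits inside stream_id's own
            # subtree. Move it (with its children) up to stream_id's current
            # parent first, keeping its weight, then attach stream_id under it.
            self.parent[depends_on] = self.parent[stream_id]
        self.parent[stream_id] = depends_on
        self.weight[stream_id] = weight

    def has_cycle(self):
        """Invariant check for tests: no path to ROOT may revisit a node."""
        for start in self.parent:
            seen = {start}
            node = self.parent[start]
            while node != ROOT:
                if node in seen:
                    return True
                seen.add(node)
                node = self.parent[node]
        return False


def demo():
    """Replay the RFC 7540 section 5.3.3 figure with constructed stream ids."""
    # x = ROOT, A = 1, B = 3, C = 5, D = 7, E = 9, F = 11
    tree = PriorityTree()
    tree.add_stream(1)
    tree.add_stream(3, depends_on=1)
    tree.add_stream(5, depends_on=1)
    tree.add_stream(7, depends_on=5)
    tree.add_stream(9, depends_on=5)
    tree.add_stream(11, depends_on=7)
    # The client asks A (1) to depend on D (7), which is A's own descendant.
    tree.reprioritise(1, depends_on=7)
    return tree


if __name__ == '__main__':
    t = demo()
    print(t.parent, 'cycle:', t.has_cycle())
```

After the reprioritisation D hangs directly off the root with F still beneath it, and A (with B, C and E) sits under D, which is the non-exclusive outcome the RFC's figure shows. Without the section 5.3.3 step the same request would set A's parent to D while D's ancestry still led back to A, and any loop that walks parent pointers upward, as `is_descendant` does, would never terminate.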
Stream multiplexing abuse
The attacker uses flaws in the way servers implement the stream multiplexing functionality to crash the server, resulting in a denial of service to legitimate users.

The four flaws come at a time when deployment of HTTP/2 is expanding fast. Some 85 million websites, or around nine per cent of all websites, had adopted it by August 2016, according to W3Techs, less than one year after it was introduced.
"The general web performance improvements and specific enhancements for mobile applications introduced in HTTP/2 are a potential boon for internet users," said Amichai Shulman, co-founder and chief technology officer of Imperva. "However, releasing a large amount of new code into the wild in a short time creates an excellent opportunity for attackers. While it is disturbing to see known HTTP 1.x threats introduced in HTTP/2, it's hardly surprising.
"As with all new technology, it is important for businesses to perform due diligence and implement safeguards to harden the extended attack surface and protect critical business and consumer data from ever-evolving cyber threats."

The flaws take advantage of features of HTTP/2 that were intended to reduce bandwidth use and round trips, while speeding up the loading time of web pages. "The primary motivation for the transition into binary encoding and HPACK compression is to reduce bandwidth, while the other components are designed to reduce round trips and accelerate the loading time of complex web pages," said Imperva.
"Thus, HTTP/2 is expected to significantly improve the loading time and the overall browsing experience of web users while sometimes putting a heavier computational burden on servers."

HTTP can be traced back to 1965 and the development of the client-server model of computing. It's a simple request-response protocol used by Sir Tim Berners-Lee when he was formulating the World Wide Web in 1989. HTTP/2 is based largely on Google's experimental SPDY project and is supported by Chrome, Opera, Firefox, Internet Explorer 11, Edge, Safari and Amazon Silk.