SafeUM
Home Blog Services Download Help About Recharge

Axarhöfði 14, 110 Reykjavik, Iceland

Iceland - 2015
SafeUM
Blog
Services
Download
Help
About
Recharge
Menu
Archive
TOP Security!
4 Aug 2016

Flaws hit HTTP/2 protocol that could allow hackers to disrupt servers

Security researchers have uncovered at least four flaws in the HTTP/2 protocol, the successor to HTTP that was launched properly only in May last year, after Google rolled up its SPDY project into HTTP/2 in February.

The flaws enable attackers to slow web servers by overwhelming them with seemingly innocent messages that carry a payload of gigabytes of data, putting them into infinite loops and even causing them to crash.

The HTTP/2 protocol can be divided into three layers: the transmission layer, including streams, frames and flow control; the HPACK binary encoding and compression protocol; and the semantic layer, which is an enhanced version of HTTP/1.1 enriched with server-push capabilities. But new research by Imperva (PDF) has highlighted what the security firm claims are four key vulnerabilities in HTTP/2. These are:

Slow read

This attack calls on a malicious client to read responses very slowly, and is identical to the well known Slowloris distributed denial-of-service attack experienced by major credit card processors in 2010.

"Despite slow read attacks being well studied in the HTTP/1.x ecosystem, they are still effective, this time in the application layer of HTTP/2 implementations. The Imperva Defence Centre identified variants of this vulnerability across most popular web servers, including Apache, IIS, Jetty, NGINX and nghttp2," said Imperva.

HPACK bomb

This compression-layer attack resembles a 'decompression bomb'. The attacker crafts small and seemingly innocent messages that turn into gigabytes of data on the server. This consumes all the server memory resources and effectively makes it unavailable.

Dependency cycle attack

This attack takes advantage of the flow control mechanisms that HTTP/2 introduced for network optimisation. The malicious client crafts requests that induce a dependency cycle, which forces the server into an infinite loop as it tries to process these dependencies.

Stream multiplexing abuse

The attacker uses flaws in the way servers implement the stream multiplexing functionality to crash the server, resulting in a denial of service to legitimate users. The four flaws come at a time when deployment of HTTP/2 is expanding fast. Some 85 million websites, or around nine per cent of all websites, had adopted it by August 2016, according to W3Techs, less than one year after it was introduced.

"The general web performance improvements and specific enhancements for mobile applications introduced in HTTP/2 are a potential boon for internet users," said Amichai Shulman, co-founder and chief technology officer of Imperva. "However, releasing a large amount of new code into the wild in a short time creates an excellent opportunity for attackers. While it is disturbing to see known HTTP 1.x threats introduced in HTTP/2, it's hardly surprising.

"As with all new technology, it is important for businesses to perform due diligence and implement safeguards to harden the extended attack surface and protect critical business and consumer data from ever-evolving cyber threats." The flaws take advantage of features of HTTP/2 that were intended to reduce bandwidth use and round trips, while speeding up the loading time of web pages. "The primary motivation for the transition into binary encoding and HPACK compression is to reduce bandwidth, while the other components are designed to reduce round trips and accelerate the loading time of complex web pages," said Imperva.

"Thus, HTTP/2 is expected to significantly improve the loading time and the overall browsing experience of web users while sometimes putting a heavier computational burden on servers." HTTP can be traced back to 1965 and the development of the client-server model of computing. It's a simple request-response protocol used by Sir Tim Berners-Lee when he was formulating the World Wide Web in 1989. HTTP/2 is based largely on Google's experimental SPDY project and is supported by Chrome, Opera, Firefox, Internet Explorer 11, Edge, Safari and Amazon Silk.

Tags:
information leaks
Source:
TheINQUIRER
1625
Other NEWS
3 Jul 2020 safeum news imgage An encrypted messaging service has been infiltrated by police
4 May 2020 safeum news imgage Two-Factor Authentication ​What Is It and Why You Should Use It
12 Dec 2019 safeum news imgage Encryption is under threat - this is how it affects you
4 Nov 2019 safeum news imgage Should Big Decisions Be Based on Data or Your Intuition?
7 Jun 2018 safeum news imgage VPNFilter malware infecting 500,000 devices is worse than we thought
4 Jun 2018 safeum news imgage Hackers target Booking.com in criminal bid to steal hundreds of thousands from customers
1 Jun 2018 safeum news imgage Operator of World's Top Internet Hub Sues German Spy Agency
30 May 2018 safeum news imgage US says North Korea behind malware attacks
29 May 2018 safeum news imgage Facebook and Google targeted as first GDPR complaints filed
25 May 2018 safeum news imgage A new reason to not buy these cheap Android devices
24 May 2018 safeum news imgage Flaws in smart pet devices, apps could come back to bite owners
23 May 2018 safeum news imgage Google sued for 'clandestine tracking' of 4.4m UK iPhone users' browsing data
21 May 2018 safeum news imgage LocationSmart reportedly leaked phone location data onto the web
18 May 2018 safeum news imgage The SEC created its own scammy ICO to teach investors a lesson
17 May 2018 safeum news imgage Thieves suck millions out of Mexican banks in transfer heist
All news
SafeUM
Confidential Terms of Use Our technologies Company
Follow us
Download
SafeUM © Safe Universal Messenger

Axarhöfði 14,
110 Reykjavik, Iceland

Iceland - 2015