28

I want to enable HTTP2 for several web servers but I'm worried about the possible security implications. I think about something like:

  • HTTP2 implementations are maybe more error-prone than mature HTTP1 implementations, so, for example, a zero-day is more likely
  • The WAF might not work with HTTP2 because it doesn't support the protocol

Are these problems really relevant and what could be additional problems?

  • I'd say performance concerns easily outweigh the security concerns. Apache web server, for example, had [4 recent security vulnerabilities](https://http2.pro/doc/Apache#notes-1), but 3 of them are denial of service attacks with [low risk](http://httpd.apache.org/security/vulnerabilities_24.html). – AKS Jul 12 '17 at 11:22
  • For reference, Google, Facebook, Yahoo, Wikipedia, and Twitter all use HTTP/2. – Nick T Jul 12 '17 at 17:05
  • Don't get too excited about old software being intrinsically more secure; heartbleed was there for more than a decade, and shellshock is pretty ancient too. Sometimes software benefits from a rewrite with modern programming practices and hard-earned experience. – trognanders Jul 13 '17 at 07:25

2 Answers

19

HTTP/2 is a way more complex and new protocol than HTTP/1.x and thus bugs are at least initially more likely. In fact a simple search shows several implementation problems and also some new or updated attack vectors due to the changed design of HTTP/2.

> The WAF might not work with HTTP2 because it doesn't support the protocol

This is probably less of a problem. A WAF is usually either integrated into the HTTP stack of the server or is an active component with its own HTTP stack. Due to the way HTTP/2 is designed, an implicit downgrade to HTTP/1.x will happen if the server or WAF does not support HTTP/2. This is also true for proxies and other active components.

It will be a problem for purely passive inspection as done in some Intrusion Detection Systems or firewalls. But a purely passive inspection has problems with inspection of TLS traffic anyway and HTTP/2 is only used together with TLS. If instead the passive inspection is augmented with SSL interception then usually a downgrade to HTTP/1.x will happen again unless the SSL interception explicitly or unknowingly forwards the ALPN TLS extension to the HTTP/2 server during SSL interception.

Steffen Ullrich
  • OK, so the WAF won't stop working, because it will downgrade. But does that mean you won't get the benefits of http/2 either, because it downgraded to 1.1 anyway? – Adam Jul 12 '17 at 14:20
  • @Adam: exactly - you get neither the problems nor the benefits if downgrading. – Steffen Ullrich Jul 12 '17 at 14:33
15

It depends on your perspective.

If you are looking at it from the perspective of a website maintainer and caretaker, your two concerns are valid: HTTP/2 has been out less time than HTTP/1.1, and therefore software that speaks the protocol has had less time to mature. To the point, I would expect the combination of HTTP/2 and WAF to be a bumpy road at the moment. Also, getting information and outsourcing security hardening for HTTP/2 is going to be more difficult than with HTTP/1.1. It should not be impossible though, judging by the number of big sites (like this one) running HTTP/2.

On the other hand, if you are a web platform creator, are intimately familiar with HTTP/2 and happen to be the maintainer of your HTTP/2 edge implementation, then HTTP/2 is slightly more enabling than HTTP/1.1 when it comes to security. For starters, a lot of malware and annoying bots are still running on HTTP/1.1, and that is a strong signal for the security stack. Also, multiplexing makes it easier to track and attribute user-agent behavior. HTTP/2's binary framing eliminates security issues caused by incompatible implementations of HTTP/1.1 chunked-encoding and pipelining.

dsign