Questions tagged [http2]

24 questions
28 votes, 2 answers

What are possible security problems of enabling HTTP2?

I want to enable HTTP2 for several web servers but I'm worried about the possible security implications. I think about something like: HTTP2 implementations are maybe more error prone than mature HTTP1 implementations so for example a zero-day is…
40F4
22 votes, 2 answers

Is there any point in having the HSTS header enabled when using HTTP/2?

As a protection against attacks such as SSLstrip, the HSTS header prevents an attacker from downgrading a connection from HTTPS to HTTP, as long as the attributes of the header are properly configured. However, HTTP/2, whilst not making encryption…
user96649
9 votes, 1 answer

Does HTTP/2 prevent security vulnerabilities like CRLF injection?

Which vulnerabilities does HTTP/2 prevent? More specifically: Does it prevent HTTP request smuggling? Does it prevent HTTP response splitting / CRLF injection?
9 votes, 2 answers

Why doesn't the HTTP/2 spec require TLS?

Although no browser implements the full HTTP/2 spec right now, limiting themselves to just the TLS part, there are stories on the internet that this incomplete implementation of the spec is a way of resisting the 'evil' lobbying of mobile…
David Mulder
7 votes, 2 answers

Alternative to client certificate authentication with HTTP/2

We are currently busy improving an Android application which connects to an Azure App Service API using client certificates and a bearer token for authentication over TLS 1.2. We are investigating moving to HTTP/2 for bandwidth & performance…
6 votes, 2 answers

What are the security benefits or risks of HTTP/2?

Since HTTP/2 is starting to get adopted by more and more sites every day, are there any security benefits or known risks regarding HTTP/2?
Bob Ortiz
4 votes, 2 answers

How to MiTM HTTP/2 Traffic

I recently had to MiTM an HTTP/2 connection over TLS and realized there is no MiTM tool out there that fully supports HTTP/2 over TLS, and no articles/blog posts written about this topic. After struggling with this for a while, I decided to post my…
c0mpute
4 votes, 1 answer

What security benefits does ALPN bring to TLS?

I've been recommending Application-Layer Protocol Negotiation (the successor to Next Protocol Negotiation) to people for a while, but recently realised that I actually don't have a concrete example of its security benefits, despite the feature being…
Polynomial
3 votes, 2 answers

Understanding blacklisted ciphers for HTTP2

I've been working on getting HTTP2 support running on an Nginx server for some time now. At this point I'm stuck at selecting ciphers to support. Hopefully you can help me understand this. Before I started with getting HTTP2 to work, I made it a hobby…
Evy Bongers
2 votes, 0 answers

What are NGINX reverse proxy users doing to prevent HTTP Request Smuggling?

Since NGINX does not support sending HTTP/2 requests upstream, what are present NGINX reverse proxy users doing to mitigate the HTTP Request Smuggling vulnerability? I understand that the best way to prevent HTTP Request Smuggling is by sending…
Sai Vishnu
2 votes, 1 answer

Timeless timing attacks and response jitter

I've been researching timeless timing attacks, i.e. timing attacks using concurrency rather than round-trip time. Here is an article by PortSwigger with links to the original article by Van Goethem. Basically it says that if you pack two requests…
wade king
2 votes, 3 answers

Why can't we use POST method for all requests?

It is known that sensitive information should not be transmitted in GET requests, as GET requests will be cached, and POST should be used instead. Why can't we use the POST method for all requests and ignore GET requests? What difficulties/barriers will be…
Jaka
2 votes, 2 answers

Cipher suite selection for compatibility with http/2, and TLS 1.0-1.2

I have been attempting to configure my site to have http/2 support, but I kept having to remove cipher suites because of the blacklist. Eventually, I got the list whittled down sufficiently. The problem, however, is that I only have a cipher suite…
2 votes, 1 answer

Are there strong technical reasons for browsers mandating TLS for http2?

I realise there are similar questions around this topic, however, I think this is sufficiently different/focused not to be a duplicate. I hope it doesn't sound like a soapbox piece. HTTP/2 effectively mandates TLS, since there isn't a mainstream…
Phil Lello
1 vote, 2 answers

CORS clarification

I need some clarifications about the problems that CORS (Cross-Origin Resource Sharing) can cause. Let's suppose that site A.COM has enabled CORS, in particular: Access-Control-Allow-Origin can be set to any website in the HTTP request and it is…
Edge7