Questions tagged [http2]
24 questions
28
votes
2 answers
What are possible security problems of enabling HTTP2?
I want to enable HTTP2 for several web servers but I'm worried about the possible security implications. I think about something like:
HTTP2 implementations are maybe more error prone than mature HTTP1 implementations so for example a zero-day is…
40F4
- 932
- 6
- 16
22
votes
2 answers
Is there any point in having the HSTS header enabled when using HTTP/2?
As a protection against attacks such as SSLstrip, the HSTS header prevents an attacker from downgrading a connection from HTTPS to HTTP, as long as the attributes of the header are properly configured.
However, HTTP/2, whilst not making encryption…
user96649
- 363
- 2
- 8
9
votes
1 answer
Does HTTP/2 prevent security vulnerabilites like CRLF injection?
Which vulnerabilites does HTTP/2 prevent?
More specifically:
Does it prevent HTTP request smuggling?
Does it prevent HTTP response splitting / CRLF injection?
Machine Yadav
- 153
- 7
9
votes
2 answers
Why doesn't the HTTP/2 spec require TLS?
Although no browser implements the full HTTP/2 spec right now limiting themselves to just the TLS part there are stories on the internet that this incomplete implementation of the spec is a way of resisting against the 'evil' lobbying of mobile…
David Mulder
- 1,349
- 1
- 8
- 16
7
votes
2 answers
Alternative to client certificate authentication with HTTP/2
We are currently busy improving an Android application with connects to an Azure App Service API using client certificates and bearer token for authentication over TLS 1.2.
We are investigating moving to HTTP/2 for bandwidth & performance…
Preben Huybrechts
- 173
- 4
6
votes
2 answers
What are the security benefits or risks of HTTP/2?
Since HTTP/2 is starting to get adopted by more and more sites everyday. Are there any security benefits or known risks regarding HTTP/2?
Bob Ortiz
- 6,234
- 8
- 43
- 90
4
votes
2 answers
How to MiTM HTTP/2 Traffic
I recently had to MiTM an HTTP/2 connection over TLS and realized there is no MiTM tool out there that fully supports HTTP/2 over TLS, and no articles/blog posts written about this topic. After struggling with this for a while, I decided to post my…
c0mpute
- 81
- 4
4
votes
1 answer
What security benefits does ALPN bring to TLS?
I've been recommending Application-Layer Protocol Negotiation (the successor to Next Protocol Negotiation) to people for a while, but recently realised that I actually don't have a concrete example of its security benefits, despite the feature being…
Polynomial
- 132,208
- 43
- 298
- 379
3
votes
2 answers
Understanding blacklisted ciphers for HTTP2
I've been working on get HTTP2 support running on an Nginx server for some time now. At this point I'm stuck at selecting ciphers to support. Hopefully you can help me understand this.
Before I started with getting HTTP2 to work, I made it a hobby…
Evy Bongers
- 131
- 1
- 3
2
votes
0 answers
What are NGINX reverseproxy users doing to prevent HTTP Request smuggling?
Since NGINX does not support sending HTTP/2 requests upstream, what are the present NGINX reverseproxy users doing to mitigate HTTP Request Smuggling vulnerability?
I understand that the best way to prevent HTTP Request Smuggling is by sending…
Sai Vishnu
- 21
- 1
2
votes
1 answer
Timeless timing attacks and response jitter
I've been researching timeless timing attacks, ie: timing attacks using concurrency rather than round trip time. Here is an article by portswigger with links to the original article by Van Goethem. Basically it says that if you pack two requests…
wade king
- 123
- 4
2
votes
3 answers
Why can't we use POST method for all requests?
It is known that sensitive information should not be transmitted in GET requests as GET requests will be cached and POST should be used.
Why can't we use POST method for all request and ignoring GET request?
What all difficulties/ barriers will be…
Jaka
- 152
- 1
- 1
- 8
2
votes
2 answers
Cipher suite selection for compatibility with http/2, and TLS 1.0-1.2
I have been attempting to configure my site to have http/2 support, but I kept having to remove cipher suites because of the blacklist. Eventually, I got the list whittled down sufficiently.
The problem, however, is that I only have a cipher suite…
Yet Another User
- 121
- 1
- 4
2
votes
1 answer
Are there strong technical reasons for browsers mandating TLS for http2?
I realise there are similar questions around this topic, however, I think this is sufficiently different/focused not to be a duplicate. I hope it doesn't sound like a soapbox piece.
HTTP/2 effectively mandates TLS, since there isn't a mainstream…
Phil Lello
- 1,122
- 10
- 15
1
vote
2 answers
CORS clarification
I need some clarifications about the problems that CORS (Cross-Origin Resource Sharing) can cause.
Let's suppose that site A.COM has enabled CORS, in particular:
Access-Control-Allow-Origin can be set to any website in the HTTP request and it is…
Edge7
- 130
- 11