{"id":2915,"date":"2016-08-12T14:53:37","date_gmt":"2016-08-12T14:53:37","guid":{"rendered":"https:\/\/www.thesslstore.com\/blog\/?p=2915"},"modified":"2016-08-12T14:57:04","modified_gmt":"2016-08-12T14:57:04","slug":"vulnerabilities-http2","status":"publish","type":"post","link":"https:\/\/www.thesslstore.com\/blog\/vulnerabilities-http2\/","title":{"rendered":"Vulnerabilities in HTTP\/2 Provide Invaluable Insight"},"content":{"rendered":"<h2>Finding vulnerabilities in HTTP\/2 makes the new standard more secure.<\/h2>\n<p>HTTP is the foundation of the web. It\u2019s the technical protocol that facilitates communication between your web browser and the sites you visit. It\u2019s also nearly 20 years old\u2014that\u2019s ancient by internet standards.<\/p>\n<p>In May 2015, work was finalized on HTTP\/2, the first major upgrade to the protocol in over a decade. It brings with it huge advances in technology that will make the web faster, more efficient, and just plain better.<\/p>\n<p>Since HTTP\/2 was finalized last year, a lot of groundwork for implementing this new standard has been laid: All the major web browsers now support the protocol, as do most major web servers. Even CDNs and network appliances, commonly used with larger sites and networks, now support it.<\/p>\n<p>That means HTTP\/2 is ready for prime-time, right?<\/p>\n<p>Not quite.<\/p>\n<p>New research presented by Imperva, a cyber security company, has found a number of vulnerabilities in HTTP\/2 implementations that should give us pause. The research, conducted by Imperva\u2019s Defense Center, found four major vulnerabilities In the HTTP\/2 implementation of the most popular web servers, including Apache, Microsoft\u2019s IIS, and NGINX.<\/p>\n<p>Currently, HTTP\/2 is already in use amongst 18.5% of the Alexa Top Million websites<a href=\"#_ftn1\" name=\"_ftnref1\">[1]<\/a>. But there is a long way between early technology adopters like Google and Facebook and deployment across the entire web.<\/p>\n<p>Frankly, there is a reason that the entire web does not immediately implement a new technology as soon as it becomes available \u2013 problems are expected.<\/p>\n<p>Implementing new protocols means making new mistakes (and making old mistakes in new ways), and the code has not had a chance to be properly battle-tested under real-world conditions. These factors mean new software likely contains at least a few vulnerabilities.<\/p>\n<h2>The Curious Process of Implementing Standards<\/h2>\n<p>It took over three years and 17 drafts to finalize the HTTP\/2 specification, so why are we already finding problems with it?<\/p>\n<p>Because even a bullet-proof standard is only as good as the implementations of it.<\/p>\n<p>Internet standards are only guidelines and rules on how things should be done \u2013 not actual code that can do them. From a technical standpoint, it would be almost impossible for internet standards to provide actual working code, due to the number of programming languages out there, not to mention how that code would integrate into existing systems and the legal implications of distribution.<\/p>\n<p>This means successful implementation of new technologies, like HTTP\/2, are contingent on developers understanding the standard. The HTTP\/2 specification is nearly 100 pages long \u2013 and those are dense pages \u2013 so it\u2019s not surprising that mistakes happen.<\/p>\n<p>Now think about the fact that hundreds (maybe even thousands) of developers around the world are all individually working on the implementations for their software. All it takes is for one major product to get something wrong and suddenly millions of users at risk.<\/p>\n<p>Due to the complexity of the web, \u201cvendors alone cannot make a new protocol secure, it takes the full strength of the security industry to harden the extended attack surface\u201d<a href=\"#_ftn2\" name=\"_ftnref2\">[2]<\/a> The push and pull of new capabilities, and from those, new vulnerabilities, is part of the natural evolution of technologies. When we hear about vulnerabilities, our immediate reaction is that something must be wrong. But in reality, the discovery of these problems is evidence that the web ecosystem is working \u2013 that vendors aren\u2019t releasing software and products without independent review, that new standards are constantly studied, critiqued, and improved.<\/p>\n<h2>Vulnerabilities in HTTP\/2 and new technology<\/h2>\n<p>\u201cNew technology brings new risk,&#8221; Imperva stated in its official report. &#8220;As with any new technology, HTTP\/2 suffers from creating new extended attack surfaces for attackers to target.\u201d<\/p>\n<p>Despite the fact that HTTP\/2 is an improvement, it still isn\u2019t perfect. Imperva found four server-side vulnerabilities in HTTP\/2 implementations of major web server software.\u00a0 These vulnerabilities impacted some of the core improvements of HTTP\/2 including multiplexing and HPACK.<\/p>\n<p>These vulnerabilities were found so early on because they were the most obvious. In fact, the HTTP\/2 standard specifically warned about the potential for improper implementation \u2013 which told Imperva\u2019s team exactly where to start looking.<\/p>\n<p>All four of these vulnerabilities overwhelm the target servers in different ways. This can considerably slow a website\u2019s performance, or entirely bring it offline. However, the vulnerabilities cannot compromise data stored on the server.<\/p>\n<p>The <em>Slow Read <\/em>vulnerability sends requests to the server which it can\u2019t resolve, causing them to stay open and make resources unavailable for other visitors. The three other attacks, which don\u2019t have formal names, cause similar unresponsiveness \u2013 and can be used to <a href=\"https:\/\/www.thesslstore.com\/blog\/everything-you-ever-wanted-to-know-about-dosddos-attacks\/\">DDoS a server<\/a> or fill a server\u2019s available memory, causing it to crash.<\/p>\n<p>But, luckily we have no reason to worry \u2013 Imperva worked with vendors and the affected software is already patched. These vulnerabilities pose no threat to the internet \u2013 and their significance is in their insight to the adoption of technology, not their capacity to do harm.<\/p>\n<h2>There\u2019s (Usually) Nothing to Fear<\/h2>\n<p>Don\u2019t be scared next time you hear about a vulnerability. It is true \u2013 many vulnerabilities have the capacity to cause real damage, and malicious computer attacks cost the global economy billions of dollars a year. However tons of vulnerabilities get patched through responsible disclosure before the public even hears about it, and others, while technically dangerous have never been documented in use.<\/p>\n<p>But every vulnerability, the truly harmful and the harmless, show us that the technology community is working well.<\/p>\n<p>&nbsp;<\/p>\n<p><a href=\"#_ftnref1\" name=\"_ftn1\">[1]<\/a> http:\/\/isthewebhttp2yet.com\/measurements\/adoption.html<\/p>\n<p><a href=\"#_ftnref2\" name=\"_ftn2\">[2]<\/a> Pg.2<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Finding vulnerabilities in HTTP\/2 makes the new standard more secure. HTTP is the foundation of the web. It\u2019s the technical protocol that facilitates communication between your web browser and the&#8230;<\/p>\n","protected":false},"author":2,"featured_media":2916,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":"","tve_updated_post":"","tve_custom_css":"","tve_user_custom_css":"","tve_globals":{},"tcb2_ready":0,"tcb_editor_enabled":0,"tve_landing_page":"","_tve_header":"","_tve_footer":""},"categories":[16],"tags":[175,146,176,174],"class_list":["post-2915","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hashing-out-cyber-security","tag-cybersecurity","tag-http2","tag-imperva","tag-vulnerabilities","post-with-tags"],"views":5908,"jetpack_featured_media_url":"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2016\/08\/iStock_91727029_SMALL.jpg","_links":{"self":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/2915","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/comments?post=2915"}],"version-history":[{"count":0,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/2915\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media\/2916"}],"wp:attachment":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media?parent=2915"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/categories?post=2915"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/tags?post=2915"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}