Http2 Security Perspective
HTTP/2 - A Security Perspective
Who am I?
• Not a pen-tester <Not-yet/>
• Threat Analysis Engineer
• With NULL since 2009.
• PC Gamer
• https://github.com/sunilkr
• @_badbot
HTTP Trivia
• ISO-OSI Layer?
• Official versions till date?
• Rivaled by?
• How old is HTTP?
HTTP Trivia
• For most of us: HTTP WWW Internet.
HTTP Evolution
• Started by Sir Tim Berners-Lee in 1989.
• Originally designed for transferring HyperText (HTML).
• The intention was to create links between pages; the "Web".
HTTP/0.9
• Never an official version.
• No RFC.
• Specification is only a couple of pages.
• Client requests a HyperText document, Server delivers.
  • Client creates connection.
  • Client sends GET request.
  • Server sends HTML document.
  • Server terminates connection, marking end of message.
• Requests are idempotent.
HTTP/1.0
• RFC 1945 - May 1996.
• HTTP became a true messaging protocol.
• Defined request and response headers.
• Added methods:
  • HEAD
  • POST
• Added support for other media formats (MIME Types).
• Basic Authentication.
HTTP/1.1
RFC 2068 in 1997 (obsoleted by RFC 2616 in 1999)
• Added more methods
  • OPTIONS
  • PUT
  • DELETE
  • TRACE
  • CONNECT
• More status codes
• Reusable connection.
• Virtual Hosts.
• Bandwidth Management.
• Caching.
• Response streaming.
HTTP/1.1
Hyper Text Transfer Protocol
GET /download.html HTTP/1.1
Host: www.ethereal.com
User-Agent: Mozilla/5.0
Accept: text/html;q=0.9
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.ethereal.com/l

HTTP/1.1 200 OK
Date: Thu, 13 May 2004 10:17:12 GMT
Server: Apache
Last-Modified: Tue, 20 Apr 2004 13:17:00 GMT
ETag: "9a01a-4696-7e354b00"
Accept-Ranges: bytes
Content-Length: 18070
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=ISO-8859-1

<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE html…………
Why new HTTP?
• Inadequate use of TCP
  • Not enough data in request/responses.
  • One transaction per round-trip.
• Head of line blocking
  • Some requests may take longer than others.
  • Pipelining issues
  • Few connections per host.
• Bloated HTTP headers
  • Extremely large cookies
  • Headers are not compressed.

Host: cat.hk.as.criteo.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://cas.criteo.com/delivery/afr.php?ptv=9&abp=1&zoneid=388248&cb=84495440049&nodis=1&charset=UTF-8&dc=3&atfr=0&loc=https%3A%2F%2Fvanwilgenburg.wordpress.com%2F2015%2F11%2F22%2Fhow-to-capture-and-decode-http2-traffic-with-wireshark%2F
Cookie: eid=*1Ap7Pr2f7E5MRKE2nWevBcU%2bbUWL%2fuELr2TfCeknIxMre7BHXU6sl2NOQ4xTQMmmcE%2fpP%2f%2bjxgjT58Z7cfzeaEgdxXSV8Qz7wMC5KYLeuAsFgza%2bISy%2bAQqOYhm%2bmQaI%2bshaK0wLrQIDUhYtySDPYgiYB0g7Ncyx%2fbWiN%2fcVQc%2bwBbEN5EVwYHNxqGp16wuoMx%2fBeDaihRV5HTFWsxXUImZAj5bXhai5mB09GzaWh%2brUlJ4Nd7hQdTpiZwm3faLd2YHKH1z9ApJQo%2bwpaeZ0Us6%2ffjHcleA6Qit5aTkR1HVNbtGU1kaSQarbWS5GGv0k5wp0lkudhKVcSSp4VZQQPoF%2b1R1RM%2bObYZ%2fx71VmxY2iBV9wQLRK7byMp%2fuPDnog7; udc=*1LbahqkXZ3D4c7uvf%2fuPM6w%3d%3d; zdi=*1b4U4KpFuuqNUwsFewyLzxQ%3d%3d; uid=c0789c78-f944-4ff1-a605-515e662a5088; __gads=ID=31ee0d4ce58ad5f9:T=1475937455:S=ALNI_MYSo0crwSD7kqO6l4QkHSG463W3Fw
Connection: keep-alive
The big problem of Latency
Solving the Latency problem
• Spriting
  • Partial images.
• Inlining
  • data URI.
• Concatenation
  • One big file.
• Sharding
  • Multiple Virtual Hosts
Drawbacks of these workarounds:
• Cache-invalidation issues.
• More data transferred than actually required.
• Development mess.
• Browsers need to wait more.
• Server administration issues
HTTP/2 - Overview
• RFC 7540 published on 15th May 2015.
• RFC 7541 defines HPACK.
• Based on SPDY/3.x by Google.
• Retains HTTP/1.x semantics.
• Retains http:// and https:// URL formats.
• Still using TCP.
• No more minor versions; next is HTTP/3.
• Reduces optional parts of HTTP.
HTTP/2 - Features
• Binary framing.
• Stream multiplexing.
• Priorities and Dependencies.
• Header compression.
• Server push.
• Flow control.
• Protocol upgrade.
HTTP/2 – Binary framing
• Total frame header (9 bytes)
  • Length (3 bytes)
    • 3-byte (24-bit) unsigned int value.
    • Maximum can be changed by sending SETTINGS_MAX_FRAME_SIZE.
    • Does not include the header length.
  • Type (1 byte)
    • Frame type.
  • Flags (1 byte)
    • Specific to frame type.
  • Stream ID (4 bytes)
    • Reserved (1 bit)
    • ID (31 bits)
• Payload (<length> bytes)
HTTP/2 – Stream Multiplexing
• One packet may carry frames of many streams (multiplexed).
• A stream can be split over multiple packets/frames.
  • CONTINUATION frame.
• A stream has multiple frames
  • HEADERS frame
  • DATA frame
• Frame types:
  • PRIORITY
  • RST_STREAM
  • SETTINGS
  • PUSH_PROMISE
  • PING
  • GOAWAY
  • WINDOW_UPDATE
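As an added example (not from the slides), here is a small Python parser for the 9-byte frame header described on the Binary framing slide, extended to walk several back-to-back frames the way they arrive multiplexed in one TCP segment; the SETTINGS_MAX_FRAME_SIZE check is the FRAME_SIZE_ERROR condition a receiver enforces before buffering a payload. The sample bytes are constructed for the example.

```python
import struct

# Frame type codes from RFC 7540 section 6 (lookup table built for this example).
FRAME_TYPES = {0x0: "DATA", 0x1: "HEADERS", 0x2: "PRIORITY", 0x3: "RST_STREAM",
               0x4: "SETTINGS", 0x5: "PUSH_PROMISE", 0x6: "PING", 0x7: "GOAWAY",
               0x8: "WINDOW_UPDATE", 0x9: "CONTINUATION"}
DEFAULT_MAX_FRAME_SIZE = 1 << 14  # 16384: initial SETTINGS_MAX_FRAME_SIZE value


def parse_frame_header(buf, max_frame_size=DEFAULT_MAX_FRAME_SIZE):
    """Decode the 9-byte frame header at the start of buf.

    Returns (length, type_name, flags, stream_id, reserved_bit). A declared
    payload length above the negotiated SETTINGS_MAX_FRAME_SIZE is a
    FRAME_SIZE_ERROR, so it is rejected here instead of being buffered.
    """
    if len(buf) < 9:
        raise ValueError("truncated frame header")
    length = (buf[0] << 16) | (buf[1] << 8) | buf[2]  # 24-bit, excludes the 9 header bytes
    ftype, flags = buf[3], buf[4]
    raw_id = struct.unpack("!I", buf[5:9])[0]
    reserved = raw_id >> 31           # 1 reserved bit (ignored on receipt)
    stream_id = raw_id & 0x7FFFFFFF   # 31-bit stream identifier
    if length > max_frame_size:
        raise ValueError(f"payload {length} exceeds SETTINGS_MAX_FRAME_SIZE {max_frame_size}")
    type_name = FRAME_TYPES.get(ftype, f"UNKNOWN(0x{ftype:02x})")
    return length, type_name, flags, stream_id, reserved


def split_frames(buf, max_frame_size=DEFAULT_MAX_FRAME_SIZE):
    """Walk back-to-back frames in one byte string (several streams multiplexed
    into one TCP segment) and return (type_name, flags, stream_id, payload) per frame."""
    frames, pos = [], 0
    while pos < len(buf):
        length, name, flags, sid, _ = parse_frame_header(buf[pos:pos + 9], max_frame_size)
        payload = buf[pos + 9:pos + 9 + length]
        if len(payload) < length:
            raise ValueError("truncated frame payload")
        frames.append((name, flags, sid, payload))
        pos += 9 + length
    return frames


# Constructed sample: an empty SETTINGS frame on stream 0, then a HEADERS frame
# on stream 1 with flags END_STREAM|END_HEADERS (0x05) whose 3-byte payload is
# the HPACK block 82 86 84 (:method GET, :scheme http, :path /).
SAMPLE = (bytes.fromhex("000000" "04" "00" "00000000")
          + bytes.fromhex("000003" "01" "05" "00000001") + bytes.fromhex("828684"))
```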
HTTP/2 – Priorities & Dependencies
• Responses may not be served in the order of requests.
• Creates a dependency tree and assigns weights.
• Prioritizes streams based on weight.
HTTP/2 – Header Compression
• HPACK (RFC 7541)
• Pseudo-headers
• Uses 2 tables to map headers to indexes and preserve ordering
  • Static Table
    • Used to index a fixed list of standard headers.
  • Dynamic Table
    • Used to index custom/non-standard headers
• Strings and integer values are represented differently to save space.
• Can use Huffman coding for encoding actual values.

Example request headers:
:method: GET
:scheme: http
:path: /
:authority: www.example.com

| Byte(s) | Decoding | Value |
|---|---|---|
| 82 | Indexed - Add (idx = 2) | :method: GET |
| 86 | Indexed - Add (idx = 6) | :scheme: http |
| 84 | Indexed - Add (idx = 4) | :path: / |
| 41 | Literal indexed, indexed name (idx = 1) | :authority |
| 0f | Literal value (len = 15) | 15 |
| 7777 772e 6578 616d 706c 652e 636f 6d | Literal string (15 octets) | www.example.com |

Encoded header block (hex, as shown on the slide): 8286 8441 0f77 7777 2e65 7861 6d70 6c65
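The decoding table above, worked through in Python as an added example (not from the slides): it implements the HPACK integer and string-literal rules and the two field representations the sample uses, plus a cap on the decoded header-list size, which is the defence the later Security slide's "HPACK Bomb" and "Limits on HEADERS block size" entries refer to. The static-table subset, the max_list_size value and the sample bytes are assumptions made for the example.

```python
# Subset of the HPACK static table (indexes from RFC 7541 Appendix A) covering the
# entries this example needs; a real decoder carries all 61 rows.
STATIC = {1: (":authority", ""), 2: (":method", "GET"), 4: (":path", "/"), 6: (":scheme", "http")}
STATIC_SIZE = 61  # dynamic-table entries are addressed from index 62 upwards

def decode_int(buf, pos, prefix_bits):
    """HPACK integer (RFC 7541 5.1): N-bit prefix, then 7-bit continuation octets."""
    mask = (1 << prefix_bits) - 1
    value, pos, shift = buf[pos] & mask, pos + 1, 0
    while value >= mask and (shift == 0 or buf[pos - 1] & 0x80):  # MSB set: more octets
        value += (buf[pos] & 0x7F) << shift
        shift, pos = shift + 7, pos + 1
    return value, pos

def decode_string(buf, pos):
    """String literal (RFC 7541 5.2): H bit + 7-bit length prefix, then raw octets.
    Huffman-coded strings (H = 1) are out of scope for this example."""
    if buf[pos] & 0x80:
        raise NotImplementedError("Huffman-coded literal")
    length, pos = decode_int(buf, pos, 7)
    return buf[pos:pos + length].decode("ascii"), pos + length

def lookup(idx, dynamic):
    return STATIC[idx] if idx <= STATIC_SIZE else dynamic[idx - STATIC_SIZE - 1]

def decode_header_block(buf, max_list_size=4096):
    """Decode indexed (1xxxxxxx) and literal-with-incremental-indexing (01xxxxxx)
    fields. max_list_size caps the decoded size (entry size as in RFC 7541 4.1), so
    a tiny wire block that expands into a huge header list is rejected early."""
    headers, dynamic, pos, total = [], [], 0, 0
    while pos < len(buf):
        octet = buf[pos]
        if octet & 0x80:
            idx, pos = decode_int(buf, pos, 7)
            name, value = lookup(idx, dynamic)
        elif (octet & 0xC0) == 0x40:
            idx, pos = decode_int(buf, pos, 6)
            name, pos = (lookup(idx, dynamic)[0], pos) if idx else decode_string(buf, pos)
            value, pos = decode_string(buf, pos)
            dynamic.insert(0, (name, value))  # newest entry takes the lowest dynamic index
        else:
            raise NotImplementedError("literal without indexing / table-size update")
        total += len(name) + len(value) + 32
        if total > max_list_size:
            raise ValueError("decoded header list exceeds max_list_size")
        headers.append((name, value))
    return headers

# The slide's example header block, written out as constructed sample bytes.
SAMPLE_BLOCK = bytes.fromhex("828684410f7777772e6578616d706c652e636f6d")
```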
HTTP/2 – Server Push
• Server sends data even before the client requests it.
• Client holds the extra data in cache.
• Server sends a PUSH_PROMISE frame identifying the pushed stream.
  • HEADERS frame of the pushed stream is not like usual response headers.
  • Contains :path of the pushed stream's DATA.
• Client can reject pushed data.
  • RST_STREAM.
HTTP/2 – Protocol Upgrade
• NPN (Next Protocol Negotiation)
  • Designed for SPDY.
  • Server's offer, Client's choice.
  • Over TLS only.
• ALPN (Application Layer Protocol Negotiation)
  • HTTP/2 official.
  • Client's offer, Server's choice.
  • Part of TLS handshake.
• Upgrade header (Upgrade: h2c)
  • To be used on un-encrypted HTTP.
  • Requires 1 extra roundtrip.
HTTP/2 - Security
• Promoted TLS
  • Minimum TLS version 1.2.
  • Blacklisted Cipher-Suites.
  • Minimum key-size requirement.
  • No TLS renegotiation.
• Cross-protocol attacks
  • TLS+ALPN.
  • Not much in plain text.
• Intermediary Encapsulation Attacks
  • Invalid header names/values should result in an invalid request.
• Context aware compression.
  • BREACH/CRIME
• Frame Padding
  • BREACH/CRIME
HTTP/2 – Security/2
• Huge rework for WAFs
  • HTTP/2 is binary.
  • Can use a proxy to translate to HTTP/1.1 traffic.
• Opportunistic encryption
  • Alt-Svc header.
• Connection Reuse
  • Action correlation.
• Caching of server push
• Limits on HEADERS block size
• Denial of Service
  • Slow Read (CVE-2016-1546)
  • HPACK Bomb (CVE-2016-1544, CVE-2016-2525)
  • Dependency Cycle Attack (CVE-2015-8659)
  • Stream Multiplexing Abuse (CVE-2016-0150)
The Future : QUIC
• Quick UDP Internet Connections
  • TCP + TLS + HTTP/2 over UDP
  • Long term enhancements to TCP
• No more 3-way handshake.
• Reduced Round Trip.
• Connection Migration.
• Proactive speculative retransmission.
• Automatic fallback to TCP.
You have a question!?
All images are found via Google search. They belong to their respective owners.