"Look at all the security devices that exist between clients and servers -- web gateways, intrusion prevention devices, firewalls and so on -- they are supposed to analyze web traffic, and determine if it's malicious or not," he said. "My concern is that they're not adapted yet to HTTP/2."
That means that enterprises might no longer be able to effectively scan HTTP/2 traffic, both inbound connections that might be delivering malware and outbound connections exfiltrating critical data.
Some vendors are already offering solutions that work around HTTPS and SSL encryption, he said. But the changes that come with HTTP/2 are on a more fundamental level.
"It allows multiplexed sessions, and sending files as content and resources, that are difficult for the security product to reassemble and run through an anti-virus engine," he said. "They will lose the thread of the session and not be aware of the content that is going through."
Solving this problem isn't going to be easy. Vendors will have to update their products to handle HTTP/2, and there are a lot of products out there.
"And even if it's introduced in some updated version, sometimes customers don't want to upgrade -- sometimes the upgrade cycles can take years," Guzner said. "It can become a big security hole and it's a big concern."
He recommends that enterprises run tests first to see whether they are able to inspect HTTP/2 traffic with their current systems, and, if not, they might want to wait.
"Maybe they don't want to allow HTTP/2 just yet," he said. "Most of the internet is not supporting HTTP/2 yet, and even the sites that are, will fall back to HTTP/1.1. You can disable HTTP/2 and still experience the internet -- maybe without some of the performance gain, but at least it will be secure."
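The test Guzner recommends starts with knowing which TLS sessions on the network actually negotiated HTTP/2, since that is where inspection devices may be blind and where a fallback to HTTP/1.1 should be visible after HTTP/2 is disabled. The following is an added example, not code from the article or from Imperva: it parses the ALPN extension of a TLS ServerHello to report the protocol the server selected, and the ServerHello bytes it operates on are constructed samples, not captured traffic.

```python
import struct
from typing import Optional

ALPN_EXT = 0x0010  # TLS extension type for ALPN (RFC 7301)


def build_server_hello(alpn: Optional[bytes]) -> bytes:
    """Constructed sample: a minimal TLS 1.2 ServerHello record, optionally
    carrying one ALPN selection. It only supplies input for the detector."""
    exts = b""
    if alpn is not None:
        proto_list = bytes([len(alpn)]) + alpn
        ext_data = struct.pack("!H", len(proto_list)) + proto_list
        exts = struct.pack("!HH", ALPN_EXT, len(ext_data)) + ext_data
    body = (b"\x03\x03" + b"\x00" * 32          # version, zeroed random (constructed)
            + b"\x00"                            # empty session id
            + b"\xc0\x2f" + b"\x00"              # cipher suite, null compression
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body   # type 2 = ServerHello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def negotiated_alpn(record: bytes) -> Optional[str]:
    """Return the ALPN protocol a ServerHello selected ("h2", "http/1.1", ...),
    or None when the record is not a ServerHello or carries no ALPN extension."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x02:
        return None
    pos = 43                                  # record hdr (5) + hs hdr (4) + version (2) + random (32)
    sid_len = record[pos]
    pos += 1 + sid_len + 3                    # session id, cipher suite (2), compression (1)
    if pos + 2 > len(record):
        return None
    ext_len = struct.unpack_from("!H", record, pos)[0]
    pos += 2
    end = min(pos + ext_len, len(record))
    while pos + 4 <= end:
        etype, elen = struct.unpack_from("!HH", record, pos)
        pos += 4
        if etype == ALPN_EXT and elen >= 3 and pos + 3 <= end:
            n = record[pos + 2]               # length of the single selected protocol
            return record[pos + 3: pos + 3 + n].decode("ascii", "replace")
        pos += elen
    return None


def count_h2(records) -> int:
    """Inventory helper: how many ServerHello records negotiated HTTP/2."""
    return sum(1 for r in records if negotiated_alpn(r) == "h2")
```

Run over ServerHello records extracted from a packet capture, `count_h2` gives a quick count of sessions the inspection path may not be reassembling, and a drop to zero confirms the HTTP/1.1 fallback once HTTP/2 is switched off.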
HTTP/2 poses other risks to enterprises as well, beyond the issue of visibility into internet traffic. Several vulnerabilities have already been discovered, all related to distributed denial of service attacks. They include the Slow Read, the HPACK Bomb, the Dependency Cycle Attack, and the Stream Multiplexing Abuse vulnerability.
The company reported all the vulnerabilities to vendors, and they have all been fixed, said Itsik Mantin, the company's director of security research.
"The protocol itself, the way HTTP/2 is explained and specified in the standard, is OK," he said. "There is no problem there. The problem is in the implementations."
Imperva looked at the major web servers, including Apache, IIS, Jetty, Nghttpd and Nginx, and found that each one was vulnerable to at least one attack.