
HTTP/2 promises better performance -- but with security caveats

Maria Korolov | Dec. 19, 2016
No security problems have been found in the HTTP/2 protocol itself, but it's worth waiting for everything to shake out.

"Look at all the security devices that exist between clients and servers -- web gateways, intrusion prevention devices, firewalls and so on -- they are supposed to analyze web traffic, and determine if it's malicious or not," he said. "My concern is that they're not adapted yet to HTTP/2."

That means that enterprises might no longer be able to effectively scan HTTP/2 traffic, both inbound connections that might be delivering malware and outbound connections exfiltrating critical data.

Some vendors are already offering solutions that work around HTTPS and SSL encryption, he said. But the changes that come with HTTP/2 are on a more fundamental level.

"It allows multiplexed sessions, and sending files as content and resources, that are difficult for the security product to reassemble and run through an anti-virus engine," he said. "They will lose the thread of the session and not be aware of the content that is going through."

Solving this problem isn't going to be easy. Vendors will have to update their products to handle HTTP/2, and there are a lot of products out there.
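The reassembly problem described above, as an added illustration that is not code from the article or from any product it mentions: a minimal HTTP/2 DATA-frame demultiplexer that regroups interleaved, optionally padded frames by stream so each stream's body can be handed to a scanner as one object. The 9-byte frame layout and the PADDED/END_STREAM flags follow RFC 7540; the sample frames are constructed here, and the `build_data_frame` helper exists only to produce them.

```python
import struct
from collections import defaultdict

# HTTP/2 frame layout (RFC 7540 section 4.1): 9-byte header followed by the payload.
FRAME_HEADER_LEN = 9
TYPE_DATA = 0x0
FLAG_END_STREAM = 0x1
FLAG_PADDED = 0x8

def build_data_frame(stream_id, payload, end_stream=False, pad_len=None):
    """Encode one DATA frame; used here only to construct sample traffic."""
    flags = FLAG_END_STREAM if end_stream else 0
    body = payload
    if pad_len is not None:
        flags |= FLAG_PADDED
        body = bytes([pad_len]) + payload + b"\x00" * pad_len
    header = (struct.pack(">I", len(body))[1:] + bytes([TYPE_DATA, flags])
              + struct.pack(">I", stream_id & 0x7FFFFFFF))
    return header + body

def iter_frames(data):
    """Yield (type, flags, stream_id, payload) for each complete frame in the buffer."""
    off = 0
    while off + FRAME_HEADER_LEN <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        start = off + FRAME_HEADER_LEN
        if start + length > len(data):
            break  # truncated frame: a real inspector would wait for more bytes
        yield ftype, flags, stream_id, data[start:start + length]
        off = start + length

def reassemble_streams(data):
    """Group DATA payloads by stream id, stripping padding. Returns {stream_id: (body, complete)}."""
    bodies, done = defaultdict(bytearray), set()
    for ftype, flags, sid, payload in iter_frames(data):
        if ftype != TYPE_DATA:
            continue  # HEADERS and other frame types are out of scope for this example
        if flags & FLAG_PADDED:
            pad = payload[0]
            if pad >= len(payload):  # RFC 7540: padding >= payload length is a PROTOCOL_ERROR
                raise ValueError(f"stream {sid}: pad length exceeds frame payload")
            payload = payload[1:len(payload) - pad]
        bodies[sid] += payload
        if flags & FLAG_END_STREAM:
            done.add(sid)
    return {sid: (bytes(b), sid in done) for sid, b in bodies.items()}

# Constructed sample: two responses interleaved on one connection, as a multiplexing
# server would send them (stream 1 uses padding, both streams arrive in two pieces).
SAMPLE = (build_data_frame(1, b"%PDF-1.4 ", pad_len=4) + build_data_frame(3, b"<html>")
          + build_data_frame(1, b"%%EOF", end_stream=True)
          + build_data_frame(3, b"</html>", end_stream=True))
```

A scanner that looks only at individual TCP segments sees the four fragments out of order; `reassemble_streams(SAMPLE)` returns the two complete bodies keyed by stream id.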

"And even if it's introduced in some updated version, sometimes customers don't want to upgrade -- sometimes the upgrade cycles can take years," Guzner said. "It can become a big security hole and it's a big concern."

He recommends that enterprises run tests first to see whether they are able to inspect HTTP/2 traffic with their current systems, and, if not, they might want to wait.

"Maybe they don't want to allow HTTP/2 just yet," he said. "Most of the internet is not supporting HTTP/2 yet, and even the sites that are, will fall back to HTTP/1.1. You can disable HTTP/2 and still experience the internet -- maybe without some of the performance gain, but at least it will be secure."

New vulnerabilities

HTTP/2 poses other risks to enterprises as well, beyond the issue of visibility into internet traffic. Several vulnerabilities have already been discovered, all related to distributed denial of service attacks. They include the Slow Read, the HPACK Bomb, the Dependency Cycle Attack, and the Stream Multiplexing Abuse vulnerability.

Security firm Imperva presented a report about HTTP/2 security vulnerabilities at Black Hat this summer.

The company reported all the vulnerabilities to vendors, and they have all been fixed, said Itsik Mantin, the company's director of security research.

"The protocol itself, the way HTTP/2 is explained and specified in the standard, is OK," he said. "There is no problem there. The problem is in the implementations."

Imperva looked at the major web servers, including Apache, IIS, Jetty, Nghttpd and Nginx, and found that each one was vulnerable to at least one attack.
