Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

HTTP/2 promises better performance -- but with security caveats

Maria Korolov | Dec. 19, 2016
No security problems have been found in the HTTP/2 protocol itself, it's worth waiting for everything to shake out

"In some cases, it is sufficient to just send a single request to crush the server," he said.

That means that attackers don't need an army of infected machines to act as relays or magnifying relays.

"You can mount an attack with a single laptop," he said.

And even though the vulnerabilities have all been fixed, it doesn't mean that all the Web servers have installed the patches.

"From what we know about the history of web servers, many servers are probably still unpatched," he said. "Patching has a cost. Owners have to know that there is a problem, they have to be notified, they have to get the patched version, evaluate the impact on their servers, so not all of them are rushing to install the patches."

For companies that need to upgrade to HTTP/2 and run their own web servers and can't keep the patches up to date, he suggested using a web application firewall that protects against the new vulnerabilities as they are discovered.

Most of the major vendors, he said, offer this functionality, as does Imperva.

Adoption moving along at a decent pace

Although 11 percent might seem like a low adoption rate, the new protocol is actually doing well given that HTTP/2 only came out in early 2015.

All the major PC and mobile browsers now support it.

So do many top websites, even though high-traffic sites tend to be operated by large, inertia-driven organizations, said Stephen Ludin, chief architect for Web experience engineering at Akamai Technologies.

"Some very large sites, like Google and Twitter, are all using HTTP/2," he said.

The main driver for upgrading is performance, he added.

"We have seen performance range from zero percent improvement to 30, 40 even 50 percent," he said. "The average is around 10 percent or so."

He also recommended that companies take their time before upgrading to HTTP/2.

"There's no need to flip the switch and one day switch over to HTTP/2," he said. "Do some A/B testing. Take your time."

Web site developers might want to work on architectural changes to take full advantage of HTTP/2, he added.

Companies that use CDN services like Akamai's and Limelight's get a leg up, since the CDN takes care of all the implementation details.

"Our participation alone has had a dramatically positive effect on HTTP/2 adoption," said Ludin. "We are the front end for our customers, so they don't need to do anything on their own to support HTTP/2. It's just a matter of going to your Akamai configuration and flicking it on."

He added that Akamai has been involved since the very early days of HTTP/2.

"We had early implementations of it and were one of the first CDNs to have it out there in the wild," he said.


Previous Page  1  2  3 

Sign up for Computerworld eNewsletters.