5. HTTP Evolution
• Started by Sir Tim Berners-Lee in 1989.
• Originally designed for transferring HyperText (HTML).
• The intention was to create links between pages: the "Web".
6. HTTP/0.9
• Never an official version.
• No RFC.
• Specification is only a couple of pages.
• Client requests a HyperText document, server delivers.
• Client creates connection.
• Client sends GET request.
• Server sends HTML document.
• Server terminates connection marking end of message.
• Requests are idempotent.
7. HTTP/1.0
• RFC 1945 - May 1996.
• HTTP became a true messaging protocol.
• Defined request and response headers.
• Added methods:
• HEAD
• POST
• Added support for other media formats (MIME types).
• Basic Authentication.
8. HTTP/1.1
• RFC 2068 in 1997 (obsoleted by RFC 2616 in 1999).
• Added more methods
• OPTIONS
• PUT
• DELETE
• TRACE
• CONNECT
• More status codes
• Reusable (persistent) connections.
• Virtual Hosts.
• Bandwidth Management.
• Caching.
• Response streaming.
10. Why new HTTP?
• Inadequate use of TCP
  • Requests/responses carry too little data for TCP to ramp up (slow start never finishes).
  • One transaction per round-trip.
• Head of line blocking
  • Some requests take longer than others and block the ones queued behind them.
  • Pipelining issues.
  • Few connections per host.
• Bloated HTTP headers
  • Extremely large cookies.
  • Headers are not compressed.
Host: cat.hk.as.criteo.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://cas.criteo.com/delivery/afr.php?ptv=9&abp=1&zoneid=388248&cb=84495440049&nodis=1&charset=UTF-8&dc=3&atfr=0&loc=https%3A%2F%2Fvanwilgenburg.wordpress.com%2F2015%2F11%2F22%2Fhow-to-capture-and-decode-http2-traffic-with-wireshark%2F
Cookie: eid=*1Ap7Pr2f7E5MRKE2nWevBcU%2bbUWL%2fuELr2TfCeknIxMre7BHXU6sl2NOQ4xTQMmmcE%2fpP%2f%2bjxgjT58Z7cfzeaEgdxXSV8Qz7wMC5KYLeuAsFgza%2bISy%2bAQqOYhm%2bmQaI%2bshaK0wLrQIDUhYtySDPYgiYB0g7Ncyx%2fbWiN%2fcVQc%2bwBbEN5EVwYHNxqGp16wuoMx%2fBeDaihRV5HTFWsxXUImZAj5bXhai5mB09GzaWh%2brUlJ4Nd7hQdTpiZwm3faLd2YHKH1z9ApJQo%2bwpaeZ0Us6%2ffjHcleA6Qit5aTkR1HVNbtGU1kaSQarbWS5GGv0k5wp0lkudhKVcSSp4VZQQPoF%2b1R1RM%2bObYZ%2fx71VmxY2iBV9wQLRK7byMp%2fuPDnog7; udc=*1LbahqkXZ3D4c7uvf%2fuPM6w%3d%3d; zdi=*1b4U4KpFuuqNUwsFewyLzxQ%3d%3d; uid=c0789c78-f944-4ff1-a605-515e662a5088; __gads=ID=31ee0d4ce58ad5f9:T=1475937455:S=ALNI_MYSo0crwSD7kqO6l4QkHSG463W3Fw
Connection: keep-alive
12. Solving the Latency problem
• Spriting
  • Partial images (one large image, cut into pieces).
• Inlining
  • data: URIs.
• Concatenation
  • One big file.
• Sharding
  • Multiple virtual hosts.
Drawbacks of these workarounds:
• Cache-invalidation issues.
• More data transferred than actually required.
• Development mess.
• Browsers need to wait more.
• Server administration issues.
13. HTTP/2 - Overview
• RFC 7540 published on 15th May 2015.
• RFC 7541 defines HPACK (header compression).
• Based on SPDY/3.x by Google.
• Retains HTTP/1.x semantics.
• Retains http:// and https:// URL formats.
• Still using TCP.
• No more minor versions.
• Next is HTTP/3
• Reduces optional parts of HTTP.
14. HTTP/2 - Features
• Binary framing.
• Stream multiplexing.
• Priorities and Dependencies.
• Header compression.
• Server push.
• Flow control.
• Protocol upgrade.
15. HTTP/2 – Binary framing
• Total frame header: 9 bytes.
  • Length (3 bytes)
    • 24-bit unsigned integer.
    • Payload length only; does not include the 9-byte header.
    • Largest accepted value is advertised by the receiver via SETTINGS_MAX_FRAME_SIZE (default 16,384 bytes).
  • Type (1 byte)
    • Frame type.
  • Flags (1 byte)
    • Specific to the frame type.
  • Stream ID (4 bytes)
    • Reserved (1 bit).
    • ID (31 bits).
• Payload (<length> bytes).
16. HTTP/2 – Stream Multiplexing
• One connection (and even one packet) may carry frames from many streams (multiplexed).
• A stream's data can be split over multiple frames, and so over multiple packets.
  • CONTINUATION frame (carries the rest of a header block).
• A stream is made of multiple frames:
  • HEADERS frame.
  • DATA frame.
• Other frame types:
  • PRIORITY
  • RST_STREAM
  • SETTINGS
  • PUSH_PROMISE
  • PING
  • GOAWAY
  • WINDOW_UPDATE
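The frame layout from slide 15 and the multiplexing from slide 16, as an added worked example that is not code from the deck: a small Python parser that reads a sequence of HTTP/2 frames, applies the checks a receiver must make (24-bit length against SETTINGS_MAX_FRAME_SIZE, reserved bit masked off, connection-level frames only on stream 0 and stream-level frames never on stream 0) and then groups frames by stream id. The sample bytes are constructed here with the same builder and are not a capture; the header block inside the HEADERS frame is the one decoded on slide 18; names such as `parse_frames`, `demultiplex` and `rejects` are this example's own.

```python
import struct

FRAME_TYPES = {0x0: "DATA", 0x1: "HEADERS", 0x2: "PRIORITY", 0x3: "RST_STREAM",
               0x4: "SETTINGS", 0x5: "PUSH_PROMISE", 0x6: "PING", 0x7: "GOAWAY",
               0x8: "WINDOW_UPDATE", 0x9: "CONTINUATION"}
CONNECTION_ONLY = {"SETTINGS", "PING", "GOAWAY"}           # RFC 7540: stream id must be 0
STREAM_ONLY = {"DATA", "HEADERS", "PRIORITY", "RST_STREAM", "PUSH_PROMISE", "CONTINUATION"}
DEFAULT_MAX_FRAME_SIZE = 16384    # initial SETTINGS_MAX_FRAME_SIZE (RFC 7540 6.5.2)
HEADER_LEN = 9


class FrameError(ValueError):
    """Connection error a receiver would answer with GOAWAY (FRAME_SIZE_ERROR / PROTOCOL_ERROR)."""


def build_frame(ftype, flags, stream_id, payload):
    """Serialize one frame: 24-bit payload length, type, flags, reserved bit + 31-bit stream id."""
    if len(payload) >= 1 << 24:
        raise FrameError("payload does not fit in the 24-bit length field")
    return (struct.pack(">I", len(payload))[1:]               # low three bytes only
            + bytes([ftype, flags])
            + struct.pack(">I", stream_id & 0x7FFFFFFF)       # reserved bit cleared
            + payload)


def parse_frames(data, max_frame_size=DEFAULT_MAX_FRAME_SIZE):
    """Split a byte string into frames, enforcing the rules a receiver must check."""
    frames, pos = [], 0
    while pos < len(data):
        hdr = data[pos:pos + HEADER_LEN]
        if len(hdr) < HEADER_LEN:
            raise FrameError("truncated frame header")
        length = int.from_bytes(hdr[0:3], "big")              # payload only, header excluded
        ftype, flags = hdr[3], hdr[4]
        stream_id = struct.unpack(">I", hdr[5:9])[0] & 0x7FFFFFFF   # drop the reserved bit
        if length > max_frame_size:
            raise FrameError("FRAME_SIZE_ERROR: %d > SETTINGS_MAX_FRAME_SIZE" % length)
        payload = data[pos + HEADER_LEN:pos + HEADER_LEN + length]
        if len(payload) != length:
            raise FrameError("truncated payload")
        name = FRAME_TYPES.get(ftype, "UNKNOWN")              # unknown types are ignored (RFC 7540 4.1)
        if name in CONNECTION_ONLY and stream_id != 0:
            raise FrameError("PROTOCOL_ERROR: %s on stream %d" % (name, stream_id))
        if name in STREAM_ONLY and stream_id == 0:
            raise FrameError("PROTOCOL_ERROR: %s on stream 0" % name)
        frames.append({"type": name, "flags": flags, "stream": stream_id, "payload": payload})
        pos += HEADER_LEN + length
    return frames


def demultiplex(frames):
    """Group frame types by stream id: the interleaving the slide calls multiplexing."""
    by_stream = {}
    for frame in frames:
        by_stream.setdefault(frame["stream"], []).append(frame["type"])
    return by_stream


def rejects(data):
    """True when parse_frames refuses the input; used to show the checks firing."""
    try:
        parse_frames(data)
        return False
    except FrameError:
        return True


# Constructed sample of one peer's bytes after the connection preface (not a real capture).
HEADER_BLOCK = bytes.fromhex("828684410f7777772e6578616d706c652e636f6d")  # GET http://www.example.com/
SAMPLE = b"".join([
    build_frame(0x4, 0x0, 0, struct.pack(">HI", 0x3, 100)),   # SETTINGS: MAX_CONCURRENT_STREAMS=100
    build_frame(0x1, 0x4, 1, HEADER_BLOCK),                   # HEADERS, stream 1, END_HEADERS
    build_frame(0x1, 0x5, 3, bytes.fromhex("828684be")),      # HEADERS, stream 3, END_STREAM|END_HEADERS
    build_frame(0x0, 0x1, 1, b"hello"),                       # DATA, stream 1, END_STREAM
    build_frame(0x8, 0x0, 0, struct.pack(">I", 65535)),       # WINDOW_UPDATE, connection level
])

if __name__ == "__main__":
    for frame in parse_frames(SAMPLE):
        print(frame["type"], "stream", frame["stream"], "flags", hex(frame["flags"]), len(frame["payload"]), "bytes")
    print(demultiplex(parse_frames(SAMPLE)))
```

Streams 1 and 3 are interleaved on the same byte stream, and stream 1 spans a HEADERS and a DATA frame; the length check is the first line of defence against a peer that announces a 16 MB frame, and the stream-0 rules catch the malformed frames that an HTTP/1.1-era proxy or WAF would never have seen.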
17. HTTP/2 – Priorities & Dependencies
• Responses need not be served in the order the requests were sent.
• The client builds a dependency tree of streams and assigns each a weight.
• The server prioritizes streams based on the tree and the weights.
18. HTTP/2 – Header Compression
• HPACK (RFC 7541)
• Pseudo-headers (:method, :scheme, :path, :authority, :status) replace the request/status line.
• Uses two tables to map headers to indexes and preserve ordering:
  • Static table
    • Fixed list of 61 common header fields (some with values).
  • Dynamic table
    • Per-connection; holds header fields seen earlier, including custom/non-standard ones.
• Strings and integers are represented differently to save space.
• String values can additionally be Huffman-coded.
:method: GET
:scheme: http
:path: /
:authority: www.example.com
Encoded (RFC 7541 Appendix C.3.1): 8286 8441 0f77 7777 2e65 7861 6d70 6c65 2e63 6f6d
Byte(s)                               Decoding                                                   Value
82                                    Indexed header field, static idx 2                         :method: GET
86                                    Indexed header field, static idx 6                         :scheme: http
84                                    Indexed header field, static idx 4                         :path: /
41                                    Literal with incremental indexing, name = static idx 1     :authority
0f                                    Literal value, not Huffman-coded, length = 15              15
7777 772e 6578 616d 706c 652e 636f 6d Literal octets                                             www.example.com
The last field is added to the dynamic table (index 62), so a later request on the same connection can send :authority as a single byte.
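The decoding table above, as an added example that is not part of the deck: a minimal HPACK decoder in Python that reproduces the table and then decodes the follow-up request from the same RFC appendix (C.3.2), which refers back to the dynamic-table entry the first request created. Assumptions: the code is this page's own illustration; Huffman-coded literals are rejected instead of decoded (the Huffman table is omitted); the size limits default to the values a peer would announce in SETTINGS; `decode_or_reject` is a helper name invented here. Bounding the decoded header list size is what stops an encoder from inflating a few indexed bytes into megabytes of headers.

```python
# Minimal HPACK (RFC 7541) decoder: reproduces the table above and shows the dynamic table.
STATIC_TABLE = [  # RFC 7541 Appendix A, indexes 1..61
    (":authority", ""), (":method", "GET"), (":method", "POST"), (":path", "/"),
    (":path", "/index.html"), (":scheme", "http"), (":scheme", "https"),
    (":status", "200"), (":status", "204"), (":status", "206"), (":status", "304"),
    (":status", "400"), (":status", "404"), (":status", "500"),
    ("accept-charset", ""), ("accept-encoding", "gzip, deflate"), ("accept-language", ""),
    ("accept-ranges", ""), ("accept", ""), ("access-control-allow-origin", ""),
    ("age", ""), ("allow", ""), ("authorization", ""), ("cache-control", ""),
    ("content-disposition", ""), ("content-encoding", ""), ("content-language", ""),
    ("content-length", ""), ("content-location", ""), ("content-range", ""),
    ("content-type", ""), ("cookie", ""), ("date", ""), ("etag", ""), ("expect", ""),
    ("expires", ""), ("from", ""), ("host", ""), ("if-match", ""),
    ("if-modified-since", ""), ("if-none-match", ""), ("if-range", ""),
    ("if-unmodified-since", ""), ("last-modified", ""), ("link", ""), ("location", ""),
    ("max-forwards", ""), ("proxy-authenticate", ""), ("proxy-authorization", ""),
    ("range", ""), ("referer", ""), ("refresh", ""), ("retry-after", ""), ("server", ""),
    ("set-cookie", ""), ("strict-transport-security", ""), ("transfer-encoding", ""),
    ("user-agent", ""), ("vary", ""), ("via", ""), ("www-authenticate", ""),
]
ENTRY_OVERHEAD = 32   # RFC 7541 4.1: an entry costs len(name) + len(value) + 32 octets


def decode_int(data, pos, prefix_bits):
    """RFC 7541 5.1 integer with an N-bit prefix; returns (value, next_pos)."""
    mask = (1 << prefix_bits) - 1
    value, pos = data[pos] & mask, pos + 1
    if value < mask:
        return value, pos
    shift = 0
    while True:
        if pos >= len(data):
            raise ValueError("truncated integer")
        b, pos = data[pos], pos + 1
        value += (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value, pos


def decode_string(data, pos):
    """RFC 7541 5.2 string literal: H bit, 7-bit-prefixed length, raw octets."""
    if pos >= len(data):
        raise ValueError("truncated string")
    huffman = bool(data[pos] & 0x80)
    length, pos = decode_int(data, pos, 7)
    raw = data[pos:pos + length]
    if len(raw) != length:
        raise ValueError("truncated string")
    if huffman:
        raise NotImplementedError("Huffman-coded literal; the code table is omitted here")
    return raw.decode("ascii"), pos + length


class HpackDecoder:
    def __init__(self, max_table_size=4096, max_header_list_size=8192):
        self.dynamic = []                     # newest first: index 62 == self.dynamic[0]
        self.settings_max = max_table_size    # our SETTINGS_HEADER_TABLE_SIZE
        self.table_limit = max_table_size     # current limit; the encoder may lower it
        self.max_header_list_size = max_header_list_size  # SETTINGS_MAX_HEADER_LIST_SIZE

    def _evict(self):
        size = lambda: sum(len(n) + len(v) + ENTRY_OVERHEAD for n, v in self.dynamic)
        while self.dynamic and size() > self.table_limit:
            self.dynamic.pop()                # oldest entry leaves first

    def _lookup(self, idx):
        if 1 <= idx <= len(STATIC_TABLE):
            return STATIC_TABLE[idx - 1]
        d = idx - len(STATIC_TABLE) - 1
        if idx == 0 or d >= len(self.dynamic):
            raise ValueError("invalid index %d" % idx)    # index 0 is a decoding error
        return self.dynamic[d]

    def _literal(self, data, pos, name_idx):
        if name_idx == 0:
            name, pos = decode_string(data, pos)
        else:
            name = self._lookup(name_idx)[0]
        value, pos = decode_string(data, pos)
        return name, value, pos

    def decode(self, data):
        headers, pos, list_size = [], 0, 0
        while pos < len(data):
            b = data[pos]
            if b & 0x80:                                   # 1xxxxxxx indexed header field
                idx, pos = decode_int(data, pos, 7)
                name, value = self._lookup(idx)
            elif b & 0x40:                                 # 01xxxxxx literal, incremental indexing
                idx, pos = decode_int(data, pos, 6)
                name, value, pos = self._literal(data, pos, idx)
                self.dynamic.insert(0, (name, value))
                self._evict()
            elif b & 0x20:                                 # 001xxxxx dynamic table size update
                size, pos = decode_int(data, pos, 5)
                if size > self.settings_max:
                    raise ValueError("table size update above SETTINGS_HEADER_TABLE_SIZE")
                self.table_limit = size
                self._evict()
                continue
            else:                                          # 0000xxxx / 0001xxxx literal, not indexed
                idx, pos = decode_int(data, pos, 4)
                name, value, pos = self._literal(data, pos, idx)
            list_size += len(name) + len(value) + ENTRY_OVERHEAD
            if list_size > self.max_header_list_size:      # bound before buffering any more
                raise ValueError("header list exceeds SETTINGS_MAX_HEADER_LIST_SIZE")
            headers.append((name, value))
        return headers


def decode_or_reject(data, **limits):
    """('ok', headers) or ('rejected', reason) using a fresh decoder with the given limits."""
    try:
        return "ok", HpackDecoder(**limits).decode(data)
    except ValueError as err:
        return "rejected", str(err)


# Header blocks from RFC 7541 Appendix C.3: the request decoded above, then a second
# request on the same connection that refers to the :authority entry as dynamic index 62.
REQUEST_1 = bytes.fromhex("828684410f7777772e6578616d706c652e636f6d")
REQUEST_2 = bytes.fromhex("828684be58086e6f2d6361636865")
```

Decoding REQUEST_1 yields the four headers from the table and leaves `(":authority", "www.example.com")` in the dynamic table; REQUEST_2 then spends one byte (0xbe) on :authority and adds `cache-control: no-cache` as the new index 62. Running REQUEST_1 through a decoder with `max_header_list_size=50` is rejected on the second header, which is the behaviour a server wants when a client sends a header block designed to expand far beyond its wire size.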
19. HTTP/2 – Server Push
• Server sends a response before the client has requested it.
• Client stores the pushed response in its cache.
• Server sends a PUSH_PROMISE frame on the originating stream that names the promised (pushed) stream.
  • Unlike normal response headers, the header block in PUSH_PROMISE is a request header block.
  • It contains the :path (and :method, :scheme, :authority) of the request the pushed DATA will answer.
• Client can reject pushed data.
  • RST_STREAM on the promised stream (CANCEL or REFUSED_STREAM), or SETTINGS_ENABLE_PUSH = 0 to disable push altogether.
20. HTTP/2 – Protocol Upgrade
• NPN (Next Protocol Negotiation)
  • Designed for SPDY; never standardized.
  • Server's offer, client's choice.
  • Over TLS only.
• ALPN (Application Layer Protocol Negotiation, RFC 7301)
  • The official mechanism for HTTP/2 over TLS (protocol id "h2").
  • Client's offer, server's choice.
  • Part of the TLS handshake (ClientHello/ServerHello extension), so no extra round trip.
• Upgrade header (Upgrade: h2c, with an HTTP2-Settings header)
  • For unencrypted HTTP.
  • Requires one extra round trip.
21. HTTP/2 - Security
• Promoted TLS
  • Minimum TLS version 1.2.
  • Blacklisted cipher suites (RFC 7540 Appendix A: non-ephemeral key exchange, CBC, NULL and stream ciphers).
  • Minimum key-size requirement (see notes).
  • No TLS renegotiation, no TLS compression.
• Cross-protocol attacks
  • Mitigated by TLS+ALPN.
  • Little protection in plain text (h2c).
• Intermediary encapsulation attacks
  • Invalid header names/values must make the whole request invalid (no HTTP splitting when a proxy re-serializes to HTTP/1.1).
• Context-aware compression
  • BREACH/CRIME: HPACK lets sensitive fields be sent as never-indexed literals instead of being compressed with attacker-controlled data.
• Frame padding
  • BREACH/CRIME: padding hides the true length of header and data frames.
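The ALPN negotiation from slide 20 and the TLS requirements from slide 21, as an added example that is not from the deck: a Python `ssl` server context configured to offer "h2", beside an audit function that checks any context against the RFC 7540 section 9.2 rules (TLS 1.2 minimum, no compression, no renegotiation, only ephemeral key exchange with AEAD ciphers). Assumptions: the cipher string, the function names and the `LEGACY_CIPHERS` sample are this example's own; the sample's dict shape follows what `SSLContext.get_ciphers()` documents, with values assumed for illustration; the key-size minimums from the notes (2048-bit DHE, 224-bit ECDHE) are not checked because the `ssl` module does not expose them for inspection; no certificate is loaded, so the context is only for inspection, not for serving.

```python
import ssl

# RFC 7540 9.2: TLS 1.2 or later, compression and renegotiation disabled, and (9.2.2) only
# suites with ephemeral key exchange and an AEAD cipher; Appendix A blacklists the rest.
H2_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!MD5"   # assumed choice
EPHEMERAL_KX = {"kx-ecdhe", "kx-dhe"}      # 'kea' values reported by SSLContext.get_ciphers()


def build_h2_server_context():
    """Server-side context that passes audit_h2_tls; the certificate is not loaded here."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(H2_CIPHERS)
    ctx.options |= ssl.OP_NO_COMPRESSION                        # CRIME
    ctx.options |= getattr(ssl, "OP_NO_RENEGOTIATION", 0)       # needs OpenSSL >= 1.1.0h
    if ssl.HAS_ALPN:
        ctx.set_alpn_protocols(["h2", "http/1.1"])              # server picks from the client's offer
    return ctx


def audit_h2_tls(ciphers, minimum_version, options):
    """Return a list of findings; an empty list means the configuration may speak h2."""
    findings = []
    if minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum TLS version below 1.2")
    if not options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression not disabled")
    if hasattr(ssl, "OP_NO_RENEGOTIATION") and not options & ssl.OP_NO_RENEGOTIATION:
        findings.append("TLS renegotiation not disabled")
    for c in ciphers:
        if c["protocol"] == "TLSv1.3":        # every TLS 1.3 suite is AEAD with ephemeral kx
            continue
        if not c["aead"]:
            findings.append("non-AEAD suite enabled: " + c["name"])
        if c["kea"] not in EPHEMERAL_KX:
            findings.append("non-ephemeral key exchange: " + c["name"])
    return findings


def audit_context(ctx):
    return audit_h2_tls(ctx.get_ciphers(), ctx.minimum_version, ctx.options)


# Constructed sample of what get_ciphers() reports for a legacy configuration
# (field names as documented for the ssl module; the set of suites is an assumed example).
LEGACY_CIPHERS = [
    {"name": "AES128-SHA", "protocol": "TLSv1.0", "aead": False, "kea": "kx-rsa"},
    {"name": "ECDHE-RSA-AES128-SHA256", "protocol": "TLSv1.2", "aead": False, "kea": "kx-ecdhe"},
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "protocol": "TLSv1.2", "aead": True, "kea": "kx-ecdhe"},
]


def audit_legacy_sample():
    """Findings for the legacy sample with no minimum version and no options set."""
    return audit_h2_tls(LEGACY_CIPHERS, ssl.TLSVersion.MINIMUM_SUPPORTED, 0)


def audit_hardened_context():
    return audit_context(build_h2_server_context())
```

The legacy sample is flagged for RSA key exchange (no forward secrecy, blacklisted in Appendix A), for the two CBC suites (not AEAD) and for leaving compression and renegotiation enabled; the hardened context produces no findings. Note that a client which negotiates "h2" over a configuration that fails these checks must expect an INADEQUATE_SECURITY connection error from a conforming peer.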
22. HTTP/2 – Security/2
• Huge rework for WAFs
  • HTTP/2 is binary.
  • Can use a proxy to translate to HTTP/1.1 traffic for inspection.
• Opportunistic encryption
  • Alt-Svc header.
• Connection reuse (coalescing)
  • Action correlation across hosts sharing one connection.
• Caching of server push
  • Pushed responses are unauthenticated data (see notes).
• Limits on HEADERS block size.
• Denial of Service
  • Slow Read (CVE-2016-1546)
  • HPACK Bomb (CVE-2016-1544, CVE-2016-2525)
  • Dependency Cycle Attack (CVE-2015-8659)
  • Stream Multiplexing Abuse (CVE-2016-0150)
23. The Future : QUIC
• Quick UDP Internet Connections.
• TCP + TLS + HTTP/2 over UDP.
• Long-term enhancements that TCP cannot adopt quickly.
• No more 3-way handshake.
• Reduced round trips.
• Connection migration.
• Proactive speculative retransmission.
• Automatic fallback to TCP.
24. You have a question!?
All images are found via Google search. They belong to their respective owners.
Speaker notes
It is less about security because we don't know much about HTTP/2.
I have not played with any of them.
HTTP/0.9 was not an official version, only documented.
Gopher came along at the same time. It was used to present information in catalogs (mostly recipes).
First draft in 1989.
Used for human-machine interaction as well as machine-to-machine interaction.
Not everything that uses HTTP is what we call the web: databases, peripheral devices, network management, etc.
Which protocol at the Transport Layer?
Extremely simple.
Which header is used to declare the media type?
https://www.w3.org/Protocols/HTTP/1.0/spec.html
Method definitions?
CONNECT is generally used to tunnel TLS through proxies.
CORS?
Cache-control:
Transfer-encoding: chunked
Response is only 43 bytes.
Request length is 1096 bytes; half of that is cookies alone.
DEMO 2: Firefox timing tool.
5 Mbps seems to be the optimum; more bandwidth helps little.
Latency is more in mobile networks.
Spriting: Download large image, cut into pieces. E.g. national flags.
Inlining: critical CSS/JS in HTML
Concatenation: Append multiple CSS and JS into one file
Sharding: Using multiple host names to parallelize TCP connections
Speed is primary concern.
Note: no more text framing.
Length is the payload length only.
https://raw.githubusercontent.com/bagder/http2-explained/master/images/frame-layout.png
Handles TCP misuse.
Fewer handshakes.
Bandwidth optimization.
http://www.slideshare.net/adrianfcole/http2-whats-inside-and-why
Solves HTTP-level head-of-line blocking (TCP-level head-of-line blocking remains, see QUIC).
https://nghttp2.org/blog/2014/04/27/how-dependency-based-prioritization-works/
http://www.slideshare.net/adrianfcole/http2-whats-inside-and-why
Will take a few hours to explain HPACK
DEMO3: Wireshark HTTP/2
An RST_STREAM frame terminates a stream; either side can send it.
How to start talking HTTP/2?
NPN is not standard but supported by most implementation because it existed before ALPN
http://image.slidesharecdn.com/0wx7wvsyssixorne6oi4-signature-3e4156dfa5ca73d9c41ffa9d4c46761ec7b02523c13cc2ad1873addb96cbf495-poli-141013224659-conversion-gate01/95/googles-ilya-grigorik-on-http-20-39-638.jpg?cb=1413240588
https://www.linuxbabe.com/nginx/difference-between-npn-and-alpn-plus-how-to-enable-alpn-on-your-site
The SNI name is not necessarily the same as the DNS name.
"Endpoints MAY treat negotiation of key sizes smaller than the lower limits as a connection error (Section 5.4.1) of type INADEQUATE_SECURITY."
2048-bit keys for ephemeral finite-field Diffie-Hellman (DHE).
224-bit keys for cipher suites that use ephemeral elliptic curve Diffie-Hellman (ECDHE).
Cross-protocol attacks : an attacker causes a client to initiate a transaction in one protocol toward a server that understands a different protocol. May lead to access to restricted resources.
Intermediary Encapsulation Attacks: HTTP Splitting
New problems
Opportunistic encryption: there is no way to indicate whether an Alt-Svc endpoint is unencrypted.
Unauthenticated data in server push.
The same connection is reused for sub-domains too (connection coalescing); a request may be directed to the wrong server by default.
The same header may be encoded differently depending on order/context.
QUIC is developed by Google.
Connection migration: uses a 64-bit connection ID; the same ID can be used over multiple interfaces.