Overview
Explore the HTTP/2 protocol and its vulnerabilities in this Black Hat conference talk. The talk covers the rapid adoption of HTTP/2 by major internet players and its role as the transition layer for web traffic, then presents new attack vectors aimed at HTTP/2's own components, in particular the flow control mechanism and HPACK header compression with its dynamic table. The low data rate attack and the industry multiplexing attack are shown in video demonstrations. The speaker then weighs the possible responses: abandoning HTTP/2, patching the affected implementations, or virtual patching in front of them. The key takeaways and technical details give the background needed to judge the security implications of this next-generation internet foundation.
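The flow control mechanism named above is the lever behind a low data rate attack: a client may advertise an arbitrarily small receive window (SETTINGS_INITIAL_WINDOW_SIZE, or WINDOW_UPDATE frames with tiny increments), and a compliant server then parks the whole response in memory and drips it out a few bytes per round trip, holding the stream and its buffers open for as long as the client cares to keep acknowledging. The Python below is an added example, not code from the talk or its demo: it builds and parses HTTP/2 frames with the RFC 7540 wire layout (9-byte header: 24-bit length, type, flags, 31-bit stream id), simulates a server draining a response under the client's window, and applies a server-side heuristic that flags tiny-window peers. The single merged window (real HTTP/2 has a connection-level and a stream-level window), the 1-byte window of the slow client and the `min_window` threshold in `classify_client` are simplifications and assumptions for illustration; the exact parameters used in the talk's demo are not on this page.

```python
import struct
from dataclasses import dataclass

# Frame types and the settings identifier used here, from RFC 7540.
FRAME_DATA, FRAME_SETTINGS, FRAME_WINDOW_UPDATE = 0x0, 0x4, 0x8
SETTINGS_INITIAL_WINDOW_SIZE = 0x4
DEFAULT_WINDOW = 65_535          # initial window before any SETTINGS are applied
PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"


@dataclass
class Frame:
    length: int
    ftype: int
    flags: int
    stream_id: int
    payload: bytes


def encode_frame(ftype: int, flags: int, stream_id: int, payload: bytes) -> bytes:
    """Serialize one frame: 24-bit length, 8-bit type, 8-bit flags,
    1 reserved bit + 31-bit stream id, then the payload."""
    header = (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
              + struct.pack(">I", stream_id & 0x7FFFFFFF))
    return header + payload


def decode_frames(buf: bytes) -> list:
    """Parse a byte string of back-to-back frames; reject truncated input."""
    frames, pos = [], 0
    while pos < len(buf):
        if len(buf) - pos < 9:
            raise ValueError("truncated frame header")
        length = int.from_bytes(buf[pos:pos + 3], "big")
        ftype, flags = buf[pos + 3], buf[pos + 4]
        stream_id = struct.unpack(">I", buf[pos + 5:pos + 9])[0] & 0x7FFFFFFF
        payload = buf[pos + 9:pos + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame payload")
        frames.append(Frame(length, ftype, flags, stream_id, payload))
        pos += 9 + length
    return frames


def settings_frame(pairs) -> bytes:
    """SETTINGS frame on stream 0: a list of (16-bit id, 32-bit value) pairs."""
    return encode_frame(FRAME_SETTINGS, 0, 0,
                        b"".join(struct.pack(">HI", i, v) for i, v in pairs))


def window_update_frame(stream_id: int, increment: int) -> bytes:
    """WINDOW_UPDATE frame: 1 reserved bit + 31-bit window increment."""
    return encode_frame(FRAME_WINDOW_UPDATE, 0, stream_id,
                        struct.pack(">I", increment & 0x7FFFFFFF))


def _initial_window(frame: Frame, current: int) -> int:
    """Return the window value after applying a SETTINGS frame (simplified:
    applied before any DATA has been sent, so the window just becomes the value)."""
    for i in range(0, len(frame.payload), 6):
        ident, value = struct.unpack(">HI", frame.payload[i:i + 6])
        if ident == SETTINGS_INITIAL_WINDOW_SIZE:
            current = value
    return current


def simulate_server_send(client_frames: bytes, response_size: int, max_frame=16_384) -> dict:
    """Model a server holding `response_size` bytes for stream 1 and applying the
    client's flow-control frames in order. A single merged window is used
    (assumption; real HTTP/2 keeps connection and stream windows separately)."""
    window, remaining, data_frames = DEFAULT_WINDOW, response_size, []

    def drain():
        nonlocal window, remaining
        while window > 0 and remaining > 0:
            chunk = min(window, remaining, max_frame)
            data_frames.append(encode_frame(FRAME_DATA, 0, 1, b"A" * chunk))
            window -= chunk
            remaining -= chunk

    for f in decode_frames(client_frames):
        if f.ftype == FRAME_SETTINGS:
            window = _initial_window(f, window)
        elif f.ftype == FRAME_WINDOW_UPDATE and f.stream_id in (0, 1):
            window += struct.unpack(">I", f.payload)[0] & 0x7FFFFFFF
        drain()   # the server sends only what the window permits after each frame
    return {"sent": response_size - remaining, "pending": remaining,
            "data_frames": len(data_frames)}


def classify_client(client_frames: bytes, min_window: int = 1024) -> str:
    """Server-side heuristic (assumed threshold): flag a peer whose initial window
    is tiny or whose WINDOW_UPDATEs never raise it above `min_window`."""
    initial, increments = DEFAULT_WINDOW, []
    for f in decode_frames(client_frames):
        if f.ftype == FRAME_SETTINGS:
            initial = _initial_window(f, initial)
        elif f.ftype == FRAME_WINDOW_UPDATE:
            increments.append(struct.unpack(">I", f.payload)[0] & 0x7FFFFFFF)
    if initial < min_window or (increments and max(increments) < min_window):
        return "slow-read suspect"
    return "normal"


if __name__ == "__main__":
    # Constructed traffic: a normal client and a slow reader asking for 100 KB.
    normal = settings_frame([]) + window_update_frame(1, 65_535)
    slow = (settings_frame([(SETTINGS_INITIAL_WINDOW_SIZE, 1)])
            + b"".join(window_update_frame(1, 1) for _ in range(10)))
    for name, traffic in (("normal", normal), ("slow", slow)):
        print(name, simulate_server_send(traffic, 100_000), classify_client(traffic))
```

With the constructed traffic the normal client receives all 100,000 bytes in 7 DATA frames, while the slow reader has pulled 11 bytes in 11 DATA frames and left 99,989 bytes parked on the server, which is the resource exhaustion the attack relies on when repeated across many connections.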
Syllabus
Introduction
Who am I
Credits
Agenda
Why HTTP2
HTTP1 Problems
Who Uses HTTP2
Components of HTTP
Frame
New Attacks
Research
Implementation
Flow Control Mechanism
Low Data Rate Attack
Video Demo
Industry Multiplexing
Attack Flow
Attack Flow Demo
Header Compression
HPACK
Dynamic Table
Funny Story
What can we do
Option 1 Abandon HTTP2
Option 2 Patch
Option 3 Patch
Virtual Patching
Key takeaways
Technical details
Taught by
Black Hat