http 2 infosec
play

HTTP/2 & InfoSec Anderson Dadario Topics HTTP Today Why - PowerPoint PPT Presentation

Feb 17, 2023 •151 likes •376 views

HTTP/2 & InfoSec Anderson Dadario Topics HTTP Today Why HTTP/2 How it works What is relevant to your InfoSec job 2 HTTP Today Using HTTP 1.1 since 1997 / 1999 Connection: keep-alive Head of Line

  1. HTTP/2 & InfoSec Anderson Dadario

  2. Topics ● HTTP Today ● Why HTTP/2 ● How it works ● What is relevant to your InfoSec job 2

  3. HTTP Today ● Using HTTP 1.1 since 1997 / 1999 ○ Connection: keep-alive ○ Head of Line Blocking ● But we still use N TCP Connections per origin ... ● And Many Hacks because requests are evil ○ CSS Spriting ○ Inlining ○ Concatenation ○ Domain Sharding ● No Header Compression 3

  4. So comes SPDY in 2009 ● With some cool stuff ○ Header Compression (vulnerable to CRIME) ■ Now cookieless domains are useless ○ Multiplexing ■ Now sharding is harmful (1 TCP connection per origin) ■ Has prioritization (e.g., focus on JS and CSS files) ○ Server Push ■ Although some pushes may be wasteful, there is “Server Hint” for SPDY, and RST_STREAM for HTTP/2 ○ HTTPS Only → there’s a gotcha here: do you wonder why? avoid intermediaries 4

  5. What about HTTP/2? ● Used SPDY 3 as its first draft ● Main Driven by Performance ● But also includes … ○ Security ○ Reliability 5

  6. Key Differences ● Binary instead of ASCII ● Header Compression (HPACK - RFC 7541) ● Fully multiplexed - Means: Parallelism and Out of Order Req/Res ○ Stream Prioritization ○ 1 TCP Connection > N Streams > N Frames ● Solves Head of Line Blocking ● Server Push what it thinks that the client will need (e.g., assets) 6

  7. HTTP/2 Units FRAME FRAME FRAME FRAME STREAM CONNECTION Streams have Connections have Frames have - IDENTIFIER - FLOW CONTROL - FLAGS, - STATE - TYPE, - PRIORITY - STREAM IDENTIFIER, - FLOW CONTROL - PAYLOAD and - LENGTH 7

  8. HTTP/2 Frame Types 1. DATA 6. PUSH_PROMISE 2. HEADERS 7. PING 3. PRIORITY 8. GOAWAY 4. RST_STREAM 9. WINDOW_UPDATE 5. SETTINGS 10. CONTINUATION a. SETTINGS_HEADER_TABLE_SIZE b. SETTINGS_ENABLE_PUSH c. SETTINGS_MAX_CONCURRENT_STREAMS d. SETTINGS_INITIAL_WINDOW_SIZE e. SETTINGS_MAX_FRAME_SIZE f. SETTINGS_MAX_HEADER_LIST_SIZE 8

  9. HTTP/2 GET 9

  10. HTTP/2 POST Request 10

  11. HTTP/2 POST Response 11

  12. Request Reliability 12

  13. Upgrade Request Anatomy When you don’t know if it supports HTTP/2 ● “h2c” means no TLS connection GET / HTTP/1.1 ● “h2” means TLS connection [TLS-ALPN] Host: server.example.com Connection: Upgrade, HTTP2-Settings Upgrade: h2c HTTP2-Settings: <base64url encoding of HTTP/2 SETTINGS payload> ● A server MUST NOT upgrade the [ Response ] connection to HTTP/2 if this header HTTP/1.1 101 Switching Protocols field is not present or if more than one Connection: Upgrade is present. Upgrade: h2c ● A server MUST NOT send this header field. Implicit acknowledgement of HTTP2-Settings 13

  14. InfoSec Overview 1-4 ● Increased Attack Surface ○ Supporting HTTP/1 and HTTP/2 ○ HTTP/2 extensions (e.g., new settings, frame type or error code) ○ Possibility to simulate bad implementations that results in DoS ■ e.g., reply RST_STREAM to a RST_STREAM frame. ● Non mature implementations == High probability to find Bugs ○ E.g., Yahoo fuzzing Apache HTTP/2 ● DAST Market ○ Force scanners to support HTTP/2 ○ Decrease scan time 14

  15. InfoSec Overview 2-4 ● Wireshark support (partially) ○ Support HPACK but missing continuation frame support... ● Frame Padding to obscure the size of messages ○ “Use of padding can result in less protection than might seem immediately obvious. At best, padding only makes it more difficult for an attacker to infer length information by increasing the number of frames an attacker has to observe.” RFC 7540 ● TLS Cipher Blacklist (MAY trigger INADEQUATE_SECURITY ERR) ● TLS 1.2 or higher w/ SNI support is a MUST ● TLS MUST disable compression and renegotiation 15

  16. InfoSec Overview 3-4 ● TLS Implementations MUST support ephemeral key exchange sizes of at least 2048 bits for cipher suites that use ephemeral finite field Diffie-Hellman (DHE) [TLS12] and 224 bits for cipher suites that use ephemeral elliptic curve Diffie-Hellman (ECDHE) [RFC4492]. Clients MUST accept DHE sizes of up to 4096 bits. ● Opportunistic Security for HTTP (...) ○ “(...) serve http URIs over TLS For pentesting: ● it is possible for server configurations to without being required to change; ● for configurations to differ between support strong server instances in clustered servers, or authentication. (...)” ● for network conditions to change. 16

  17. InfoSec Overview 4-4 ● (...) Opportunistic Security for HTTP (Opportunistic Encryption) ○ No padlock symbol ○ Won’t verify X.509 certificate: “(...) The server certificate, if one is proffered by the alternative service, is not necessarily checked for validity, expiration, issuance by a trusted certificate authority or matched against the name in the URI. (...)” ○ Left out from HTTP/2 RFC ○ Polemic: does it prevents HTTPS adoption or help HTTP? ● ALMOST mandatory HTTPS as Google and Firefox said that their browsers will only allows HTTP/2 for HTTPS connections ● Many open TCP connections (persistent connections) 17

  18. HTTP/2 Adoption Rate ● Browsers: Chrome and Firefox latest versions support already ● Servers: Apache (mod_h2), jetty, Apache Traffic Server ● Services: Google, Twitter ● Proxy: Squid ● CDN ○ Akamai said in the end of the year and ○ CloudFlare when ‘nginx supports HTTP/2’ 18

  19. References 1-2 1. HTTP/2 - RFC 7540 - http://www.rfc-editor.org/rfc/rfc7540.txt 2. HPACK - RFC 7541 - http://www.rfc-editor.org/rfc/rfc7541.txt 3. ALPN - RFC 7301 - https://tools.ietf.org/html/rfc7301 4. HTTP/2 Home - https://http2.github.io/ 5. Daniel’s Blog - http://daniel.haxx.se/blog/ 6. SPDY & HTTP 2 with Akamai CTO Guy Podjarny https://www. youtube.com/watch?v=WkLBrHW4NhQ 7. An overview of HTTP/2 with Daniel Sommermann https://www. youtube.com/watch?v=-yxQIRl6Qic 8. HTTP/2 (Mark Nottingham) https://www.youtube.com/watch? v=OQ158bJPvx4 19

  20. References 2-2 9. Pervasive Monitoring - RFC 7258 - http://www.rfc-editor. org/info/rfc7258 10. Opportunistic Security for HTTP - http://httpwg.github.io/http- extensions/encryption.html 11. HTTP/2 Book - http://daniel.haxx.se/http2/ 12. TLS in HTTP/2 - http://daniel.haxx.se/blog/2015/03/06/tls-in-http2/ 13. HTTP BIS mailing list 20

  21. QUIC: UDP- based transport protocol for the modern Internet Today, roughly half of all requests from Chrome to Google servers are served over QUIC Thanks! Anderson Dadario anderson@gauntlet.io | Twitter: @andersonmvd http://Gauntlet.io

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Storytelli Storytelling ng in in Infosec Infosec (Draft aft of) a Pr Practical ctical Guide

Storytelli Storytelling ng in in Infosec Infosec (Draft aft of) a Pr Practical ctical Guide

Dr. med. Christina Czeschik www.serapion.de Storytelli Storytelling ng in in Infosec Infosec (Draft aft of) a Pr Practical ctical Guide ide BalCCon 2k17 Sept 16, 2017, Novi Sad How to Make Users Behave Safely? Explain things to them?

566 views • 52 slides
InfoSec Training and Awareness Program Training &amp; Employee InfoSec Yearly In-person

InfoSec Training and Awareness Program Training &amp; Employee InfoSec Yearly In-person

InfoSec Training and Awareness Program Training &amp; Employee InfoSec Yearly In-person Whitepapers, InfoSec Spear Awareness Comms Intranet Site Security Security Brochures E-mailbox Phishing Awareness Awareness Exercises

389 views • 36 slides
InfoSec Ninjas Croissants Intrusion Detection and Prevention System (IDPS) InfoSec Ninjas Who

InfoSec Ninjas Croissants Intrusion Detection and Prevention System (IDPS) InfoSec Ninjas Who

InfoSec Ninjas Croissants Intrusion Detection and Prevention System (IDPS) InfoSec Ninjas Who am I? Samiux is an Information Security Enthusiast. - OSCE, OSCP, OSWP - Blogger - Linux user Hobbies : - Programming - Reading

261 views • 12 slides
Flex your Flex your InfoSec InfoSec muscles! muscles! Zuzana Bitterova Zuzana Bitterova

Flex your Flex your InfoSec InfoSec muscles! muscles! Zuzana Bitterova Zuzana Bitterova

Flex your Flex your InfoSec InfoSec muscles! muscles! Zuzana Bitterova Zuzana Bitterova This presentation is about Passion This presentation is NOT about Embracing change how to become an expert in the information security area

975 views • 49 slides
So basically same as a lot of us here: Wants to do cool InfoSec stuff, Wants to Stay out of Jail

So basically same as a lot of us here: Wants to do cool InfoSec stuff, Wants to Stay out of Jail

Changing Legal Landscape for Infosec Who I am: Elissa Shevinsky CEO of Jekudo Privacy Company @ElissaBeth and @Jekudo_Cat on Twitter Writer/Journalist Cautious Security Researcher So basically same as a lot of us here: Wants to do cool

472 views • 17 slides
Statewide IT, InfoSec and Privacy Update S eptember 2019 Re c e nt Suc c e sse s o f Sha re d

Statewide IT, InfoSec and Privacy Update S eptember 2019 Re c e nt Suc c e sse s o f Sha re d

Statewide IT, InfoSec and Privacy Update S eptember 2019 Re c e nt Suc c e sse s o f Sha re d Se rvic e s $71,000 pe r ye ar for age nc ie s as we ll as $1.2 million in c ost avoide d by not ope r ating the DT O Pr int and Mail fac

327 views • 13 slides
Fig Leaf Security @haroonmeer - 2011 #disclaimer Who am i ? &amp; Why this talk? A

Fig Leaf Security @haroonmeer - 2011 #disclaimer Who am i ? &amp; Why this talk? A

Fig Leaf Security @haroonmeer - 2011 #disclaimer Who am i ? &amp; Why this talk? A chance to meet our heroes! like Simple Nomad! thegnome: we expected thegnome: we got beard this is my rant.. The infosec industry ZA infosec

1.09k views • 64 slides
InfoSec 101 Introduction to Information Security for (non-IT) Professionals Fabian Lischka,

InfoSec 101 Introduction to Information Security for (non-IT) Professionals Fabian Lischka,

InfoSec 101 Introduction to Information Security for (non-IT) Professionals Fabian Lischka, Larry Salibra, Leonhard Weese FCC, Hong Kong, 2015-02-26 V0.97 from 2015-03-12 Content I n t r o d u c t i o n D i s c l a i m e r s

421 views • 30 slides
Cheapskate! Free and Excellent Infosec Career Resources Nathan Chan, CISSP C|EH 2019 Oct 11 1

Cheapskate! Free and Excellent Infosec Career Resources Nathan Chan, CISSP C|EH 2019 Oct 11 1

Cheapskate! Free and Excellent Infosec Career Resources Nathan Chan, CISSP C|EH 2019 Oct 11 1 / 48 Who Am I Three careers Flight Simulation both trainers and engineering Software Tester Security Worked in defense,

777 views • 48 slides
SirepRAT Windows IoT Core Abusing a Windows service for RCE About Me 7+ years in InfoSec

SirepRAT Windows IoT Core Abusing a Windows service for RCE About Me 7+ years in InfoSec

SirepRAT Windows IoT Core Abusing a Windows service for RCE About Me 7+ years in InfoSec Security Researcher @Safebreach Presented at DEFCON, DEEPSEC, Hackfest @bemikre Contents 1. Windows IoT Core 2. Live SirepRAT

967 views • 74 slides
INFOSEC: TOdayS INvISIblE baTTlESpaCE CapT JErad SaylEr, USaF Chief of Offensive Cyber

INFOSEC: TOdayS INvISIblE baTTlESpaCE CapT JErad SaylEr, USaF Chief of Offensive Cyber

INFOSEC: TOdayS INvISIblE baTTlESpaCE CapT JErad SaylEr, USaF Chief of Offensive Cyber Operations Work at HQ Air Force Space Command Grew up in Beulah, ND Commissioned 2009 from UND ROTC program Computer Science Degree from

645 views • 18 slides
Reversing P25 Radio Scanners Let's beat a dead horse. Super Quick Presentation Founder of

Reversing P25 Radio Scanners Let's beat a dead horse. Super Quick Presentation Founder of

Reversing P25 Radio Scanners Let's beat a dead horse. Super Quick Presentation Founder of an obscurely named infosec company (see footer) founded at the end of 2011 infosec dev, pentests president, lead coder, chief janitor

405 views • 37 slides
A Recareering Framework @fuzzing_panda A Recareering Framework 1. Framework a. Recon b.

A Recareering Framework @fuzzing_panda A Recareering Framework 1. Framework a. Recon b.

A Recareering Framework @fuzzing_panda A Recareering Framework 1. Framework a. Recon b. Vulnerability Analysis c. Exploitation 2. Life Hack 3. A word to the wise history | grep -v infosec history | grep -v infosec How did I recareer into

697 views • 21 slides
Smart Grid IoT Security Kwaku Sarpong Manu About Me Computer Engineer Novice InfoSec researcher

Smart Grid IoT Security Kwaku Sarpong Manu About Me Computer Engineer Novice InfoSec researcher

Smart Grid IoT Security Kwaku Sarpong Manu About Me Computer Engineer Novice InfoSec researcher Signals Intelligence Cyanide and Happiness junkie Twitter: @_kwaku__ Electricity, Water and Gas What is Smart Grid IoT? Internet of things

764 views • 21 slides
iPanSec.com SOAPA Dashboard Smart InfoSec Automation Zero Trust Assurance Suite SOAPA

iPanSec.com SOAPA Dashboard Smart InfoSec Automation Zero Trust Assurance Suite SOAPA

iPanSec.com SOAPA Dashboard Smart InfoSec Automation Zero Trust Assurance Suite SOAPA Dashboard Integrated with Network Layer (PacketX , UPAS) Field WiFi /BLE /ZigBee Layer (ArcRan iSecMaster) Endpoint Layer (Comodo)

549 views • 13 slides
. IoT or Internet of {Things,Threats} Thomas (@nyx__o) Malware Researcher at ESET CTF lover

. IoT or Internet of {Things,Threats} Thomas (@nyx__o) Malware Researcher at ESET CTF lover

. IoT or Internet of {Things,Threats} Thomas (@nyx__o) Malware Researcher at ESET CTF lover Open source contributor Olivier (@obilodeau) Malware Researcher at ESET Infosec lecturer at ETS University in Montreal Previously infosec

1.25k views • 104 slides
File Uploads HTML Forms - POST Specify multipart encoding to receive each input separately in

File Uploads HTML Forms - POST Specify multipart encoding to receive each input separately in

File Uploads HTML Forms - POST Specify multipart encoding to receive each input separately in the body &lt; form action=&quot;/form-path&quot; method=&quot;post&quot; enctype=&quot;multipart/form-data&quot; &gt; &lt; label

554 views • 16 slides
Time Matters Week 7 Week 6 Prototyping + Needfinding Week 7 Week 8 Implementation Week 9

Time Matters Week 7 Week 6 Prototyping + Needfinding Week 7 Week 8 Implementation Week 9

Time Matters Week 7 Week 6 Prototyping + Needfinding Week 7 Week 8 Implementation Week 9 Week 10 User Testing + Debugging + Final Prep User Experience http://cogs121.ucsd.edu/schedule/ UX: Interaction Cost Interaction cost: any

415 views • 18 slides
Software-Defined Fabrics for IoT at Scale Alberto Leon-Garcia University of Toronto Scientific

Software-Defined Fabrics for IoT at Scale Alberto Leon-Garcia University of Toronto Scientific

Software-Defined Fabrics for IoT at Scale Alberto Leon-Garcia University of Toronto Scientific Director, NSERC SAVI Research Network alberto.leongarcia@utoronto.ca 1 2 Context The Challenge By 2050 Over 70% of world population will

346 views • 19 slides
Grid Computing: NetSolve and the GrADS Project GrADS Project

Grid Computing: NetSolve and the GrADS Project GrADS Project

Grid Computing: NetSolve and the Grid Computing: NetSolve and the GrADS Project GrADS Project

623 views • 60 slides
News from Git in Eclipse Matthias Sohn (SAP) merge strategy extension point enables

News from Git in Eclipse Matthias Sohn (SAP) merge strategy extension point enables

News from Git in Eclipse Matthias Sohn (SAP) merge strategy extension point enables external merge strategy used by EMF Compare to provide model merge (Neon) JGit 4.0, EGit 4.1 EMF Compare provides model merge strategy Computes

660 views • 41 slides
Introducing OpenPush A Free, Decentralized Push Messaging Framework for Android Marcus Hoffmann -

Introducing OpenPush A Free, Decentralized Push Messaging Framework for Android Marcus Hoffmann -

Introducing OpenPush A Free, Decentralized Push Messaging Framework for Android Marcus Hoffmann - bubu@bubu1.eu 1 / 31 About Me Hi, I'm Marcus! Free software developer from Berlin. Working on a free Android ecosystem. F-Droid core

358 views • 31 slides
Toward a Push-Scalable Global Internet IEEE Global Internet Symposium, IEEE Infocom 2011 Sachin

Toward a Push-Scalable Global Internet IEEE Global Internet Symposium, IEEE Infocom 2011 Sachin

Toward a Push-Scalable Global Internet IEEE Global Internet Symposium, IEEE Infocom 2011 Sachin Agarwal 1 ska@alum.bu.edu - Presented by Oliver Hohlfeld Deutsche Telekom A.G., Laboratories &amp; TU Berlin Ernst-Reuter-Platz 7 10409

319 views • 18 slides
Simple and Efficient Two-Server ORAM Dov Gordon (George Mason U.) Jonathan Katz (U. of Maryland)

Simple and Efficient Two-Server ORAM Dov Gordon (George Mason U.) Jonathan Katz (U. of Maryland)

Simple and Efficient Two-Server ORAM Dov Gordon (George Mason U.) Jonathan Katz (U. of Maryland) Xiao Wang (MIT &amp; Boston U.) What is ORAM Outsourced memory storage, allowing oblivious memory access (read and write). Any 2 sequences

393 views • 25 slides

More recommend