Saturday, 1 August 2015

HTTP/2 revisited

As you may know, I published a simple blog post about "HTTP/2 PUSHing malicious content". This led to some discussions, more investigation and even more questions.

Let me describe the whole thing once again.
  1. There is this pretty and fancy new protocol. It replaces HTTP 1.1 and 1.0 and will be the next standard. Actually it is officially version 2.0 of the HTTP standard. This new protocol is so new and fancy that my tools (I tried Wireshark, Burp Suite and OWASP ZAP) are not able to tell me anything about the traffic. It is shown as TCP only. The whole communication between server and client is frame based and uses TLS. So instead of a nice text header like
    HTTP/1.x 200 OK
    Transfer-Encoding: chunked
    Date: Sat, 28 Nov 2009 04:36:25 GMT
    Server: LiteSpeed
    Connection: close
    X-Powered-By: W3 Total Cache/0.8
    you will see a frame: one or more binary packages holding this information.
    The body is just the same idea; it will be frame and binary based. Even the frames can be split, so the server responds in whatever way makes sense and multiplexes the traffic.

  2. One new feature is SERVER PUSH. The idea is that the server can send you a file for your browser to cache. Maybe you need it later. As an example, let's say I have a website with a lot of animal pictures. Now I have one picture of a cat. The cat is adorable and I am pretty sure that everybody visiting my page will stop at that picture and take a look. Well, so now I am clever: I just push you the file directly at the beginning. Right from the start you have it. When you then click on the picture your browser can show it instantly. That's a cool feature.

    So now you ask: what type of files can I push? Well, anything. I tried the EICAR test signature. It worked. Limitation: it worked with the nghttp2 tools. For Firefox I do not know, because of (1): I am not able to see the traffic.
  3. So, let's combine (1) and (2). Worst case: I can push you whatever I want. Your browser will accept any package and store it in the cache. That's step one of many bad things which can happen.
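As an added example that is not part of the original post, here is a small Python parser for the 9-byte HTTP/2 frame header (RFC 7540), the thing the tools above could not show: it lists the frames, pulls the promised stream ids out of PUSH_PROMISE frames (that is how you would spot a push before the pushed body arrives), and checks whether a client's SETTINGS frame sets SETTINGS_ENABLE_PUSH to 0, the switch that tells a server not to push at all. The sample bytes are constructed, not captured, and the HPACK header blocks inside them are not decoded.

```python
import struct

FRAME_TYPES = {0x0: "DATA", 0x1: "HEADERS", 0x4: "SETTINGS", 0x5: "PUSH_PROMISE"}
SETTINGS_ENABLE_PUSH = 0x2   # RFC 7540 setting identifier; value 0 forbids server push
FLAG_ACK, FLAG_END_HEADERS, FLAG_PADDED = 0x1, 0x4, 0x8

def parse_frames(data):
    """Split a raw HTTP/2 byte stream into (type name, flags, stream id, payload) tuples."""
    frames, pos = [], 0
    while pos + 9 <= len(data):
        length = int.from_bytes(data[pos:pos + 3], "big")            # 24-bit payload length
        ftype, flags = data[pos + 3], data[pos + 4]
        stream_id = int.from_bytes(data[pos + 5:pos + 9], "big") & 0x7FFFFFFF  # drop reserved bit
        payload = data[pos + 9:pos + 9 + length]
        if len(payload) < length:
            raise ValueError("truncated frame at offset %d" % pos)
        frames.append((FRAME_TYPES.get(ftype, "0x%02x" % ftype), flags, stream_id, payload))
        pos += 9 + length
    return frames

def promised_streams(frames):
    """Stream ids announced by PUSH_PROMISE frames: each one is a resource the server will send unasked."""
    ids = []
    for ftype, flags, _stream_id, payload in frames:
        if ftype == "PUSH_PROMISE":
            offset = 1 if flags & FLAG_PADDED else 0                   # skip the Pad Length byte
            ids.append(int.from_bytes(payload[offset:offset + 4], "big") & 0x7FFFFFFF)
    return ids

def push_disabled(frames):
    """True if a SETTINGS frame sets SETTINGS_ENABLE_PUSH to 0, the client-side switch that rejects push."""
    for ftype, flags, _stream_id, payload in frames:
        if ftype == "SETTINGS" and not (flags & FLAG_ACK):            # ACK frames carry no settings
            for i in range(0, len(payload) - 5, 6):                    # each setting is a 16-bit id + 32-bit value
                ident, value = struct.unpack("!HI", payload[i:i + 6])
                if ident == SETTINGS_ENABLE_PUSH and value == 0:
                    return True
    return False

def frame(ftype, flags, stream_id, payload):
    # assemble one frame: 9-byte header followed by the payload
    return len(payload).to_bytes(3, "big") + bytes([ftype, flags]) + stream_id.to_bytes(4, "big") + payload

# Constructed sample exchange (not a capture): the server answers stream 1 and announces a push on stream 2
SERVER_BYTES = (
    frame(0x5, FLAG_END_HEADERS, 1, (2).to_bytes(4, "big") + b"\x82\x86")  # PUSH_PROMISE; HPACK static ':method GET', ':scheme http'
    + frame(0x1, FLAG_END_HEADERS, 1, b"\x88")                               # HEADERS; HPACK static ':status 200'
    + frame(0x0, 0x1, 2, b"pushed file body")                                # DATA on the pushed stream, END_STREAM set
)
CLIENT_SETTINGS = frame(0x4, 0x0, 0, struct.pack("!HI", SETTINGS_ENABLE_PUSH, 0))  # a client refusing push
```

Feed the TLS-decrypted bytes of a real connection to `parse_frames` and the PUSH_PROMISE entries tell you which streams the server is going to push without a request; `promised_streams(parse_frames(SERVER_BYTES))` returns `[2]` for the sample.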
Now call me crazy or call me paranoid.
I believe that this is a thing worth talking about. I am open to discussion; just send me a mail or a message. My Google+ profile is linked on the right.