Let me describe the whole thing once again.
- There is this pretty and fancy new protocol. It replaces HTTP 1.1 and 1.0 and will be the next standard. Actually, it is officially version 2.0 of the HTTP standard. This new protocol is so new and fancy that my tools (I tried Wireshark, Burp Suite and OWASP ZAP) are not able to tell me anything about the traffic. It is shown as TCP only. The whole communication between server and client is frame-based and uses TLS. So instead of a nice text header like
HTTP/1.x 200 OK
Date: Sat, 28 Nov 2009 04:36:25 GMT
X-Powered-By: W3 Total Cache/0.8
The body follows the same idea: it is frame-based and binary. Even the frames can be split. So the server responds in whatever way makes sense and multiplexes the traffic.
- One new feature is SERVER PUSH. The idea is that the server can send you a file for your browser to cache. Maybe you need it later. As an example, let's say I have a website with a lot of animal pictures. Now I have one picture of a cat. The cat is adorable and I am pretty sure that everybody visiting my page will stop at that picture and take a look. Well, so now I am clever: I just push you the file directly at the beginning. Right from the start you have it. When you then click on the picture, your browser can show it instantly. That's a cool feature.
So now you ask, what type of files can I push? Well, anything. I tried the EICAR test signature. Worked. Limitation: it worked with the nghttp2 tools. For Firefox I do not know, because of (1): I am not able to see the traffic.
- So, let's combine (1) and (2). Worst scenario, I can push you whatever I want. Your browser will accept any package and store it in the cache. That's step one of many bad things which can happen.
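Once the TLS layer is removed, the binary framing is still straightforward to walk. The following added example (not part of the original post) parses the 9-byte frame headers defined in RFC 7540 from a constructed server-to-client byte string and reports which streams were opened by PUSH_PROMISE and how many DATA bytes arrived on them. The function names and the sample bytes are assumptions made for illustration.

```python
import struct

# Frame type codes 0x0-0x9 from RFC 7540, section 6.
TYPES = ["DATA", "HEADERS", "PRIORITY", "RST_STREAM", "SETTINGS",
         "PUSH_PROMISE", "PING", "GOAWAY", "WINDOW_UPDATE", "CONTINUATION"]

def parse_frames(buf):
    """Return the complete frames in one direction of decrypted HTTP/2 traffic."""
    frames, pos = [], 0
    while pos + 9 <= len(buf):
        # 9-byte header: 24-bit length, type, flags, reserved bit + 31-bit stream id
        hi, lo, ftype, flags, sid = struct.unpack_from(">BHBBI", buf, pos)
        length = (hi << 16) | lo
        payload = buf[pos + 9:pos + 9 + length]
        if len(payload) < length:
            break  # capture ends in the middle of a frame
        frame = {"type": TYPES[ftype] if ftype < len(TYPES) else hex(ftype),
                 "stream": sid & 0x7FFFFFFF, "length": length}
        if frame["type"] == "PUSH_PROMISE":
            off = 1 if flags & 0x8 else 0  # PADDED flag: a pad-length byte comes first
            if length >= off + 4:
                (promised,) = struct.unpack_from(">I", payload, off)
                frame["promised"] = promised & 0x7FFFFFFF
        frames.append(frame)
        pos += 9 + length
    return frames

def pushed_streams(frames):
    """Map each promised stream id to the DATA frame bytes seen on it (padding included)."""
    pushed = {f["promised"]: 0 for f in frames if "promised" in f}
    for f in frames:
        if f["type"] == "DATA" and f["stream"] in pushed:
            pushed[f["stream"]] += f["length"]
    return pushed

def build_frame(ftype, flags, sid, payload=b""):
    """Hypothetical helper, used only to construct the sample below."""
    n = len(payload)
    return struct.pack(">BHBBI", n >> 16, n & 0xFFFF, ftype, flags, sid) + payload

# Constructed server-to-client sample; header blocks are placeholders, not real HPACK.
SAMPLE = b"".join([
    build_frame(0x4, 0x0, 0),                                  # SETTINGS, empty
    build_frame(0x5, 0x4, 1, struct.pack(">I", 2) + b"\x00"),  # PUSH_PROMISE for stream 2
    build_frame(0x1, 0x4, 2, b"\x00"),                         # HEADERS of the pushed response
    build_frame(0x0, 0x0, 2, b"A" * 10),                       # pushed body, first frame
    build_frame(0x0, 0x1, 1, b"page"),                         # requested body, interleaved
    build_frame(0x0, 0x1, 2, b"B" * 6),                        # pushed body, END_STREAM
])
```

Calling `pushed_streams(parse_frames(SAMPLE))` on the constructed sample shows stream 2 as server-initiated, with its body split across two DATA frames around the interleaved response on stream 1.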
I believe that this is a thing worth talking about. I am open for discussion, just send me a mail or a message. My Google+ profile is linked on the right.