Home » Topics » Cybersecurity » HTTP/2 more at risk to cyber attacks?

HTTP/2 more at risk to cyber attacks?

by David Lewis

HTTP/2 is a new version and a major revision of the HTTP protocol that serves as one of the main building blocks of the Worldwide Web.

The methods, status codes and overall protocol of HTTP will remain within HTTP/2.

The change, the shift from HTTP to HTTP/2, will center on performance, notably network and server resource usage.

Basically it will be faster. A main goal is to allow the use of a single connection from browsers to a Web site.

But faster does not mean safer, and in this case HTTP/2 has been found to be vulnerable to four high profile attack vectors.

>See also: Top 10 most devastating cyber hacks of 2015

Imperva Defense Center – IDC – identified these four high profile vulnerabilities.

These findings will be released in a report – Hacker Intelligence Initiative (HII) Report: “Hacking HTTP/2 – New Attacks on the Internet’s Next-generation Foundation” – tomorrow.

The four high profile attack vendors identified are:

Slow Read – The attack calls on a malicious client to read responses very slowly and is strikingly identical to the well-known Slowloris DDoS attack experienced by major credit card processors in 2010.

HPACK Bomb – This compression-layer attack resembles a zip bomb attack where the attacker crafts small and seemingly innocent messages, which turn into gigs of data on the server-side, consuming all its memory resources and making it unavailable.

Dependency Cycle Attack – The attack takes advantage of the flow control mechanisms that HTTP/2 introduced for network optimization. The malicious client crafts requests that induce a dependency cycle, which forces the server into an infinite loop when trying to process these dependencies.

Stream Multiplexing Abuse – The attacker uses flaws in the way servers implement the stream multiplexing functionality to crash the server which ultimately results in a denial of service to legitimate users.

>See also: 36% of businesses have no response plan for cyber attacks

There is no doubt cyber attacks are on the rise, with a very real threat to who businesses, who must adapt.

With this new internet framework – HTTP/2 – new, unpredictable types of cyber attack will reveal themselves.

Related Topics

Data Breach
Malware

Related Stories

Cybersecurity

How AI will shift the security landscape in 2024

The impact of AI within cybersecurity is expected to grow significantly this year, says Alex Holland, senior malware analyst at HP

AI & Machine Learning

NCSC releases guidelines for secure AI development

New guidance from the National Cyber Security Centre (NCSC) aims to help businesses securely innovate with AI and minimise risks

Cybersecurity

3 cybersecurity compliance challenges and how to address them

Earning those trust seals can strengthen relationships with board members and prospective customers, but it sure isn’t easy.

Cybersecurity

70% of UK firms reported cyber insurance changes in past year

According to research from Databarracks, seven in 10 UK businesses have seen changes to their cyber insurance in the past 12 months, as requirements rise