HTTP/2 is a new version and a major revision of the HTTP protocol that serves as one of the main building blocks of the World Wide Web.
The methods, status codes and overall protocol of HTTP will remain within HTTP/2.
The change, the shift from HTTP to HTTP/2, will center on performance, notably network and server resource usage.
Basically it will be faster. A main goal is to allow the use of a single connection from browsers to a Web site.
But faster does not mean safer, and in this case HTTP/2 has been found to be vulnerable to four high profile attack vectors.
Imperva Defense Center – IDC – identified these four high profile vulnerabilities.
These findings will be released in a report – Hacker Intelligence Initiative (HII) Report: “Hacking HTTP/2 – New Attacks on the Internet’s Next-generation Foundation” – tomorrow.
The four high profile attack vectors identified are:
Slow Read – The attack relies on a malicious client reading responses very slowly and is strikingly similar to the well-known Slowloris DDoS attack experienced by major credit card processors in 2010.
HPACK Bomb – This compression-layer attack resembles a zip bomb attack where the attacker crafts small and seemingly innocent messages, which turn into gigabytes of data on the server side, consuming all its memory resources and making it unavailable.
Dependency Cycle Attack – The attack takes advantage of the flow control mechanisms that HTTP/2 introduced for network optimization. The malicious client crafts requests that induce a dependency cycle, which forces the server into an infinite loop when trying to process these dependencies.
Stream Multiplexing Abuse – The attacker uses flaws in the way servers implement the stream multiplexing functionality to crash the server which ultimately results in a denial of service to legitimate users.
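Of the four, the Dependency Cycle Attack is the one that maps directly onto a server-side data structure, so it is the easiest to illustrate from the defender's side. The following is an added example, not code from the Imperva report or from any HTTP/2 implementation: a small stream priority tree that applies the reprioritization rule of RFC 7540 section 5.3.3 (when a stream is made dependent on one of its own descendants, that descendant is first moved under the stream's previous parent, keeping its weight), together with a bounded cycle check and, beside it, the unchecked parent-pointer rewrite so the difference can be exercised. The `PriorityTree` class, the stream ids and the weights are constructed for this example.

```python
# Added example (not from the Imperva report or the article): an HTTP/2 stream
# priority tree that applies the RFC 7540 section 5.3.3 reprioritization rule,
# so a PRIORITY frame that makes a stream depend on its own descendant cannot
# close a loop, plus a bounded cycle check for auditing an existing tree.

ROOT = 0            # stream 0 is the implicit root of the dependency tree (RFC 7540 5.3.1)
DEFAULT_WEIGHT = 16


class PriorityTree:
    def __init__(self):
        self.parent = {ROOT: None}           # stream id -> parent stream id
        self.weight = {ROOT: DEFAULT_WEIGHT}
        self.children = {ROOT: []}           # stream id -> ordered list of child ids

    def add_stream(self, sid, parent=ROOT, weight=DEFAULT_WEIGHT, exclusive=False):
        if sid in self.parent:
            raise ValueError("stream %d already exists" % sid)
        if parent not in self.parent:
            parent = ROOT  # unknown dependency: fall back to the default priority
        self.parent[sid] = None
        self.weight[sid] = weight
        self.children[sid] = []
        self._attach(sid, parent, exclusive)

    def _attach(self, sid, parent, exclusive):
        if exclusive:
            # exclusive flag: the parent's existing children become children of sid
            for child in self.children[parent]:
                self.parent[child] = sid
                self.children[sid].append(child)
            self.children[parent] = []
        self.parent[sid] = parent
        self.children[parent].append(sid)

    def _detach(self, sid):
        old = self.parent[sid]
        if old is not None:
            self.children[old].remove(sid)
        self.parent[sid] = None

    def is_descendant(self, sid, ancestor):
        # Walk towards the root. The walk is bounded by the number of streams,
        # so it terminates even if the tree were somehow corrupted.
        node = sid
        for _ in range(len(self.parent)):
            if node is None:
                return False
            if node == ancestor:
                return True
            node = self.parent[node]
        return False

    def reprioritize(self, sid, new_parent, weight=DEFAULT_WEIGHT, exclusive=False):
        if sid == new_parent:
            # RFC 7540 5.3.1: a stream cannot depend on itself (PROTOCOL_ERROR)
            raise ValueError("stream %d cannot depend on itself" % sid)
        if new_parent not in self.parent:
            new_parent = ROOT
        if self.is_descendant(new_parent, sid):
            # RFC 7540 5.3.3: the descendant is first moved under sid's current
            # parent, keeping its own weight; only then is sid moved below it.
            self._detach(new_parent)
            self._attach(new_parent, self.parent[sid], exclusive=False)
        self._detach(sid)
        self.weight[sid] = weight
        self._attach(sid, new_parent, exclusive)

    def naive_reprioritize(self, sid, new_parent):
        # The unsafe form: rewrite the parent pointer without the 5.3.3 check.
        self._detach(sid)
        self._attach(sid, new_parent, exclusive=False)

    def has_cycle(self):
        # Every stream must reach ROOT (parent None) within len(parent) steps;
        # a walk that never gets there is a loop a naive scheduler would spin on.
        for sid in self.parent:
            node = sid
            for _ in range(len(self.parent) + 1):
                if node is None:
                    break
                node = self.parent[node]
            else:
                return True
        return False


def build_chain():
    # Constructed sample: ROOT <- 1 <- 3 <- 5, as three HEADERS frames would set up.
    tree = PriorityTree()
    tree.add_stream(1, parent=ROOT)
    tree.add_stream(3, parent=1)
    tree.add_stream(5, parent=3)
    return tree


def safe_demo():
    # A PRIORITY frame asks that stream 1 depend on stream 5, its own descendant.
    tree = build_chain()
    tree.reprioritize(1, new_parent=5)
    return tree  # parents: 5 -> ROOT, 1 -> 5, 3 -> 1; no loop


def naive_demo():
    tree = build_chain()
    tree.naive_reprioritize(1, new_parent=5)
    return tree  # parents now form 1 -> 5 -> 3 -> 1; has_cycle() reports it


if __name__ == "__main__":
    print("safe tree has cycle:", safe_demo().has_cycle())
    print("naive tree has cycle:", naive_demo().has_cycle())
```

The point of the two demos is that the same PRIORITY frame is handled either way: with the 5.3.3 rule applied the tree stays a tree, while the unchecked rewrite produces a loop that only a bounded walk such as `has_cycle` can report rather than follow forever.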
There is no doubt cyber attacks are on the rise, posing a very real threat to businesses, which must adapt.
With this new internet framework – HTTP/2 – new, unpredictable types of cyber attack will reveal themselves.