HTTP/2 in Examples
Download as PPTX, PDF11 likes21,373 views
The document discusses HTTP/2, highlighting its advantages over HTTP/1.1, such as reduced connection overhead and improved resource loading via streams and frames. It explains how to identify HTTP/2-enabled sites, tools for analyzing HTTP/2 traffic, and setup instructions for using HTTP/2 in various applications and servers. Additionally, it addresses the implementation of HTTP/2 over TLS and the importance of secure cipher suites.
HTTP/2 in Examples
- 2. Agenda • Who am I? • What is the problem? • HTTP/2 • Enabled websites • Analyzing HTTP/2 • How do we know a site is using HTTP/2 • Chrome internals • Tools to analyze HTTP/2 • How can we start using HTTP/2?
- 3. Who am I? @mihailstoynov • Day job: sty.bz • Java • Security audits, web pen testing, sec tools • Training, travelling, • Hobby: jug.bg • Java evangelism -> organizing events • Java patches, writing manuals, early adoption
- 4. Greatest accomplishment so far
- 5. What is the problem? • The CNN homepage has 157 resources: • HTTP/1.0 – allows only one connection per request • This means 157 connections have to be created • HTTP/1.1 has keep-alive • Allows reusing of connections, but it is serial • If one request is slow, others wait • Headers are repeated all the time
- 6. HTTP/2 history; streams and frames • HTTP/2 began as SPDY • Developed by Google and silently used • Gmail, google.com, … • Became a standard on February 17, 2015 (HTTP/1.1 was born 1997) • HTTP/2 defines streams (bidirectional sequence of data) • One TCP connection can have multiple streams • Streams are not raw, they are typed • The structure inside a stream is called a frame • Frame types: HEADERS, DATA, SETTINGS, PUSH_PROMISE • A request/response in http2 is HEADERS/DATA
- 7. HTTP/2 enabled websites • twitter.com • facebook.com • technically not http/2 • spdy/3.1 • webtide.com • And of course: • jprime.io • The only one supporting http/2 without encryption (h2c), yey
- 9. How do we know a site is on HTTP/2? • Browsers don't tell • Developer tools are somewhat helpful • Headers can be a hint
- 11. How do we know a site is on HTTP/2? • Browser plugins • Yeah, you can install it right now and follow the demos
- 12. Tools to help analyze http2 traffic • Burp Suite – NO • ZAP – NO • cURL – NO (you have to build it yourself, I tried and gave up) • Wireshark • Wireshark can't mitm ssl, can only read ssl with a private key • Browsers support only strong crypto with http2 • Perfect Forward Secrecy • https://en.wikipedia.org/wiki/Forward_secrecy • Diffie-Hellman key exchange (DHE-RSA, DHE-DSS) • Wireshark is useless in this scenario
- 13. How can I start using HTTP/2? • https://github.com/http2/http2-spec/wiki/Implementations • Java apps • Tomcat – NO • Undertow - Limited • Jetty - extensive support • Nginx just released 1.9.5 that supports http2 • Apache after 2.4.17
- 14. Main demo site
- 15. https://jprime.io • Supports HTTP/2 • You can test it • Real SSL certificate • Supports protocol ids: h2 • Negotiation: ALPN, NPN, direct • No upgrade supported
- 16. h2 vs h2c (protocol identifiers) • h2 denotes HTTP/2 over TLS with ALPN for negotiation • h2c denotes cleartext HTTP/2 with direct negotiation • h2-14, h2c-14 – stands for draft 14 • h2-15, h2c-15 – stands for draft 15 • h2-16, h2c-16 – stands for draft 16 • h2-17, h2c-17 – stands for draft 17 • h2, h2c – the official spec impl • SPDY/3.1: Google's first version of the HTTP/2 spec, formed the basis of HTTP/2
- 17. ALPN • Application-Layer Protocol Negotiation is a TLS extension for protocol resolution • This is how the servers/clients discover http2 (only for ssl) • Example from Chrome (doesn't support h2c):
- 18. https://jprime.io:8443 (bad cypher) • Supports HTTP/2 • You can test it • Real SSL certificate • Supports protocol ids: h2 • Negotiation: ALPN, NPN, direct • No upgrade • Bad cyphers in this example • ssl_ciphers AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3- SHA:RC4-MD5;
- 19. TLS 1.2 Cypher Suites • A deployment of HTTP/2 over TLS 1.2 SHOULD NOT use any of the cipher suites that are listed in the cipher suite black list • https://http2.github.io/http2-spec/#BadCipherSuites
- 20. http://jprime.io:81 (h2c) • Try it – it fails • The browsers refuse http/2 without ssl (h2c) • Firefox shows garbage result • Chrome downloads a binary file
- 21. The h2c client • Jetty supports h2c and can act as a client • we can write a small client app • And sniff the data with wireshark
- 23. Direct or Upgrade • When no TLS, HTTP/2 is discovered: • Upgrade header from client • Server switches to http2 in the same connection (note the h2c)
- 24. Direct or Upgrade • Direct (we "know" there is http2) • Then we directly do the HTTP/2 Connection Preface • Final confirmation of the protocol in use and to establish the initial settings for the HTTP/2 connection • The purpose of the connection preface is to stop http/1.1 servers from sending data in case of error
- 25. A typical request/response • Client: MAGIC (connection preface), SETTINGS • Client: HEADERS http1: req.headers • Server: SETTINGS, WINDOW_UPDATE • Client: SETTINGS • Server: HEADERS http1: res.headers • Server: DATA http1: res.body • Server: DATA • Server: DATA • Server: DATA • Client: GOAWAY
- 26. Decrypting DATA
- 27. Jetty • Jetty • java -jar $JETTY_HOME/start.jar --add-to-startd=http,https,deploy • java -jar $JETTY_HOME/start.jar --add-to-startd=http2,http2c • java -jar $JETTY_HOME/start.jar
- 28. Q&A Article and examples WILL be available at mihail.stoynov.com