HTTP/2 in Examples


Transcript of HTTP/2 in Examples

Page 1: HTTP/2 in Examples

HTTP/2 in Examples

Page 2: HTTP/2 in Examples

Agenda
• Who am I?
• What is the problem?
• HTTP/2
• Enabled websites
• Analyzing HTTP/2
• How do we know a site is using HTTP/2?
• Chrome internals
• Tools to analyze HTTP/2
• How can we start using HTTP/2?

Page 3: HTTP/2 in Examples

Who am I? @mihailstoynov

• Day job: sty.bz
• Java
• Security audits, web pen testing, sec tools
• Training, travelling

• Hobby: jug.bg
• Java evangelism -> organizing events
• Java patches, writing manuals, early adoption

Page 4: HTTP/2 in Examples

Greatest accomplishment so far

Page 5: HTTP/2 in Examples

What is the problem?
• The CNN homepage has 157 resources

• HTTP/1.0 allows only one request per connection
• This means 157 connections have to be created

• HTTP/1.1 has keep-alive
• Allows reusing a connection, but requests on it are serial (head-of-line blocking)
• If one response is slow, the ones queued behind it wait

• Headers are repeated in full on every request (cookies, user agent, ...)

Page 6: HTTP/2 in Examples

HTTP/2 history; streams and frames
• HTTP/2 began as SPDY
• Developed by Google and quietly deployed
• Gmail, google.com, ...

• Approved as a standard on February 17, 2015 (HTTP/1.1 was born in 1997)

• HTTP/2 defines streams (a bidirectional sequence of frames, identified by a stream id)
• One TCP connection carries multiple streams concurrently, so slow responses no longer block the others

• Streams are not raw byte pipes; the unit of structure inside a stream is the frame, and frames are typed
• Frame types include HEADERS, DATA, SETTINGS, PUSH_PROMISE, WINDOW_UPDATE, GOAWAY
• A request or response in HTTP/2 is a HEADERS frame (the header block, HPACK-compressed) followed by DATA frames (the body)

Page 7: HTTP/2 in Examples

HTTP/2 enabled websites
• twitter.com

• facebook.com
• technically not HTTP/2
• spdy/3.1

• webtide.com

• And of course:
• jprime.io
• The only one supporting HTTP/2 without encryption (h2c), yey

Page 8: HTTP/2 in Examples

Analyzing HTTP2

Page 9: HTTP/2 in Examples

How do we know a site is on HTTP/2?
• Browsers don't tell you in the address bar
• Developer tools are somewhat helpful (Chrome shows the protocol in the network panel)

• Headers can be a hint

Page 10: HTTP/2 in Examples

chrome://net-internals/#http2

Page 11: HTTP/2 in Examples

How do we know a site is on HTTP/2?
• Browser plugins
• Yeah, you can install one right now and follow the demos

Page 12: HTTP/2 in Examples

Tools to help analyze HTTP/2 traffic
• Burp Suite – NO
• ZAP – NO
• cURL – NO (you have to build it yourself, I tried and gave up)

• Wireshark
• Wireshark can't MITM TLS; it can only decrypt a capture when it has the server's private key
• Browsers only speak HTTP/2 over strong crypto
• Perfect Forward Secrecy
• https://en.wikipedia.org/wiki/Forward_secrecy
• Ephemeral Diffie-Hellman key exchange (DHE, ECDHE)
• With an ephemeral exchange the server's private key never yields the session key, so Wireshark is useless in this scenario
• Caveat: Wireshark can still decrypt if the browser writes the session secrets to the file named by the SSLKEYLOGFILE environment variable (Firefox and Chrome support it); that is the usual way to look at h2 traffic you generate yourself

Page 13: HTTP/2 in Examples

How can I start using HTTP/2?
• https://github.com/http2/http2-spec/wiki/Implementations
• Java apps
• Tomcat – NO
• Undertow – limited
• Jetty – extensive support

• Nginx just released 1.9.5, which supports HTTP/2
• Apache from 2.4.17 on

Page 14: HTTP/2 in Examples

Main demo site

Page 15: HTTP/2 in Examples

https://jprime.io
• Supports HTTP/2
• You can test it

• Real SSL certificate

• Supports protocol ids: h2

• Negotiation: ALPN, NPN, direct
• No Upgrade supported

Page 16: HTTP/2 in Examples

h2 vs h2c (protocol identifiers)
• h2 denotes HTTP/2 over TLS, negotiated with ALPN
• h2c denotes cleartext HTTP/2, reached either through an HTTP/1.1 Upgrade or directly (prior knowledge that the server speaks HTTP/2)

• h2-14, h2c-14 – stands for draft 14
• h2-15, h2c-15 – stands for draft 15
• h2-16, h2c-16 – stands for draft 16
• h2-17, h2c-17 – stands for draft 17
• h2, h2c – the official spec

• SPDY/3.1: the last widely deployed version of Google's SPDY, which formed the basis of HTTP/2

Page 17: HTTP/2 in Examples

ALPN
• Application-Layer Protocol Negotiation is a TLS extension for protocol resolution
• The client lists the protocols it speaks in the ClientHello, the server picks one in the ServerHello
• This is how servers and clients discover HTTP/2 (only over TLS)
• Example from Chrome (doesn't support h2c):

Page 18: HTTP/2 in Examples

https://jprime.io:8443 (bad ciphers)
• Supports HTTP/2
• You can test it

• Real SSL certificate
• Supports protocol ids: h2
• Negotiation: ALPN, NPN, direct
• No Upgrade

• Bad ciphers in this example (nginx):
• ssl_ciphers AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;

Page 19: HTTP/2 in Examples

TLS 1.2 Cipher Suites
• A deployment of HTTP/2 over TLS 1.2 SHOULD NOT use any of the cipher suites that are listed in the cipher suite black list
• The list contains every suite without an ephemeral key exchange and every suite using a NULL, stream or block (CBC) cipher; in practice only ECDHE/DHE with an AEAD cipher (AES-GCM, AES-CCM, ChaCha20-Poly1305) is allowed
• https://http2.github.io/http2-spec/#BadCipherSuites
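The three slides above (ALPN negotiation, the jprime.io:8443 "bad ciphers" deployment and the RFC 7540 black list) can be checked from a script. The following is an added example written for this page, not the speaker's code: `probe()` opens a TLS connection offering h2 and http/1.1 via ALPN and reports what the server chose, and `http2_acceptable()` applies the rule the black list is built from (ephemeral key exchange plus AEAD cipher) to OpenSSL-style suite names. `SLIDE_CIPHERS` is the ssl_ciphers value from the slide; `HARDENED_CIPHERS` is an assumed replacement, not something the page prescribes.

```python
"""Added example (not from the slides): ALPN probe plus an HTTP/2 cipher suite check."""
import re
import socket
import ssl

# The slide's nginx ssl_ciphers value (all five suites are on the RFC 7540 black list).
SLIDE_CIPHERS = "AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;"
# Assumed replacement for this example: ephemeral key exchange and AEAD ciphers only.
HARDENED_CIPHERS = ("ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
                    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
                    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384")

# RFC 7540 Appendix A lists every registered TLS 1.2 suite that lacks an ephemeral
# key exchange or uses a NULL/stream/block cipher. Expressed over OpenSSL names:
# the suite must start with ECDHE- or DHE- and use GCM, CCM or ChaCha20-Poly1305.
_EPHEMERAL = re.compile(r"^(ECDHE|DHE)-")
_AEAD = re.compile(r"-(GCM|CCM|CHACHA20-POLY1305)")


def http2_acceptable(openssl_name: str) -> bool:
    """True if the suite passes the RFC 7540 section 9.2.2 requirement."""
    if openssl_name.startswith("TLS_"):
        # TLS 1.3 suite names (OpenSSL 1.1.1+): always ephemeral and AEAD by design.
        return True
    return bool(_EPHEMERAL.match(openssl_name) and _AEAD.search(openssl_name))


def check_cipher_list(ssl_ciphers: str) -> dict:
    """Split an nginx-style ssl_ciphers value and sort suites into ok/blacklisted."""
    suites = [s for s in re.split(r"[:\s]+", ssl_ciphers.strip().rstrip(";")) if s]
    return {"ok": [s for s in suites if http2_acceptable(s)],
            "blacklisted": [s for s in suites if not http2_acceptable(s)]}


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Offer h2 and http/1.1 through ALPN and report the server's choice.

    Network call; it is not exercised offline. selected_alpn_protocol() is None
    when the server did not answer the ALPN extension at all.
    """
    ctx = ssl.create_default_context()
    ctx.set_alpn_protocols(["h2", "http/1.1"])
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, version, _bits = tls.cipher()
            return {"alpn": tls.selected_alpn_protocol(),
                    "tls_version": version,
                    "cipher": name,
                    "http2_cipher_ok": http2_acceptable(name)}


if __name__ == "__main__":
    import sys
    print(check_cipher_list(SLIDE_CIPHERS))
    if len(sys.argv) > 1:
        print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443))
```

Run it as `python probe.py jprime.io 8443` to see the h2 choice alongside a blacklisted cipher; a server that negotiates h2 with `http2_cipher_ok` false is exactly the misconfiguration the 8443 slide demonstrates, and a strict client such as Chrome refuses it with an inadequate-security error.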

Page 20: HTTP/2 in Examples

http://jprime.io:81 (h2c)
• Try it – it fails
• The browsers refuse HTTP/2 without TLS (h2c)

• Firefox shows a garbage result
• Chrome downloads a binary file

Page 21: HTTP/2 in Examples

The h2c client
• Jetty supports h2c and can act as a client
• We can write a small client app
• And sniff the data with Wireshark

Page 22: HTTP/2 in Examples

http2 with wireshark

Page 23: HTTP/2 in Examples

Direct or Upgrade
• When there is no TLS, HTTP/2 is discovered in one of two ways:
• Upgrade header from the client (Upgrade: h2c, plus an HTTP2-Settings header)
• The server answers 101 Switching Protocols and switches to HTTP/2 on the same connection (note the h2c)

Page 24: HTTP/2 in Examples

Direct or Upgrade
• Direct (we "know" there is HTTP/2)
• Then we directly send the HTTP/2 connection preface
• The preface is the final confirmation of the protocol in use and establishes the initial settings for the HTTP/2 connection
• The client preface starts with the string "PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n", followed by a SETTINGS frame
• The purpose of the preface is that an HTTP/1.1 server which receives it by mistake fails immediately instead of treating the frames that follow as further requests

Page 25: HTTP/2 in Examples

A typical request/response (as seen in Wireshark)
• Client: MAGIC (connection preface), SETTINGS
• Client: HEADERS (carries the HTTP/1-style request headers)
• Server: SETTINGS, WINDOW_UPDATE
• Client: SETTINGS (ACK)
• Server: HEADERS (carries the HTTP/1-style response headers)
• Server: DATA (the response body)
• Server: DATA
• Server: DATA
• Server: DATA
• Client: GOAWAY
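The Upgrade path, the direct path with its connection preface, and the SETTINGS/HEADERS/DATA exchange of the last three slides, as an added example; this is written for this page and is not the speaker's Jetty client. The host name, the SETTINGS values and the server reply bytes are constructed for the demo, and HPACK is reduced to static-table indices plus literal strings (no Huffman coding, no dynamic table), which is valid HPACK but not what a browser emits.

```python
"""Added example (not from the slides): h2c Upgrade request, direct connection
preface, minimal HPACK, and a frame parser run over a constructed server reply."""
import base64
import struct

PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"  # RFC 7540 3.5: client connection preface
FRAME_TYPES = {0x0: "DATA", 0x1: "HEADERS", 0x4: "SETTINGS", 0x5: "PUSH_PROMISE",
               0x7: "GOAWAY", 0x8: "WINDOW_UPDATE"}
FLAG_END_STREAM, FLAG_END_HEADERS, FLAG_ACK = 0x1, 0x4, 0x1
SETTINGS_MAX_CONCURRENT_STREAMS, SETTINGS_INITIAL_WINDOW_SIZE = 0x3, 0x4
# HPACK static table entries used here (RFC 7541 Appendix A).
STATIC = {(":method", "GET"): 2, (":path", "/"): 4, (":scheme", "http"): 6,
          (":status", "200"): 8}


def frame(ftype, flags, stream_id, payload=b""):
    """Build one frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id."""
    header = struct.pack("!I", len(payload))[1:] + bytes([ftype, flags])
    return header + struct.pack("!I", stream_id & 0x7FFFFFFF) + payload


def settings_payload(params):
    """SETTINGS payload: a list of 16-bit identifier / 32-bit value pairs."""
    return b"".join(struct.pack("!HI", k, v) for k, v in params.items())


def hpack_encode(headers):
    """Minimal HPACK: static index on an exact match, else literal without
    indexing with plain (non-Huffman) strings shorter than 127 bytes."""
    out = bytearray()
    for name, value in headers:
        idx = STATIC.get((name, value))
        if idx is not None:
            out.append(0x80 | idx)          # indexed header field, 7-bit prefix
            continue
        out.append(0x00)                    # literal, new name, not indexed
        for s in (name, value):
            raw = s.encode("ascii")
            assert len(raw) < 127, "demo encoder keeps single-byte lengths"
            out.append(len(raw))            # H=0, 7-bit length prefix
            out += raw
    return bytes(out)


def h2c_upgrade_request(host, path="/"):
    """HTTP/1.1 request asking to switch to h2c (RFC 7540 3.2). HTTP2-Settings
    carries the client's SETTINGS payload in unpadded base64url."""
    settings = settings_payload({SETTINGS_MAX_CONCURRENT_STREAMS: 100})
    token = base64.urlsafe_b64encode(settings).rstrip(b"=").decode()
    return (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
            "Connection: Upgrade, HTTP2-Settings\r\nUpgrade: h2c\r\n"
            f"HTTP2-Settings: {token}\r\n\r\n").encode()


def direct_request_bytes(host, path="/"):
    """Prior-knowledge (direct) client: preface, SETTINGS, then one HEADERS frame
    on stream 1 carrying the whole request (END_HEADERS|END_STREAM, no body)."""
    block = hpack_encode([(":method", "GET"), (":scheme", "http"),
                          (":authority", host), (":path", path)])
    return (PREFACE + frame(0x4, 0, 0, settings_payload({SETTINGS_MAX_CONCURRENT_STREAMS: 100}))
            + frame(0x1, FLAG_END_HEADERS | FLAG_END_STREAM, 1, block))


def parse_frames(buf):
    """Split bytes into (type_name, flags, stream_id, payload); a truncated
    frame raises, which is the case a sniffer or fuzzer harness must handle."""
    frames, pos = [], 0
    while pos < len(buf):
        if len(buf) - pos < 9:
            raise ValueError("truncated frame header")
        length = int.from_bytes(buf[pos:pos + 3], "big")
        ftype, flags = buf[pos + 3], buf[pos + 4]
        sid = int.from_bytes(buf[pos + 5:pos + 9], "big") & 0x7FFFFFFF
        payload = buf[pos + 9:pos + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame payload")
        frames.append((FRAME_TYPES.get(ftype, f"0x{ftype:x}"), flags, sid, payload))
        pos += 9 + length
    return frames


# Constructed server reply mirroring the slide's capture: SETTINGS, WINDOW_UPDATE,
# SETTINGS ACK, then HEADERS (:status 200) and a DATA frame on stream 1.
SERVER_REPLY = (frame(0x4, 0, 0, settings_payload({SETTINGS_INITIAL_WINDOW_SIZE: 65535}))
                + frame(0x8, 0, 0, struct.pack("!I", 1 << 20))
                + frame(0x4, FLAG_ACK, 0)
                + frame(0x1, FLAG_END_HEADERS, 1, hpack_encode([(":status", "200")]))
                + frame(0x0, FLAG_END_STREAM, 1, b"hello h2c"))


def summarize(buf):
    """One line per frame, the way you would read it in a decoded capture."""
    return [f"{t}(flags=0x{f:x}) stream={s} len={len(p)}" for t, f, s, p in parse_frames(buf)]


if __name__ == "__main__":
    print(h2c_upgrade_request("jprime.io").decode())
    print(summarize(direct_request_bytes("jprime.io")[len(PREFACE):]))
    print(summarize(SERVER_REPLY))
```

To talk to a real h2c endpoint, send `direct_request_bytes()` over a plain socket and feed whatever comes back to `parse_frames()`; remember that a server may legitimately split its reply across several reads, so buffer until the parser stops raising on truncation.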

Page 26: HTTP/2 in Examples

Decrypting DATA

Page 27: HTTP/2 in Examples

Jetty
• java -jar $JETTY_HOME/start.jar --add-to-startd=http,https,deploy
• java -jar $JETTY_HOME/start.jar --add-to-startd=http2,http2c
• java -jar $JETTY_HOME/start.jar

Page 28: HTTP/2 in Examples

Q&A

Article and examples WILL be available at mihail.stoynov.com