HTTP/2 in Examples
mihail-stoynov
Category: Software
Transcript of HTTP/2 in Examples
HTTP/2 in Examples
Agenda
• Who am I?
• What is the problem?
• HTTP/2
• Enabled websites
• Analyzing HTTP/2
• How do we know a site is using HTTP/2
• Chrome internals
• Tools to analyze HTTP/2
• How can we start using HTTP/2?

Who am I? @mihailstoynov
• Day job: sty.bz
  • Java
  • Security audits, web pen testing, sec tools
  • Training, travelling
• Hobby: jug.bg
  • Java evangelism -> organizing events
  • Java patches, writing manuals, early adoption

Greatest accomplishment so far
What is the problem?
• The CNN homepage has 157 resources
• HTTP/1.0 – allows only one connection per request
  • This means 157 connections have to be created
• HTTP/1.1 has keep-alive
  • Allows reuse of connections, but it is serial
  • If one request is slow, the others wait
• Headers are repeated all the time
HTTP/2 history; streams and frames
• HTTP/2 began as SPDY
  • Developed by Google and silently used
  • Gmail, google.com, …
• Became a standard on February 17, 2015 (HTTP/1.1 was born in 1997)
• HTTP/2 defines streams (bidirectional sequences of data)
  • One TCP connection can have multiple streams
• Streams are not raw, they are typed
  • The structure inside a stream is called a frame
• Frame types: HEADERS, DATA, SETTINGS, PUSH_PROMISE
  • A request/response in http2 is HEADERS/DATA
HTTP/2 enabled websites
• twitter.com
• facebook.com
  • technically not http/2
  • spdy/3.1
• webtide.com
• And of course:
  • jprime.io
  • The only one supporting http/2 without encryption (h2c), yey
Analyzing HTTP2

How do we know a site is on HTTP/2?
• Browsers don't tell
• Developer tools are somewhat helpful
• Headers can be a hint
• chrome://net-internals/#http2

How do we know a site is on HTTP/2?
• Browser plugins
• Yeah, you can install it right now and follow the demos
Tools to help analyze http2 traffic
• Burp Suite – NO
• ZAP – NO
• cURL – NO (you have to build it yourself, I tried and gave up)
• Wireshark
  • Wireshark can't MITM SSL, it can only read SSL with a private key
  • Browsers support only strong crypto with http2
    • Perfect Forward Secrecy
    • https://en.wikipedia.org/wiki/Forward_secrecy
    • Diffie-Hellman key exchange (DHE-RSA, DHE-DSS)
  • Wireshark is useless in this scenario
How can I start using HTTP/2?
• https://github.com/http2/http2-spec/wiki/Implementations
• Java apps
  • Tomcat – NO
  • Undertow – limited
  • Jetty – extensive support
• Nginx just released 1.9.5, which supports http2
• Apache after 2.4.17
Main demo site
https://jprime.io
• Supports HTTP/2
• You can test it
• Real SSL certificate
• Supports protocol ids: h2
• Negotiation: ALPN, NPN, direct
• No upgrade supported
h2 vs h2c (protocol identifiers)
• h2 denotes HTTP/2 over TLS with ALPN for negotiation
• h2c denotes cleartext HTTP/2 with direct negotiation
• h2-14, h2c-14 – stands for draft 14
• h2-15, h2c-15 – stands for draft 15
• h2-16, h2c-16 – stands for draft 16
• h2-17, h2c-17 – stands for draft 17
• h2, h2c – the official spec impl
• SPDY/3.1: Google's first version of the HTTP/2 spec, formed the basis of HTTP/2
ALPN
• Application-Layer Protocol Negotiation is a TLS extension for protocol resolution
• This is how servers/clients discover http2 (only for ssl)
• Example from Chrome (doesn't support h2c):
https://jprime.io:8443 (bad cipher)
• Supports HTTP/2
• You can test it
• Real SSL certificate
• Supports protocol ids: h2
• Negotiation: ALPN, NPN, direct
• No upgrade
• Bad ciphers in this example
• ssl_ciphers AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;

TLS 1.2 Cipher Suites
• A deployment of HTTP/2 over TLS 1.2 SHOULD NOT use any of the cipher suites that are listed in the cipher suite black list
• https://http2.github.io/http2-spec/#BadCipherSuites
http://jprime.io:81 (h2c)
• Try it – it fails
• The browsers refuse http/2 without ssl (h2c)
• Firefox shows a garbage result
• Chrome downloads a binary file
The h2c client
• Jetty supports h2c and can act as a client
• We can write a small client app
• And sniff the data with Wireshark

http2 with wireshark
Direct or Upgrade
• When there is no TLS, HTTP/2 is discovered by:
• Upgrade header from the client
• Server switches to http2 in the same connection (note the h2c)

Direct or Upgrade
• Direct (we "know" there is http2)
• Then we directly do the

HTTP/2 Connection Preface
• Final confirmation of the protocol in use, and a way to establish the initial settings for the HTTP/2 connection
• The purpose of the connection preface is to stop http/1.1 servers from sending data in case of error
A typical request/response
• Client: MAGIC (connection preface), SETTINGS
• Client: HEADERS (http1: req.headers)
• Server: SETTINGS, WINDOW_UPDATE
• Client: SETTINGS
• Server: HEADERS (http1: res.headers)
• Server: DATA (http1: res.body)
• Server: DATA
• Server: DATA
• Server: DATA
• Client: GOAWAY
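As an added example (not from the talk and not Jetty's code), a small Python dissector for the bytes a client sends on a direct h2c connection: it checks the connection preface ("MAGIC"), splits the 9-byte frame headers, decodes the SETTINGS pairs and flags the framing errors a sniffer would want to catch. The sample bytes are constructed for the example; the HPACK payload is only the two static-table indexes shown.

```python
import struct

# Client connection preface (RFC 7540, section 3.5): the "MAGIC" on the slide.
CONNECTION_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"
# Frame type codes (RFC 7540, section 6) and SETTINGS identifiers (section 6.5.2).
FRAME_TYPES = {0x0: "DATA", 0x1: "HEADERS", 0x4: "SETTINGS", 0x5: "PUSH_PROMISE",
               0x7: "GOAWAY", 0x8: "WINDOW_UPDATE"}
SETTINGS_IDS = {0x1: "HEADER_TABLE_SIZE", 0x2: "ENABLE_PUSH", 0x3: "MAX_CONCURRENT_STREAMS",
                0x4: "INITIAL_WINDOW_SIZE", 0x5: "MAX_FRAME_SIZE", 0x6: "MAX_HEADER_LIST_SIZE"}

def build_frame(ftype, flags, stream_id, payload):
    """Encode one frame: 24-bit length, 8-bit type, 8-bit flags, reserved bit + 31-bit stream id."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + struct.pack("!I", stream_id & 0x7FFFFFFF) + payload)

def parse_settings(payload):
    """A SETTINGS payload is a sequence of 6-byte (16-bit id, 32-bit value) pairs."""
    if len(payload) % 6:
        raise ValueError("SETTINGS payload length must be a multiple of 6")
    return {SETTINGS_IDS.get(i, i): v for i, v in struct.iter_unpack("!HI", payload)}

def parse_client_stream(buf):
    """Walk what a client sends on a direct h2c connection; return (type, flags, stream_id, info)."""
    if not buf.startswith(CONNECTION_PREFACE):
        raise ValueError("no HTTP/2 connection preface: not direct h2c")
    off, frames = len(CONNECTION_PREFACE), []
    while off < len(buf):
        length = int.from_bytes(buf[off:off + 3], "big")
        if len(buf) < off + 9 + length:
            raise ValueError("truncated frame at offset %d" % off)
        ftype, flags = buf[off + 3], buf[off + 4]
        stream_id = struct.unpack("!I", buf[off + 5:off + 9])[0] & 0x7FFFFFFF
        payload = buf[off + 9:off + 9 + length]
        name = FRAME_TYPES.get(ftype, "UNKNOWN(0x%02x)" % ftype)
        if not frames and name != "SETTINGS":
            raise ValueError("first frame after the preface must be SETTINGS")
        if name == "SETTINGS" and stream_id != 0:
            raise ValueError("SETTINGS must be sent on stream 0")
        if name in ("HEADERS", "DATA") and stream_id % 2 == 0:
            raise ValueError("client-initiated streams must have odd, non-zero ids")
        info = parse_settings(payload) if name == "SETTINGS" else payload
        frames.append((name, flags, stream_id, info))
        off += 9 + length
    return frames

# Constructed sample of the client's opening frames from the slide (preface, SETTINGS, HEADERS);
# 0x82 / 0x84 are HPACK static-table indexes for ":method GET" and ":path /" (RFC 7541).
SAMPLE = (CONNECTION_PREFACE
          + build_frame(0x4, 0x0, 0, struct.pack("!HI", 0x3, 100) + struct.pack("!HI", 0x4, 65535))
          + build_frame(0x1, 0x5, 1, b"\x82\x84"))  # flags 0x5 = END_STREAM | END_HEADERS
```

Feed it the client side of a Wireshark "Follow TCP Stream" capture of the h2c demo to see the same SETTINGS/HEADERS sequence the slide lists; an HTTP/1.1 request on the same port is rejected at the preface check.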
Decrypting DATA

Jetty
• java -jar $JETTY_HOME/start.jar --add-to-startd=http,https,deploy
• java -jar $JETTY_HOME/start.jar --add-to-startd=http2,http2c
• java -jar $JETTY_HOME/start.jar