HTTP/1.1 must die: the desync endgame


Abstract: Upstream HTTP/1.1 is inherently insecure and regularly exposes millions of websites to hostile takeover. Six years of attempted mitigations have hidden the issue, but failed to fix it. This p

This means that an attacker who finds the tiniest parser discrepancy in the server chain can cause a desync, apply a malicious prefix to other users' requests, and usually achieve complete site takeover: CL (Content-Length), TE (Transfer-Encoding), 0 (Implicit-zero), H2 (HTTP/2's built-in length).

HTTP/1.1 may look secure at first glance because if you apply the original request smuggling methodology and toolkit, you'll have a hard time causing a desync. Note that HTTP/2 downgrading, where front-end servers speak HTTP/2 with clients but rewrite it as HTTP/1.1 for upstream communication, provides minimal security benefit and actually makes websites more exposed to desync attacks.
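An added example, not code from the article: a strict check a proxy or test harness could run on an HTTP/1.1 request head, labelling which length rule applies (CL, TE or 0, as in the excerpt above) and rejecting any head that two parsers in a chain might read differently. The names `classify_framing` and `AmbiguousFraming` are hypothetical, and the reject-on-doubt policy, which is stricter than many servers, is an assumption.

```python
import re

# Characters RFC 9110 allows in a header field name (a "token").
_TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

class AmbiguousFraming(ValueError):
    """Two parsers in the chain could disagree on where this request ends."""

def classify_framing(head: bytes) -> str:
    """Return 'CL', 'TE' or '0' for an HTTP/1.1 request head, else raise."""
    if not head.endswith(b"\r\n\r\n"):
        raise AmbiguousFraming("head is not terminated by CRLF CRLF")
    cl, te = [], []
    for line in head[:-4].split(b"\r\n")[1:]:      # skip the request line
        if b"\r" in line or b"\n" in line:
            raise AmbiguousFraming("bare CR or LF inside a header line")
        if line[:1] in (b" ", b"\t"):
            raise AmbiguousFraming("obsolete line folding")
        name, sep, value = line.partition(b":")
        if not sep or not _TOKEN.fullmatch(name):  # catches "Name : value"
            raise AmbiguousFraming(f"malformed header name {name!r}")
        value = value.strip(b" \t")
        if name.lower() == b"content-length":
            cl.append(value)
        elif name.lower() == b"transfer-encoding":
            te.append(value)
    if cl and te:
        raise AmbiguousFraming("both Content-Length and Transfer-Encoding")
    if te:
        if len(te) != 1 or te[0].lower() != b"chunked":
            raise AmbiguousFraming(f"unexpected Transfer-Encoding {te!r}")
        return "TE"
    if cl:
        if len(cl) != 1 or not re.fullmatch(rb"[0-9]+", cl[0]):
            raise AmbiguousFraming(f"unusable Content-Length {cl!r}")
        return "CL"
    return "0"  # no length header: implicit zero-length body

# Constructed sample head (not taken from the article).
SAMPLE_BOTH = (b"POST / HTTP/1.1\r\nHost: a.example\r\n"
               b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n")

if __name__ == "__main__":
    try:
        print(classify_framing(SAMPLE_BOTH))
    except AmbiguousFraming as exc:
        print("rejected:", exc)
```
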
