W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2021

Attack research on HTTP/2 implementations

From: Martin Thomson <mt@lowentropy.net>
Date: Fri, 06 Aug 2021 10:43:00 +1000
Message-Id: <505547fe-236c-479a-a3ae-b9c91c6b539c@www.fastmail.com>
To: ietf-http-wg@w3.org
https://portswigger.net/research/http2

The introduction claims to have found imperfections in the RFC, so I read this fairly carefully.  There's solid work here in terms of attacking implementations, but no concrete specification problems.

In terms of actual changes to specifications, the work we did in the HTTP/2 revision on field validation should already cover all of these attacks.  Not that RFC 7540 didn't, but we're a lot, lot clearer about it now.

There's a lesson in here for our industry regarding how implementations deal with untrustworthy inputs.  The thing we might each reflect on is why we haven't already internalized that lesson.  It's not like this is a new class of attack or anything.
Received on Friday, 6 August 2021 00:46:11 UTC

This archive was generated by hypermail 2.4.0 : Friday, 6 August 2021 00:46:13 UTC