HTTP/2 is the second major version of the HTTP protocol. It changes the way HTTP is transferred “on the wire” by introducing a full binary protocol that is made up of TCP connections, streams, and frames, rather than a plain-text protocol. Such a fundamental change from HTTP/1.x to HTTP/2 means that client-side and server-side implementations have to incorporate completely new code in order to support new HTTP/2 features. This introduces nuances in protocol implementations, which, in turn, might be used to passively fingerprint web clients.
Our research is based on more than 10 million HTTP/2 connections from which we extracted fingerprints for over 40,000 unique user agents across hundreds of implementations.
In the presentation, we intend to provide the following:
* HTTP/2 Overview
- Introduction to the basic elements of the protocol
- A review of the different components chosen for the fingerprint format (alongside a discussion of those left out)
- Potential use cases of the proposed fingerprint
- Usage Statistics - prevalence of HTTP/2 usage on Akamai’s platform
* Examples of common HTTP/2 Implementations & Client fingerprints collected during the research
* HTTP/2 support (or the lack of) among common web security tools (Burp suite, sqlmap, etc.)
* Review of attacks over HTTP/2 observed on Akamai’s platform
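To make the abstract's idea concrete, here is an added example (not code from the talk or from Akamai) of a passive sensor that reads the first frames a client sends after the HTTP/2 connection preface and records its SETTINGS parameters, in the order sent, plus the connection-level WINDOW_UPDATE increment. The frame layout follows RFC 7540; the `id:value;...|increment` string layout, the function names and both sample byte streams are assumptions of this example, since the page does not spell out the fingerprint format.

```python
import struct

PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"   # client connection preface, RFC 7540 s3.5
SETTINGS, WINDOW_UPDATE, ACK = 0x4, 0x8, 0x1    # frame types and the SETTINGS ACK flag

def frame(ftype, flags, stream_id, payload):
    """Serialize one frame: 24-bit length, type, flags, R bit + 31-bit stream id."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + struct.pack(">I", stream_id) + payload)

def iter_frames(buf):
    """Yield (type, flags, stream_id, payload) for every complete frame in buf."""
    pos = 0
    while pos + 9 <= len(buf):
        end = pos + 9 + int.from_bytes(buf[pos:pos + 3], "big")
        if end > len(buf):
            return                                # truncated capture: stop cleanly
        stream_id = int.from_bytes(buf[pos + 5:pos + 9], "big") & 0x7FFFFFFF
        yield buf[pos + 3], buf[pos + 4], stream_id, buf[pos + 9:end]
        pos = end

def fingerprint(client_bytes):
    """Return 'id:value;...|increment' for a client byte stream, None if not HTTP/2."""
    if not client_bytes.startswith(PREFACE):
        return None
    settings, window = None, "00"                 # "00" = no connection WINDOW_UPDATE seen
    for ftype, flags, sid, payload in iter_frames(client_bytes[len(PREFACE):]):
        if ftype == SETTINGS and sid == 0 and not (flags & ACK) and settings is None:
            if len(payload) % 6:
                return None                       # malformed SETTINGS payload
            # Keep the parameters in the order the client sent them: order is signal.
            settings = ["%d:%d" % struct.unpack_from(">HI", payload, off)
                        for off in range(0, len(payload), 6)]
        elif ftype == WINDOW_UPDATE and sid == 0 and len(payload) == 4 and window == "00":
            window = str(struct.unpack(">I", payload)[0] & 0x7FFFFFFF)
    return None if settings is None else ";".join(settings) + "|" + window

# Constructed sample streams (not captured from any real client).
CLIENT_A = (PREFACE
            + frame(SETTINGS, 0, 0, struct.pack(">HIHIHI", 1, 65536, 3, 1000, 4, 6291456))
            + frame(WINDOW_UPDATE, 0, 0, struct.pack(">I", 15663105)))
CLIENT_B = (PREFACE
            + frame(SETTINGS, 0, 0, struct.pack(">HIHI", 4, 131072, 5, 16384))
            + frame(WINDOW_UPDATE, 0, 0, struct.pack(">I", 12517377)))

if __name__ == "__main__":
    for name, stream in (("A", CLIENT_A), ("B", CLIENT_B)):
        print(name, fingerprint(stream))
```

Comparing the resulting string against the User-Agent header a request claims is one way a defender can flag clients whose protocol behaviour does not match their stated identity.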
The Intelligent Platform
▸220,000+ Edge Servers
▸3,315+ Locations
▸1200+ Cities
▸129 Countries
▸1,227+ Networks
▸60 Tbps at last peak
The Data
▸3 trillion hits per day
▸1 Billion unique IPs seen quarterly
▸13+ trillion log lines per day
▸260+ TB of compressed daily logs
15 - 30% of all web traffic
http://wwwnui.akamai.com/gnet/globe/
http://tech.akamai.com/attack-globe/
HTTP/2 OVERVIEW
▸Based on the SPDY protocol (developed by )
▸Published during 2015:
▸RFC 7540: Hypertext Transfer Protocol Version 2 (HTTP/2)
▸RFC 7541: HPACK: Header Compression for HTTP/2
▸Addresses (performance) challenges in HTTP/1.1
Akamai is a leading CDN with approx. two hundred thousand edge servers worldwide. We observe a substantial amount of all web traffic, including HTTP/2 traffic.