What is HTTP/2? How is it supported in Java? How easy is it to implement? Why is it so much faster? This session is the answer and a practical demonstration of how easy it is to migrate to the next generation of HTTP.
We'll see several live HTTP/2 sessions as examples and analyze them.
2. Agenda
• Who am I?
• What is the problem?
• HTTP/2
• Enabled websites
• Analyzing HTTP/2
• How do we know a site is using HTTP/2
• Chrome internals
• Tools to analyze HTTP/2
• How can we start using HTTP/2?
3. Who am I? @mihailstoynov
• Day job: sty.bz
• Java
• Security audits, web pen testing, sec tools
• Training, travelling
• Hobby: jug.bg
• Java evangelism -> organizing events
• Java patches, writing manuals, early adoption
5. What is the problem?
• The CNN homepage has 157 resources:
• HTTP/1.0 – allows only one request per connection
• This means 157 connections have to be created
• HTTP/1.1 has keep-alive
• Allows a connection to be reused, but requests on it are served serially
• If one request is slow, the ones queued behind it wait
• Headers are repeated all the time
6. HTTP/2 history; streams and frames
• HTTP/2 began as SPDY
• Developed by Google and silently used
• Gmail, google.com, …
• Became a standard on February 17, 2015 (HTTP/1.1 was born 1997)
• HTTP/2 defines streams (a bidirectional sequence of data within a connection)
• One TCP connection can carry multiple streams concurrently
• Streams do not carry raw bytes; what they carry is typed
• The unit of data inside a stream is called a frame
• Frame types: HEADERS, DATA, SETTINGS, PUSH_PROMISE
• A request or response in HTTP/2 is a HEADERS frame followed by DATA frames
7. HTTP/2 enabled websites
• twitter.com
• facebook.com
• technically not HTTP/2
• SPDY/3.1
• webtide.com
• And of course:
• jprime.io
• The only one supporting http/2 without encryption (h2c), yey
11. How do we know a site is on HTTP/2?
• Browser plugins
• Yeah, you can install it right now and follow the demos
12. Tools to help analyze http2 traffic
• Burp Suite – NO
• ZAP – NO
• cURL – NO (you have to build it yourself, I tried and gave up)
• Wireshark
• Wireshark can't MITM SSL; it can only decrypt SSL when given the server's private key
• Browsers support only strong crypto with HTTP/2
• Perfect Forward Secrecy
• https://en.wikipedia.org/wiki/Forward_secrecy
• Diffie-Hellman key exchange (DHE-RSA, DHE-DSS), so the session key is never sent under the server's private key
• Wireshark is useless in this scenario
13. How can I start using HTTP/2?
• https://github.com/http2/http2-spec/wiki/Implementations
• Java apps
• Tomcat – NO
• Undertow – limited
• Jetty – extensive support
• Nginx 1.9.5 (just released) supports HTTP/2
• Apache httpd 2.4.17 and later
15. https://jprime.io
• Supports HTTP/2
• You can test it
• Real SSL certificate
• Supports protocol ids: h2
• Negotiation: ALPN, NPN, direct
• No upgrade supported
16. h2 vs h2c (protocol identifiers)
• h2 denotes HTTP/2 over TLS with ALPN for negotiation
• h2c denotes cleartext HTTP/2 with direct negotiation
• h2-14, h2c-14 – stands for draft 14
• h2-15, h2c-15 – stands for draft 15
• h2-16, h2c-16 – stands for draft 16
• h2-17, h2c-17 – stands for draft 17
• h2, h2c – the official spec implementation
• SPDY/3.1: Google's first version of the HTTP/2 spec, formed the basis of HTTP/2
17. ALPN
• Application-Layer Protocol Negotiation is a TLS extension for protocol resolution
• This is how clients and servers agree on HTTP/2 (TLS only)
• Example from Chrome (doesn't support h2c):
18. https://jprime.io:8443 (bad cipher)
• Supports HTTP/2
• You can test it
• Real SSL certificate
• Supports protocol ids: h2
• Negotiation: ALPN, NPN, direct
• No upgrade
• Bad ciphers in this example (static RSA key exchange, no AEAD, RC4)
• ssl_ciphers AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;
19. TLS 1.2 Cipher Suites
• A deployment of HTTP/2 over TLS 1.2 SHOULD NOT use any of the cipher suites that are listed in the cipher suite black list
• https://http2.github.io/http2-spec/#BadCipherSuites
20. http://jprime.io:81 (h2c)
• Try it – it fails
• Browsers refuse HTTP/2 without SSL (h2c)
• Firefox shows garbage result
• Chrome downloads a binary file
21. The h2c client
• Jetty supports h2c and can act as a client
• We can write a small client app
• And sniff the data with Wireshark
23. Direct or Upgrade
• Without TLS, HTTP/2 is discovered in one of two ways:
• Upgrade header from the client (note the h2c token)
• Server switches to HTTP/2 on the same connection
24. Direct or Upgrade
• Direct (we "know" there is HTTP/2)
• Then we directly send the HTTP/2 Connection Preface
• Final confirmation of the protocol in use, and a way to establish the initial settings for the HTTP/2 connection
• The purpose of the connection preface is to make an HTTP/1.1 server that receives it by mistake fail the request instead of trying to process it
25. A typical request/response
• Client: MAGIC (connection preface), SETTINGS
• Client: HEADERS (what HTTP/1 carried as req.headers)
• Server: SETTINGS, WINDOW_UPDATE
• Client: SETTINGS (acknowledging the server's)
• Server: HEADERS (what HTTP/1 carried as res.headers)
• Server: DATA (what HTTP/1 carried as res.body)
• Server: DATA
• Server: DATA
• Server: DATA
• Client: GOAWAY
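As an added example (not code from the talk or from Jetty), here is a small Python parser for the h2c byte stream of slides 24 and 25: it strips the connection preface, splits the 9-byte frame headers, decodes SETTINGS pairs and rejects the malformed cases a peer must treat as fatal. Frame layout follows RFC 7540; the client-side sample bytes and the names build_frame and parse_frames are constructed for this example.

```python
import struct

# Connection preface every HTTP/2 client sends first (RFC 7540, 3.5). An HTTP/1.1
# server reads "PRI * HTTP/2.0" as a bogus request and fails instead of processing it.
PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"
DEFAULT_MAX_FRAME_SIZE = 16384  # SETTINGS_MAX_FRAME_SIZE default
FRAME_TYPES = {0: "DATA", 1: "HEADERS", 2: "PRIORITY", 3: "RST_STREAM", 4: "SETTINGS",
               5: "PUSH_PROMISE", 6: "PING", 7: "GOAWAY", 8: "WINDOW_UPDATE", 9: "CONTINUATION"}
SETTINGS_IDS = {1: "HEADER_TABLE_SIZE", 2: "ENABLE_PUSH", 3: "MAX_CONCURRENT_STREAMS",
                4: "INITIAL_WINDOW_SIZE", 5: "MAX_FRAME_SIZE", 6: "MAX_HEADER_LIST_SIZE"}

def build_frame(ftype, flags, stream_id, payload=b""):
    """9-byte frame header (24-bit length, type, flags, 31-bit stream id) + payload."""
    header = len(payload).to_bytes(3, "big") + bytes([ftype, flags])
    return header + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload

def parse_frames(raw, max_frame_size=DEFAULT_MAX_FRAME_SIZE):
    """Split a raw h2c byte stream into frames, rejecting what a peer must treat as fatal."""
    frames = []
    if raw.startswith(PREFACE):           # client side starts with MAGIC
        raw = raw[len(PREFACE):]
    while raw:
        if len(raw) < 9:
            raise ValueError("truncated frame header")
        length = int.from_bytes(raw[:3], "big")
        ftype, flags = raw[3], raw[4]
        stream_id = struct.unpack(">I", raw[5:9])[0] & 0x7FFFFFFF  # reserved bit dropped
        if length > max_frame_size:
            raise ValueError("FRAME_SIZE_ERROR: %d > %d" % (length, max_frame_size))
        payload = raw[9:9 + length]
        if len(payload) < length:
            raise ValueError("truncated frame payload")
        frame = {"type": FRAME_TYPES.get(ftype, "UNKNOWN"), "flags": flags,
                 "stream": stream_id, "payload": payload}
        if ftype == 4:                    # SETTINGS: stream 0 only, 6-byte (id, value) pairs
            if stream_id != 0 or length % 6:
                raise ValueError("PROTOCOL_ERROR: malformed SETTINGS frame")
            frame["settings"] = {SETTINGS_IDS.get(i, i): v
                                 for i, v in struct.iter_unpack(">HI", payload)}
        frames.append(frame)
        raw = raw[9 + length:]
    return frames

# Constructed sample of a minimal h2c client's GET /: MAGIC, SETTINGS, then HEADERS on
# stream 1 whose HPACK payload is three static-table indices (0x82 ":method: GET",
# 0x86 ":scheme: http", 0x84 ":path: /") with END_HEADERS|END_STREAM (0x5) set.
CLIENT_BYTES = (PREFACE
                + build_frame(4, 0, 0, struct.pack(">HI", 3, 100) + struct.pack(">HI", 4, 65535))
                + build_frame(1, 0x5, 1, bytes([0x82, 0x86, 0x84])))
```

Feeding the bytes captured from a Jetty h2c client session into parse_frames gives the same MAGIC, SETTINGS, HEADERS sequence the slide lists; a SETTINGS frame on a non-zero stream is rejected as the protocol requires.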