HTTP/2 in Examples
What is HTTP/2? How is it supported in Java? How easy is it to implement? Why is it so much faster? This session is the answer and a practical demonstration of how easy it is to migrate to the next generation of HTTP.
We'll see several live HTTP/2 sessions as examples and analyze them.

Published in: Software


HTTP/2 in Examples

Agenda
• Who am I?
• What is the problem?
• HTTP/2
• Enabled websites
• Analyzing HTTP/2
• How do we know a site is using HTTP/2
• Chrome internals
• Tools to analyze HTTP/2
• How can we start using HTTP/2?

Who am I? @mihailstoynov
• Day job: sty.bz
• Java
• Security audits, web pen testing, sec tools
• Training, travelling
• Hobby: jug.bg
• Java evangelism -> organizing events
• Java patches, writing manuals, early adoption

Greatest accomplishment so far

What is the problem?
• The CNN homepage has 157 resources:
• HTTP/1.0 allows only one request per connection
• This means 157 connections have to be created
• HTTP/1.1 has keep-alive
• Allows reusing connections, but it is serial
• If one request is slow, the others wait
• Headers are repeated all the time

HTTP/2 history; streams and frames
• HTTP/2 began as SPDY
• Developed by Google and silently used
• Gmail, google.com, …
• Became a standard on February 17, 2015 (HTTP/1.1 was born in 1997)
• HTTP/2 defines streams (a bidirectional sequence of data)
• One TCP connection can carry multiple streams
• Streams are not raw, they are typed
• The structure inside a stream is called a frame
• Frame types: HEADERS, DATA, SETTINGS, PUSH_PROMISE
• A request/response in HTTP/2 is HEADERS/DATA

HTTP/2 enabled websites
• twitter.com
• facebook.com
• technically not HTTP/2
• spdy/3.1
• webtide.com
• And of course:
• jprime.io
• The only one supporting HTTP/2 without encryption (h2c), yay

Analyzing HTTP/2

How do we know a site is on HTTP/2?
• Browsers don't tell
• Developer tools are somewhat helpful
• Headers can be a hint

chrome://net-internals/#http2

How do we know a site is on HTTP/2?
• Browser plugins
• Yeah, you can install it right now and follow the demos

Tools to help analyze HTTP/2 traffic
• Burp Suite – NO
• ZAP – NO
• cURL – NO (you have to build it yourself, I tried and gave up)
• Wireshark
• Wireshark can't MITM SSL, it can only read SSL when it has the private key
• Browsers support only strong crypto with HTTP/2
• Perfect Forward Secrecy
• https://en.wikipedia.org/wiki/Forward_secrecy
• Diffie-Hellman key exchange (DHE-RSA, DHE-DSS)
• Wireshark is useless in this scenario

How can I start using HTTP/2?
• https://github.com/http2/http2-spec/wiki/Implementations
• Java apps
• Tomcat – NO
• Undertow – limited
• Jetty – extensive support
• Nginx just released 1.9.5, which supports HTTP/2
• Apache after 2.4.17

Main demo site

https://jprime.io
• Supports HTTP/2
• You can test it
• Real SSL certificate
• Supports protocol ids: h2
• Negotiation: ALPN, NPN, direct
• No upgrade supported

h2 vs h2c (protocol identifiers)
• h2 denotes HTTP/2 over TLS with ALPN for negotiation
• h2c denotes cleartext HTTP/2 with direct negotiation
• h2-14, h2c-14 – stands for draft 14
• h2-15, h2c-15 – stands for draft 15
• h2-16, h2c-16 – stands for draft 16
• h2-17, h2c-17 – stands for draft 17
• h2, h2c – the official spec implementation
• SPDY/3.1: Google's first version of the HTTP/2 spec, formed the basis of HTTP/2

ALPN
• Application-Layer Protocol Negotiation is a TLS extension for protocol resolution
• This is how servers and clients discover HTTP/2 (only for SSL)
• Example from Chrome (doesn't support h2c):

https://jprime.io:8443 (bad cipher)
• Supports HTTP/2
• You can test it
• Real SSL certificate
• Supports protocol ids: h2
• Negotiation: ALPN, NPN, direct
• No upgrade
• Bad ciphers in this example
• ssl_ciphers AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;

TLS 1.2 Cipher Suites
• A deployment of HTTP/2 over TLS 1.2 SHOULD NOT use any of the cipher suites that are listed in the cipher suite black list
• https://http2.github.io/http2-spec/#BadCipherSuites
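The two slides above (the "bad cipher" demo server and the TLS 1.2 cipher suite rule) can be turned into a quick check. This is an added example, not code from the deck: it audits an nginx ssl_ciphers line against the two RFC 7540 section 9.2.2 rules (ephemeral key exchange, AEAD cipher) that the Appendix A black list encodes, using a simplified parser of OpenSSL suite names written for this illustration; BAD_CONFIG is the directive from the slide and GOOD_CONFIG is a constructed replacement.

```python
"""Audit an nginx ssl_ciphers line against the HTTP/2 TLS requirements
(RFC 7540 section 9.2.2; every suite on the slide's "bad cipher" server is
also in the Appendix A black list). Added example, not the deck's own code;
the OpenSSL-name parsing is a simplified heuristic written for it."""
import re
from typing import Dict, Optional

# 9.2.2 rule 1: the key exchange must be ephemeral (forward secrecy).
EPHEMERAL_KX = ("ECDHE", "DHE")
# 9.2.2 rule 2: the cipher must be an AEAD mode, so CBC, RC4 and 3DES are out.
AEAD_MARKERS = ("GCM", "CCM", "CHACHA20")
# The one suite RFC 7540 says every HTTP/2 TLS 1.2 endpoint MUST support.
MANDATORY = "ECDHE-RSA-AES128-GCM-SHA256"

def why_bad_for_h2(name: str) -> Optional[str]:
    """Return None if the suite is acceptable for HTTP/2, else the first failing rule."""
    parts = name.upper().split("-")
    # OpenSSL names such as AES128-SHA or RC4-MD5 carry no key-exchange prefix,
    # which means plain RSA key transport: no forward secrecy.
    if not parts[0].startswith(EPHEMERAL_KX):
        return "non-ephemeral key exchange (no forward secrecy)"
    if not any(m in parts for m in AEAD_MARKERS):
        return "not an AEAD cipher (CBC/RC4/3DES mode)"
    return None

def audit_ssl_ciphers(directive: str) -> Dict[str, Optional[str]]:
    """Map each suite in 'ssl_ciphers A:B:C;' to its problem (None = fine).
    Keyword groups such as HIGH are not expanded: pass explicit suite names."""
    m = re.match(r"\s*ssl_ciphers\s+([^;]+);", directive)
    if not m:
        raise ValueError("not an ssl_ciphers directive")
    names = [n for n in m.group(1).split(":") if n and not n.startswith("!")]
    return {n: why_bad_for_h2(n) for n in names}

def h2_ready(directive: str) -> bool:
    """True only if every suite passes and the mandatory suite is offered."""
    report = audit_ssl_ciphers(directive)
    return MANDATORY in report and all(r is None for r in report.values())

# The directive shown on the jprime.io:8443 slide, and a corrected one (constructed).
BAD_CONFIG = "ssl_ciphers AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;"
GOOD_CONFIG = ("ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:"
               "ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384;")

if __name__ == "__main__":
    for cfg in (BAD_CONFIG, GOOD_CONFIG):
        for suite, problem in audit_ssl_ciphers(cfg).items():
            print(f"{suite:32} {problem or 'OK'}")
        print("HTTP/2 ready:", h2_ready(cfg))
```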
http://jprime.io:81 (h2c)
• Try it – it fails
• The browsers refuse HTTP/2 without SSL (h2c)
• Firefox shows a garbage result
• Chrome downloads a binary file

The h2c client
• Jetty supports h2c and can act as a client
• We can write a small client app
• And sniff the data with Wireshark

HTTP/2 with Wireshark

Direct or Upgrade
• When there is no TLS, HTTP/2 is discovered via:
• Upgrade header from the client
• The server switches to HTTP/2 in the same connection (note the h2c)

Direct or Upgrade
• Direct (we "know" there is HTTP/2)
• Then we directly send the HTTP/2 Connection Preface
• Final confirmation of the protocol in use, and it establishes the initial settings for the HTTP/2 connection
• The purpose of the connection preface is to stop HTTP/1.1 servers from sending data in case of error

A typical request/response
• Client: MAGIC (connection preface), SETTINGS
• Client: HEADERS (http1: req.headers)
• Server: SETTINGS, WINDOW_UPDATE
• Client: SETTINGS
• Server: HEADERS (http1: res.headers)
• Server: DATA (http1: res.body)
• Server: DATA
• Server: DATA
• Server: DATA
• Client: GOAWAY
```
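The frames slide, the connection preface slide and the request/response sequence above describe what actually goes over the wire in the direct h2c case. The following is an added example, not code from the deck or from Jetty: it builds and parses HTTP/2 frames (RFC 7540 section 4.1 header layout) and checks a client's opening bytes for the 24-byte preface followed by SETTINGS on stream 0; all byte strings are constructed here, not captured traffic.

```python
"""Build and parse HTTP/2 frames (RFC 7540 section 4.1) and the h2c
connection preface described on the slides. Added example, not code from
the deck; the byte strings below are constructed here, not captured traffic."""
import struct

# The 24-byte client connection preface ("MAGIC" on the slide). It looks like a
# broken HTTP/1.1 request, so an HTTP/1.1 server rejects it instead of answering.
PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"

FRAME_TYPES = {0x0: "DATA", 0x1: "HEADERS", 0x4: "SETTINGS",
               0x5: "PUSH_PROMISE", 0x7: "GOAWAY", 0x8: "WINDOW_UPDATE"}
SETTINGS_NAMES = {0x3: "MAX_CONCURRENT_STREAMS", 0x4: "INITIAL_WINDOW_SIZE"}

def build_frame(ftype, flags, stream_id, payload):
    """9-byte header: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id."""
    if len(payload) >= 1 << 24 or stream_id >= 1 << 31:
        raise ValueError("length or stream id out of range")
    return (struct.pack("!I", len(payload))[1:] + bytes([ftype, flags])
            + struct.pack("!I", stream_id) + payload)

def build_settings(params):
    """SETTINGS frame on stream 0; payload is a list of (id16, value32) pairs."""
    body = b"".join(struct.pack("!HI", k, v) for k, v in params.items())
    return build_frame(0x4, 0, 0, body)

def iter_frames(buf):
    """Yield (type name, flags, stream id, payload); raise on a truncated frame."""
    pos = 0
    while pos + 9 <= len(buf):
        length = int.from_bytes(buf[pos:pos + 3], "big")
        ftype, flags = buf[pos + 3], buf[pos + 4]
        stream_id = struct.unpack("!I", buf[pos + 5:pos + 9])[0] & 0x7FFFFFFF
        if pos + 9 + length > len(buf):
            raise ValueError("truncated frame")
        payload = buf[pos + 9:pos + 9 + length]
        yield FRAME_TYPES.get(ftype, "TYPE_%#x" % ftype), flags, stream_id, payload
        pos += 9 + length

def parse_client_start(data):
    """Check for the preface, then decode the SETTINGS frame that must follow it."""
    if not data.startswith(PREFACE):
        raise ValueError("no connection preface: not a direct h2c client")
    name, _flags, sid, payload = next(iter_frames(data[len(PREFACE):]))
    if name != "SETTINGS" or sid != 0:
        raise ValueError("first frame after the preface must be SETTINGS on stream 0")
    return {SETTINGS_NAMES.get(k, k): v for k, v in struct.iter_unpack("!HI", payload)}

# Constructed sample of what the client on the slide sends first: MAGIC, then SETTINGS.
CLIENT_START = PREFACE + build_settings({0x3: 100, 0x4: 65535})
```

The server side of the slide (SETTINGS followed by WINDOW_UPDATE) can be produced with the same build_frame helper and read back with iter_frames.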
Decrypting DATA

Jetty
• java -jar $JETTY_HOME/start.jar --add-to-startd=http,https,deploy
• java -jar $JETTY_HOME/start.jar --add-to-startd=http2,http2c
• java -jar $JETTY_HOME/start.jar

Q&A
Article and examples WILL be available at mihail.stoynov.com