HTTP/2 in Examples
Agenda
• Who am I?
• What is the problem?
• HTTP/2
• Enabled websites
• Analyzing HTTP/2
• How do we know a site is using HTTP/2
• Chrome internals
• Tools to analyze HTTP/2
• How can we start using HTTP/2?
Who am I? @mihailstoynov
• Day job: sty.bz
• Java
• Security audits, web pen testing, sec tools
• Training, travelling
• Hobby: jug.bg
• Java evangelism -> organizing events
• Java patches, writing manuals, early adoption
Greatest accomplishment so far
What is the problem?
• The CNN homepage has 157 resources:
• HTTP/1.0 – allows only one connection per request
• This means 157 connections have to be created
• HTTP/1.1 has keep-alive
• Allows reusing of connections, but it is serial
• If one request is slow, others wait
• Headers are repeated all the time
HTTP/2 history; streams and frames
• HTTP/2 began as SPDY
• Developed by Google and silently used
• Gmail, google.com, …
• Became a standard on February 17, 2015 (HTTP/1.1 was born 1997)
• HTTP/2 defines streams (bidirectional sequence of data)
• One TCP connection can have multiple streams
• Streams are not raw, they are typed
• The structure inside a stream is called a frame
• Frame types: HEADERS, DATA, SETTINGS, PUSH_PROMISE
• A request/response in http2 is HEADERS/DATA
HTTP/2 enabled websites
• twitter.com
• facebook.com
• technically not http/2
• spdy/3.1
• webtide.com
• And of course:
• jprime.io
• The only one supporting http/2 without encryption (h2c), yey
Analyzing HTTP2
How do we know a site is on HTTP/2?
• Browsers don't tell
• Developer tools are somewhat helpful
• Headers can be a hint
chrome://net-internals/#http2
How do we know a site is on HTTP/2?
• Browser plugins
• Yeah, you can install it right now and follow the demos
Tools to help analyze http2 traffic
• Burp Suite – NO
• ZAP – NO
• cURL – NO (you have to build it yourself, I tried and gave up)
• Wireshark
• Wireshark can't mitm ssl, can only read ssl with a private key
• Browsers support only strong crypto with http2
• Perfect Forward Secrecy
• https://en.wikipedia.org/wiki/Forward_secrecy
• Diffie-Hellman key exchange (DHE-RSA, DHE-DSS)
• Wireshark is useless in this scenario
How can I start using HTTP/2?
• https://github.com/http2/http2-spec/wiki/Implementations
• Java apps
• Tomcat – NO
• Undertow - Limited
• Jetty - extensive support
• Nginx just released 1.9.5 that supports http2
• Apache after 2.4.17
Main demo site
https://jprime.io
• Supports HTTP/2
• You can test it
• Real SSL certificate
• Supports protocol ids: h2
• Negotiation: ALPN, NPN, direct
• No upgrade supported
h2 vs h2c (protocol identifiers)
• h2 denotes HTTP/2 over TLS with ALPN for negotiation
• h2c denotes cleartext HTTP/2 with direct negotiation
• h2-14, h2c-14 – stands for draft 14
• h2-15, h2c-15 – stands for draft 15
• h2-16, h2c-16 – stands for draft 16
• h2-17, h2c-17 – stands for draft 17
• h2, h2c – the official spec impl
• SPDY/3.1: Google's first version of the HTTP/2 spec, formed the basis of HTTP/2
ALPN
• Application-Layer Protocol Negotiation is a TLS extension for protocol resolution
• This is how the servers/clients discover http2 (only for ssl)
• Example from Chrome (doesn't support h2c):
https://jprime.io:8443 (bad cipher)
• Supports HTTP/2
• You can test it
• Real SSL certificate
• Supports protocol ids: h2
• Negotiation: ALPN, NPN, direct
• No upgrade
• Bad ciphers in this example
• ssl_ciphers AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;
TLS 1.2 Cipher Suites
• A deployment of HTTP/2 over TLS 1.2 SHOULD NOT use any of the cipher suites that are listed in the cipher suite black list
• https://http2.github.io/http2-spec/#BadCipherSuites
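The slide's nginx ssl_ciphers line checked against the HTTP/2 cipher requirement, as an added Python example that is not from the deck. It applies the rule behind the black list (RFC 7540 section 9.2.2: an ephemeral key exchange and an AEAD cipher, nothing based on NULL, stream or CBC modes) as a heuristic on OpenSSL cipher names rather than reproducing the Appendix A list verbatim; the "good" directive is a constructed replacement, and cipher-list aliases such as HIGH are not expanded. All function names are this example's own.

```python
"""Check an nginx ssl_ciphers directive against the HTTP/2 TLS 1.2 cipher rule."""
import re

# Heuristic derived from RFC 7540 9.2.2 (assumption: OpenSSL-style suite names):
# a suite must use an ephemeral key exchange and an AEAD cipher.
EPHEMERAL_PREFIXES = ("ECDHE-", "DHE-")
AEAD_MARKERS = ("GCM", "CHACHA20", "CCM")
WEAK_PRIMITIVE = re.compile(r"\b(NULL|RC4|DES|MD5|EXP)")

# The directive from the jprime.io:8443 demo and a constructed replacement.
BAD_DIRECTIVE = "ssl_ciphers AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;"
GOOD_DIRECTIVE = ("ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:"
                  "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305;")


def suite_problems(name: str) -> list:
    """Return the reasons a single suite is unsuitable for HTTP/2 ([] means acceptable)."""
    problems = []
    if not name.startswith(EPHEMERAL_PREFIXES):
        problems.append("no ephemeral key exchange (no forward secrecy)")
    if not any(marker in name for marker in AEAD_MARKERS):
        problems.append("not an AEAD cipher (stream/CBC mode)")
    if WEAK_PRIMITIVE.search(name):
        problems.append("weak primitive")
    return problems


def check_ssl_ciphers(directive: str) -> dict:
    """Parse `ssl_ciphers A:B:C;` and map every named suite to its problems."""
    match = re.match(r"\s*ssl_ciphers\s+([^;]+);", directive)
    if not match:
        raise ValueError("not an ssl_ciphers directive")
    # Skip OpenSSL list operators (!aNULL, @STRENGTH); aliases like HIGH are not expanded.
    suites = [s for s in match.group(1).split(":") if s and not s.startswith(("!", "@"))]
    return {s: suite_problems(s) for s in suites}


def is_http2_safe(directive: str) -> bool:
    """True when no suite in the directive has any problem."""
    return all(not problems for problems in check_ssl_ciphers(directive).values())


if __name__ == "__main__":
    for label, directive in (("bad", BAD_DIRECTIVE), ("good", GOOD_DIRECTIVE)):
        print(label, is_http2_safe(directive))
        for suite, problems in check_ssl_ciphers(directive).items():
            print("  ", suite, "->", problems or "ok")
```

Run against the demo line every suite is flagged; the constructed replacement passes because each suite is ECDHE with GCM or ChaCha20-Poly1305.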
http://jprime.io:81 (h2c)
• Try it – it fails
• The browsers refuse http/2 without ssl (h2c)
• Firefox shows garbage result
• Chrome downloads a binary file
The h2c client
• Jetty supports h2c and can act as a client
• we can write a small client app
• And sniff the data with wireshark
http2 with wireshark
Direct or Upgrade
• When no TLS, HTTP/2 is discovered:
• Upgrade header from client
• Server switches to http2 in the same connection (note the h2c)
Direct or Upgrade
• Direct (we "know" there is http2)
• Then we directly do the HTTP/2 Connection Preface
• Final confirmation of the protocol in use and to establish the initial settings for the HTTP/2 connection
• The purpose of the connection preface is to stop http/1.1 servers from sending data in case of error
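The two cleartext entry points from the "Direct or Upgrade" slides, as an added Python example that is not from the deck: given the first bytes a server reads on a non-TLS connection, it tells a direct HTTP/2 connection (fixed client preface) from an HTTP/1.1 request carrying Upgrade: h2c, and decodes the HTTP2-Settings header the upgrade request must carry. The sample requests are constructed, the host name is a placeholder, and the function names are this example's own.

```python
"""Classify the first bytes of a cleartext connection: direct HTTP/2, h2c Upgrade, or plain HTTP/1.1."""
import base64

# Fixed 24-byte client connection preface (RFC 7540 section 3.5).
PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"

# SETTINGS identifiers (RFC 7540 section 6.5.2).
SETTINGS_NAMES = {1: "HEADER_TABLE_SIZE", 2: "ENABLE_PUSH", 3: "MAX_CONCURRENT_STREAMS",
                  4: "INITIAL_WINDOW_SIZE", 5: "MAX_FRAME_SIZE", 6: "MAX_HEADER_LIST_SIZE"}

# Constructed samples (not captured traffic); example.test is a placeholder host.
SAMPLE_UPGRADE = (b"GET / HTTP/1.1\r\n"
                  b"Host: example.test\r\n"
                  b"Connection: Upgrade, HTTP2-Settings\r\n"
                  b"Upgrade: h2c\r\n"
                  b"HTTP2-Settings: AAMAAABkAAQAAP__\r\n\r\n")
SAMPLE_DIRECT = PREFACE + b"\x00\x00\x00\x04\x00\x00\x00\x00\x00"   # preface, then an empty SETTINGS frame
SAMPLE_PLAIN = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"


def decode_http2_settings(value: str) -> dict:
    """HTTP2-Settings header: base64url without padding of a SETTINGS frame payload."""
    payload = base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))
    if len(payload) % 6:
        raise ValueError("SETTINGS payload must be a multiple of 6 bytes")
    settings = {}
    for i in range(0, len(payload), 6):                  # 16-bit identifier, 32-bit value
        ident = int.from_bytes(payload[i:i + 2], "big")
        settings[SETTINGS_NAMES.get(ident, ident)] = int.from_bytes(payload[i + 2:i + 6], "big")
    return settings


def _header_fields(raw: bytes) -> dict:
    """Minimal HTTP/1.1 header parse: lower-cased names, no folding, last duplicate wins."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    fields = {}
    for line in head.split("\r\n")[1:]:                  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            fields[name.strip().lower()] = value.strip()
    return fields


def _tokens(value: str) -> set:
    return {t.strip().lower() for t in value.split(",") if t.strip()}


def classify_cleartext(raw: bytes) -> dict:
    """Say how the peer wants to talk HTTP/2 on this cleartext connection."""
    if raw.startswith(PREFACE):
        return {"mode": "direct"}                        # RFC 7540 3.4: prior knowledge, no negotiation
    request_line = raw.split(b"\r\n", 1)[0]
    if not request_line.endswith(b" HTTP/1.1"):
        return {"mode": "unknown"}
    fields = _header_fields(raw)
    # RFC 7540 3.2: Upgrade: h2c, Connection listing Upgrade, and exactly one HTTP2-Settings header;
    # without HTTP2-Settings the server must not upgrade, so that case stays HTTP/1.1.
    if ("h2c" in _tokens(fields.get("upgrade", ""))
            and "upgrade" in _tokens(fields.get("connection", ""))
            and "http2-settings" in fields):
        return {"mode": "upgrade", "settings": decode_http2_settings(fields["http2-settings"])}
    return {"mode": "http/1.1"}


if __name__ == "__main__":
    for sample in (SAMPLE_DIRECT, SAMPLE_UPGRADE, SAMPLE_PLAIN):
        print(classify_cleartext(sample))
```

The constructed HTTP2-Settings value decodes to MAX_CONCURRENT_STREAMS=100 and INITIAL_WINDOW_SIZE=65535; a proxy or server in front of an h2c backend can use the same check to decide whether an incoming request is asking to leave HTTP/1.1.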
A typical request/response
• Client: MAGIC (connection preface), SETTINGS
• Client: HEADERS http1: req.headers
• Server: SETTINGS, WINDOW_UPDATE
• Client: SETTINGS
• Server: HEADERS http1: res.headers
• Server: DATA http1: res.body
• Server: DATA
• Server: DATA
• Server: DATA
• Client: GOAWAY
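The frame sequence on this slide, and the frame structure from the "streams and frames" slide, as one added Python example that is not from the deck: it builds a constructed direct h2c exchange (preface, SETTINGS, HEADERS, WINDOW_UPDATE, DATA, GOAWAY) and decodes it frame by frame. Assumptions: no TLS, the HEADERS payloads are the HPACK static-table indexed bytes for "GET / http" and ":status 200" and are otherwise left encoded, and all function names are this example's own.

```python
"""Build and decode a cleartext (h2c, direct) HTTP/2 exchange frame by frame."""
import struct

PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"          # RFC 7540 3.5, sent by the client only
FRAME_TYPES = {0x0: "DATA", 0x1: "HEADERS", 0x2: "PRIORITY", 0x3: "RST_STREAM", 0x4: "SETTINGS",
               0x5: "PUSH_PROMISE", 0x6: "PING", 0x7: "GOAWAY", 0x8: "WINDOW_UPDATE", 0x9: "CONTINUATION"}
SETTINGS_NAMES = {1: "HEADER_TABLE_SIZE", 2: "ENABLE_PUSH", 3: "MAX_CONCURRENT_STREAMS",
                  4: "INITIAL_WINDOW_SIZE", 5: "MAX_FRAME_SIZE", 6: "MAX_HEADER_LIST_SIZE"}
END_STREAM, ACK, END_HEADERS, PADDED, PRIORITY = 0x1, 0x1, 0x4, 0x8, 0x20


def build_frame(ftype: int, flags: int, stream_id: int, payload: bytes = b"") -> bytes:
    """Frame header (RFC 7540 4.1): 24-bit length, 8-bit type, 8-bit flags, reserved bit + 31-bit stream id."""
    return (struct.pack("!I", len(payload))[1:] + bytes([ftype, flags])
            + struct.pack("!I", stream_id & 0x7FFFFFFF) + payload)


def _strip_padding(flags: int, payload: bytes, has_priority: bool = False) -> bytes:
    body, pad = payload, 0
    if flags & PADDED:                     # first byte is the pad length, padding trails the body
        pad, body = body[0], body[1:]
    if has_priority and flags & PRIORITY:  # stream dependency (4 bytes) + weight (1 byte)
        body = body[5:]
    return body[:len(body) - pad] if pad else body


def describe(ftype: int, flags: int, stream_id: int, payload: bytes) -> dict:
    """Decode the payloads that need no HPACK; HEADERS is reported as an opaque HPACK block."""
    name = FRAME_TYPES.get(ftype, "UNKNOWN(0x%02x)" % ftype)
    info = {"type": name, "stream": stream_id, "flags": flags, "length": len(payload)}
    if name == "SETTINGS":
        info["ack"] = bool(flags & ACK)
        if not info["ack"]:                # ACK carries no payload; otherwise 6-byte id/value pairs
            pairs = (struct.unpack("!HI", payload[k:k + 6]) for k in range(0, len(payload), 6))
            info["settings"] = {SETTINGS_NAMES.get(i, i): v for i, v in pairs}
    elif name == "WINDOW_UPDATE":
        info["increment"] = struct.unpack("!I", payload)[0] & 0x7FFFFFFF
    elif name == "GOAWAY":
        last, err = struct.unpack("!II", payload[:8])
        info["last_stream"], info["error_code"] = last & 0x7FFFFFFF, err
    elif name == "DATA":
        info["end_stream"] = bool(flags & END_STREAM)
        info["body"] = _strip_padding(flags, payload)
    elif name == "HEADERS":
        info["end_stream"], info["end_headers"] = bool(flags & END_STREAM), bool(flags & END_HEADERS)
        info["hpack"] = _strip_padding(flags, payload, has_priority=True)
    return info


def parse_frames(buf: bytes) -> list:
    """Split a byte stream into frames; raises on truncation instead of guessing."""
    frames, off = [], 0
    while off < len(buf):
        if len(buf) - off < 9:
            raise ValueError("truncated frame header")
        length = int.from_bytes(buf[off:off + 3], "big")
        ftype, flags = buf[off + 3], buf[off + 4]
        stream_id = int.from_bytes(buf[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = buf[off + 9:off + 9 + length]
        if len(payload) < length:
            raise ValueError("truncated frame payload")
        frames.append(describe(ftype, flags, stream_id, payload))
        off += 9 + length
    return frames


def decode_client_stream(buf: bytes) -> list:
    """Client side of a direct h2c connection: the fixed preface, then frames."""
    if not buf.startswith(PREFACE):
        raise ValueError("missing HTTP/2 client connection preface")
    return parse_frames(buf[len(PREFACE):])


def sample_exchange() -> tuple:
    """Constructed client and server byte streams mirroring the slide's sequence (not a real capture)."""
    client = PREFACE
    client += build_frame(0x4, 0, 0, struct.pack("!HI", 3, 100))      # SETTINGS: MAX_CONCURRENT_STREAMS=100
    client += build_frame(0x1, 0x5, 1, b"\x82\x84\x86")              # HEADERS: GET / http, END_HEADERS|END_STREAM
    server = build_frame(0x4, 0, 0, struct.pack("!HI", 4, 65535))    # SETTINGS: INITIAL_WINDOW_SIZE=65535
    server += build_frame(0x8, 0, 0, struct.pack("!I", 1 << 20))     # WINDOW_UPDATE on the connection
    client += build_frame(0x4, ACK, 0)                               # SETTINGS ACK
    server += build_frame(0x1, END_HEADERS, 1, b"\x88")              # HEADERS: :status 200
    server += build_frame(0x0, 0, 1, b"Hello, ")                     # DATA
    server += build_frame(0x0, END_STREAM, 1, b"h2c")                # DATA, END_STREAM closes stream 1
    client += build_frame(0x7, 0, 0, struct.pack("!II", 1, 0))       # GOAWAY: last stream 1, NO_ERROR
    return client, server


if __name__ == "__main__":
    client_bytes, server_bytes = sample_exchange()
    for who, frames in (("Client", decode_client_stream(client_bytes)), ("Server", parse_frames(server_bytes))):
        for frame in frames:
            print(who, frame)
```

This is the decoding Wireshark does on a plaintext h2c capture; the DATA bodies come out in the clear because nothing here is encrypted, which is exactly why the deck uses Jetty's h2c client for sniffing.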
Decrypting DATA
Jetty
• Jetty
• java -jar $JETTY_HOME/start.jar --add-to-startd=http,https,deploy
• java -jar $JETTY_HOME/start.jar --add-to-startd=http2,http2c
• java -jar $JETTY_HOME/start.jar
Q&A
Article and examples WILL be available at mihail.stoynov.com
