An Investigation on HTTP/2 Security

Authors

  • Meenakshi Suresh TIFAC-CORE in Cyber Security, Amrita School of Engineering, Coimbatore, Amrita Vishwa Vidyapeetham, India
  • P. P. Amritha TIFAC-CORE in Cyber Security, Amrita School of Engineering, Coimbatore, Amrita Vishwa Vidyapeetham, India
  • Ashok Kumar Mohan TIFAC-CORE in Cyber Security, Amrita School of Engineering, Coimbatore, Amrita Vishwa Vidyapeetham, India
  • V. Anil Kumar CSIR Fourth Paradigm Institute (CSIR-4PI), Bangalore, India

DOI:

https://doi.org/10.13052/2245-1439.7112

Keywords:

HTTP, HTTP/2, SPDY, Server Push, HPACK

Abstract

In the current world scenario where everyone is using the Internet, it is becoming a strenuous task to preserve security. Furthermore, the world is becoming progressively digital with each passing minute. A large portion of Internet communication is conducted using the Hyper Text Transfer Protocol (HTTP). In 2015, HTTP underwent a consequential enhancement and was released as HTTP/2. Besides the properties of HTTP/1.1, HTTP/2 includes pipelining, response multiplexing, server push and header compression using HPACK. These properties make it difficult for eavesdroppers to monitor or fingerprint a website running on HTTP/2. This paper examines how well the HTTP/2 protocol keeps user information hidden and secure. By monitoring live network traffic, the properties of HTTP/2 are assessed. This study helps in understanding the different aspects of the protocol and its influence on the network and browsers.

 

Author Biographies

Meenakshi Suresh, TIFAC-CORE in Cyber Security, Amrita School of Engineering, Coimbatore, Amrita Vishwa Vidyapeetham, India

Meenakshi Suresh is pursuing her M.Tech in Cyber Security from Amrita University and will graduate in 2018. She attended TocH Institute Of Science and Technology from where she received her B.Tech in Computer Science. Her current area of research is Networks and

P. P. Amritha, TIFAC-CORE in Cyber Security, Amrita School of Engineering, Coimbatore, Amrita Vishwa Vidyapeetham, India

P. P. Amritha received her M.Tech. in Cyber Security from Amrita University. She is now a PhD scholar at Amrita University. Her current research interests include: Steganography and Code Obfuscation.

Ashok Kumar Mohan, TIFAC-CORE in Cyber Security, Amrita School of Engineering, Coimbatore, Amrita Vishwa Vidyapeetham, India

Ashok Kumar Mohan, M. Tech specialized in Cyber Security, is a Research Associate at TIFAC-CORE in Cyber Security, Amrita Vishwa Vidyapeetham, Coimbatore, Tamil Nadu, India. He is currently a PhD scholar doing his research in the area of Cyber Forensics funded by Ministry of Electronics & Information Technology (Government of India) under Visvesvaraya PhD scheme for Electronics and IT. He is currently pursuing his research over the cyber security core vicinity in Metadata Forensics, Wireless Security Auditing, Rumor Prediction in Social Media Networks and Slack Space Analysis of NTFS File Systems. He is also the Certified EC-Council Instructor (CEI) for ethical hacking and penetration testing certification courses at the research centre.

V. Anil Kumar, CSIR Fourth Paradigm Institute (CSIR-4PI), Bangalore, India

V. Anil Kumar is a Principal Scientist at CSIR Fourth Paradigm Institute (CSIR-4PI), Bangalore, India. His research interests are Cyber Security, High Performance Computing and Protocol Engineering. He has about 25 research papers in international journals and conference proceedings. He has filed one International and two Indian patents on security aspects of transport protocols. He received DAAD Fellowship from German Academic Exchange Service and subsequently worked at Fraunhofer Institute for Open Communication system, Germany during 2002–2004. From 2009 to 2010, he was with French National Research Institute in Computer Science and Control (INRIA), France as Senior Expert Engineer. He has worked on a large European Union Project called OneLab2 to establish a geographically distributed and federated network testbed. He was one of the project leaders for establishing a supercomputing facility, which was ranked no. 1 in India and 58th fastest in the world, as per the June 2012 list of top500 supercomputers. He also received Internet Society (ISOC) to participate in the 95th Internet Engineering Task Force (IETF) meeting.

Published

2018-01-04

How to Cite

Suresh M, Amritha PP, Mohan AK, Kumar VA. An Investigation on HTTP/2 Security. JCSANDM [Internet]. 2018 Jan. 4 [cited 2024 Nov. 25];7(1-2):161-80. Available from: https://journals.riverpublishers.com/index.php/JCSANDM/article/view/5291

Section

Articles