HTTP/1.1 Security News: What You Can Do Now

The Exploit: Penetration Testing Insights From The Frontlines
Posted on September 16, 2025

Written by Jason Taylor

Have you read that “HTTP/1.1 Must Die” and are curious what it means? In this quick article we’ll give you the information you need to judge how impacted you may be and what you can do about it.

What is HTTP/1.1?

The web is accessed and delivered via the Hypertext Transfer Protocol (HTTP). Like most software, HTTP has been iterated on and improved over time. You are most likely familiar with HTTPS, which adds Transport Layer Security (TLS) on top of HTTP and ensures that only you and the website you are accessing can see the contents of the webpage.

HTTP version 1.1 (HTTP/1.1) was introduced in 1997 and has been a staple of the web ever since. A new and improved version, HTTP/2, was released in 2015 and brought many security improvements to the core protocol of the web. Browsers and web servers didn’t immediately jump to use, or even support, the newer HTTP/2, and to this day many websites and servers still operate on HTTP/1.1.

This year PortSwigger released a white paper detailing vulnerabilities within HTTP/1.1 that have repeatedly gone insufficiently patched and that leave websites open to exploits such as HTTP Request Smuggling and more.

The Issue With HTTP/1.1

The recent panic over HTTP/1.1 comes from a core weakness in how HTTP/1.1 frames requests: the boundary between one request and the next can be ambiguous. This allows HTTP desync attacks (also known as request smuggling) that can disclose data intended for one recipient to another.

Some of the issues that these desync attacks can cause are:

  • Users logging into another user’s account
  • Cache poisoning with malicious JavaScript
  • Sensitive information disclosed to another user
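As an added illustration (not code from the original post) of the request-boundary ambiguity described above, here is a strict framing check in Python of the kind an origin server or proxy should apply to any HTTP/1.1 traffic it must still accept: it refuses a request whose body length could be read two ways instead of guessing. The sample requests and the shop.example host are constructed.

```python
import re

def check_framing(raw: bytes):
    """Strict HTTP/1.1 framing check: ("ok", body_length_or_None) or ("reject", reason).

    Refuses any request whose message boundary could be read two ways rather
    than picking an interpretation, which is how two parsers end up desynced.
    """
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return ("reject", "incomplete header block")
    lines = head.split(b"\r\n")
    if not re.fullmatch(rb"[A-Z]+ \S+ HTTP/1\.[01]", lines[0]):
        return ("reject", "malformed request line")
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        # No colon, or whitespace around the name ("Transfer-Encoding : chunked"),
        # is exactly the kind of line that different parsers treat differently.
        if not colon or not name or name != name.strip():
            return ("reject", "malformed header line")
        headers.append((name.lower(), value.strip()))
    cl = [v for n, v in headers if n == b"content-length"]
    te = [v for n, v in headers if n == b"transfer-encoding"]
    if cl and te:
        return ("reject", "both Content-Length and Transfer-Encoding present")
    if te:
        if len(te) > 1:  # strict policy choice: one header or none
            return ("reject", "multiple Transfer-Encoding headers")
        codings = [c.strip().lower() for c in te[0].split(b",")]
        if (codings[-1] != b"chunked" or codings.count(b"chunked") != 1
                or any(c not in (b"chunked", b"gzip", b"deflate") for c in codings)):
            return ("reject", "unrecognised or misplaced transfer coding")
        return ("ok", None)  # body length is defined by the chunk framing only
    if len(set(cl)) > 1:
        return ("reject", "conflicting Content-Length values")
    if cl:
        if not re.fullmatch(rb"[0-9]+", cl[0]):
            return ("reject", "non-numeric Content-Length")
        return ("ok", int(cl[0]))
    return ("ok", 0)  # no body

if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = [
        b"POST /login HTTP/1.1\r\nHost: shop.example\r\nContent-Length: 11\r\n\r\nuser=alice&",
        b"POST /login HTTP/1.1\r\nHost: shop.example\r\nContent-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
        b"POST /login HTTP/1.1\r\nHost: shop.example\r\nTransfer-Encoding : chunked\r\n\r\n0\r\n\r\n",
    ]
    for s in samples:
        print(check_framing(s))
```

Rejecting with a 400 and closing the connection is the safe response; the point is that the origin never silently picks one reading of an ambiguous request.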

Is this a problem today?

While most browsers and web servers today fully support HTTP/2, there are still some legacy systems that do not. This has caused many vendors and organizations to still support HTTP/1.1 for public connections to web servers. Some organizations that use Web Application Firewalls (WAF) may support HTTP/2 at the end-user’s connection, but the connection from the WAF provider to their origin server still falls back to HTTP/1.1.

This is where most of the concern comes from: websites run by everyone from well-known brands to small organizations are believed to be secure because they sit behind a WAF, when in reality they are still vulnerable to these issues on the hop back to the origin.

The Solution

Thankfully the solution is pretty simple. Ensure your origin web servers are configured to support HTTP/2, which mitigates these issues. If legacy systems still cannot understand HTTP/2 and must use HTTP/1.1, you should keep these systems isolated to internal or segregated networks.

If you cannot upgrade a server to support HTTP/2 then you should be monitoring these servers and consider scanning your servers with HTTP Request Smuggler v3.0. This will give you a heads up if your systems are vulnerable and exploitable.

Jason Taylor

Jason has a passion for asking “what-if” questions and for trying to “break” software and test how it responds to unintended uses. Jason has a background in System Administration and Security Engineering in the financial sector. He holds both defensive and offensive certifications including OSCP, PNPT, GCIH, CASP+, and is Splunk Certified. When he’s not spending his time taking new training courses, he loves spending time with his wife and kids and occasionally working on an IoT project to automate some aspect of their greenhouse or chicken coop.
