Passive Fingerprinting of HTTP/2 Clients
Elad Shuster at AppSec USA 2017
HTTP/2 is the second major version of the HTTP protocol. It changes the way HTTP is transferred “on the wire” by introducing a full binary protocol that is made up of TCP connections, streams, and frames, rather than a plain-text protocol. Such a fundamental change from HTTP/1.x to HTTP/2, means that client-side and server-side implementations have to incorporate completely new code in order to support new HTTP/2 features. This introduces nuances in protocol implementations, which, in return, might be used to passively fingerprint web clients.
Our research is based on more than 10 million HTTP/2 connections from which we extracted fingerprints for over 40,000 unique user agents across hundreds of implementations.
In the presentation, I intend provide the following:
• HTTP/2 Overview
- Introduction into the basic elements of the protocol
- a review the different components chosen for the fingerprint format (alongside a discussion on those left out)
- Potential use cases of the proposed fingerprint
- Usage Statistics - prevalence of HTTP/2 usage on Akamai’s platform
• Examples of common HTTP/2 Implementations & Client fingerprints collected during the research
• HTTP/2 support (or the lack of) among common web security tools (Burp suite, sqlmap, etc.)
• Review of attacks over HTTP/2 observed on Akamai’s platform
References:
http://akamai.me/2qWIqON - whitepaper published by Akamai’s Threat-Research Team.
Elad Shuster
Security Data Analyst, Akamai
CPA(il), MBA, Security Data Analyst at Akamai, with over 10 years of experience in data analysis across different industries.
Our research is based on more than 10 million HTTP/2 connections from which we extracted fingerprints for over 40,000 unique user agents across hundreds of implementations.
In the presentation, I intend provide the following:
• HTTP/2 Overview
- Introduction into the basic elements of the protocol
- a review the different components chosen for the fingerprint format (alongside a discussion on those left out)
- Potential use cases of the proposed fingerprint
- Usage Statistics - prevalence of HTTP/2 usage on Akamai’s platform
• Examples of common HTTP/2 Implementations & Client fingerprints collected during the research
• HTTP/2 support (or the lack of) among common web security tools (Burp suite, sqlmap, etc.)
• Review of attacks over HTTP/2 observed on Akamai’s platform
References:
http://akamai.me/2qWIqON - whitepaper published by Akamai’s Threat-Research Team.
Elad Shuster
Security Data Analyst, Akamai
CPA(il), MBA, Security Data Analyst at Akamai, with over 10 years of experience in data analysis across different industries.