
As a measure for speeding up webpage loading times I recommended switching over from HTTP/1.1 to the HTTP/2 protocol. And just today, for the first time in my experience since the rise of HTTP/2, I've heard as the argument for not switching to HTTP/2 that

HTTP/2 would not be secure enough and would have such weighty security issues that they make any speed boost not worthwhile.

As the source of this thinking I've got this article.

My state of knowledge doesn't allow me to judge how weighty the risks mentioned in this article are. I could suppose that they are of a pretty rare nature - it is just a guess, based on my own monitoring of specialist media about website performance, which could be (very) holey.

Could somebody explain to me:

  • what are the security issues of HTTP/2 in general?
  • are these issues enough reason not to switch to HTTP/2?
Evgeniy
  • That document is from 2016. I don't believe the security issues mentioned there are still relevant today. I don't think HTTP/2 is insecure as the major players are all moving towards it (FB, Google...) – Tommiie Jan 07 '19 at 15:22
  • That document is outdated, and also that quote does not appear anywhere in it. – Michael Hampton Jan 07 '19 at 15:39
  • @MichaelHampton the quote is not from the doc, but from the person who was talking to me. – Evgeniy Jan 07 '19 at 15:47

1 Answer


HTTP/2 is new, so it may well have security issues. These are more likely to do with bad implementations than with the protocol itself.

HTTP/1.1 is old and battle tested. And it definitely has issues, despite this. Some of these are vulnerabilities in the protocol (e.g. because it is text based rather than binary based, it is possible to use HTTP header splitting/header smuggling to fool web servers) and many more are due to implementations.

So I would say neither is secure. Neither is anything online. Nor walking out of your house :-)

I don't think security concerns are a reason to hold off upgrading to HTTP/2, and in many ways (see the example above) it is MORE secure than HTTP/1.1. That said, the main aim of HTTP/2 was to improve performance, not security.

Barry Pollard
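The header-splitting point in the answer, as an added example that is not code from the question, the answer, or any HTTP library: an HTTP/1.1 serializer that rejects CR/LF in field values, a minimal text parser showing why the check matters, and a minimal HPACK encoding in which the same value cannot turn into a second field. It assumes the HPACK "literal header field without indexing, new name" form (RFC 7541 section 6.2.2) with Huffman coding off and names/values shorter than 127 bytes; the sample header values are constructed.

```python
# Added example (not from the question or answer): CR LF inside a header value
# under HTTP/1.1 text framing versus HTTP/2 binary (HPACK) framing.
# HPACK part: "literal header field without indexing, new name" (RFC 7541 6.2.2),
# no Huffman coding, names/values under 127 bytes so each length fits one byte.

class InvalidHeaderField(ValueError):
    """The field cannot be carried safely on an HTTP/1.1 connection."""

def http1_serialize(headers):
    """HTTP/1.1 text framing; rejects CR, LF and NUL in values (RFC 7230 forbids
    them). Without this check a value holding CR LF reaches the peer as two fields."""
    out = bytearray()
    for name, value in headers:
        if any(c in value for c in "\r\n\x00") or any(c in name for c in "\r\n: "):
            raise InvalidHeaderField(f"unsafe characters in field {name!r}")
        out += f"{name}: {value}\r\n".encode("latin-1")
    return bytes(out + b"\r\n")

def http1_parse(raw):
    """Minimal text parser: every CRLF-delimited line becomes one field."""
    fields = []
    for line in raw.split(b"\r\n"):
        if line:
            name, _, value = line.partition(b":")
            fields.append((name.decode("latin-1").strip(), value.decode("latin-1").strip()))
    return fields

def hpack_literal(name, value):
    """Encode one field: 0x00, then name and value as length-prefixed literals."""
    n, v = name.lower().encode("latin-1"), value.encode("latin-1")
    assert len(n) < 127 and len(v) < 127, "single-byte length prefix only"
    return bytes([0x00, len(n)]) + n + bytes([len(v)]) + v

def hpack_decode(block):
    """Decode a block of hpack_literal() fields. A CR LF in a value stays inside
    the length-prefixed literal, so the receiver never sees a second field."""
    fields, i = [], 0
    while i < len(block):
        assert block[i] == 0x00, "only the literal-without-indexing form is handled"
        i, parts = i + 1, []
        for _ in range(2):
            length = block[i]
            assert length < 127, "no Huffman flag and no multi-byte length here"
            parts.append(block[i + 1:i + 1 + length].decode("latin-1"))
            i += 1 + length
        fields.append(tuple(parts))
    return fields
```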