{"title":"Depending on HTTP/2 for Privacy? Good Luck!","authors":"Gargi Mitra","doi":"10.1109/dsn-s50200.2020.00036","DOIUrl":null,"url":null,"abstract":"The new multi-threaded server operation feature in HTTP/2 results in multiplexed object transmission. This obfuscates the sizes of the encrypted objects, based on which passive network eavesdroppers inferred sensitive information. Therefore, recent works speculate that HTTP/2 can have an unanticipated positive effect on communication privacy in addition to the privacy provided by TLS/SSL. Orthogonal to these works, we show that it is possible for an on-path passive eavesdropper to completely break the privacy offered by the schemes that leverage HTTP/2 multiplexing. Our adversary works based on the following intuition: restricting only one HTTP/2 object to be in the server queue at any point of time will eliminate multiplexing of that object and any privacy benefit thereof. Our adversary achieves this by altering network parameters such as jitter, bandwidth and packet drop rate to ensure that no new client request reaches the server while it is serving a previously requested object. Our adversary was able to break the privacy of a real-world HTTP/2 website 90% of the time. 
To the best of our knowledge, this is the first privacy attack on HTTP/2.","PeriodicalId":419045,"journal":{"name":"2020 50th Annual IEEE-IFIP International Conference on Dependable Systems and Networks-Supplemental Volume (DSN-S)","volume":"26 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2020-06-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2020 50th Annual IEEE-IFIP International Conference on Dependable Systems and Networks-Supplemental Volume (DSN-S)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/dsn-s50200.2020.00036","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citations: 0

Abstract

The new multi-threaded server operation feature in HTTP/2 results in multiplexed object transmission. This obfuscates the sizes of the encrypted objects, based on which passive network eavesdroppers inferred sensitive information. Therefore, recent works speculate that HTTP/2 can have an unanticipated positive effect on communication privacy in addition to the privacy provided by TLS/SSL. Orthogonal to these works, we show that it is possible for an on-path passive eavesdropper to completely break the privacy offered by the schemes that leverage HTTP/2 multiplexing. Our adversary works based on the following intuition: restricting only one HTTP/2 object to be in the server queue at any point of time will eliminate multiplexing of that object and any privacy benefit thereof. Our adversary achieves this by altering network parameters such as jitter, bandwidth and packet drop rate to ensure that no new client request reaches the server while it is serving a previously requested object. Our adversary was able to break the privacy of a real-world HTTP/2 website 90% of the time. To the best of our knowledge, this is the first privacy attack on HTTP/2.