Passive Fingerprinting of HTTP/2 Clients. presented at codeblue 2017

by Ory Segal,

Summary : HTTP/2 is the second major version of the HTTP protocol. It changes the way HTTP is transferred “on the wire” by introducing a full binary protocol that is made up of TCP connections, streams, and frames, rather than a plain-text protocol. Such a fundamental change from HTTP/1.x to HTTP/2, means that client-side and server-side implementations have to incorporate completely new code in order to support new HTTP/2 features. This introduces nuances in protocol implementations, which, in return, might be used to passively fingerprint web clients.
Our research is based on more than 10 million HTTP/2 connections from which we extracted fingerprints for over 40,000 unique user agents across hundreds of implementations.
In the presentation, we intend provide the following:
*HTTP/2 Overview
- Introduction into the basic elements of the protocol
- a review the different components chosen for the fingerprint format (alongside a discussion on those left out)
- Potential use cases of the proposed fingerprint
- Usage Statistics - prevalence of HTTP/2 usage on Akamai’s platform
*Examples of common HTTP/2 Implementations & Client fingerprints collected during the research
*HTTP/2 support (or the lack of) among common web security tools (Burp suite, sqlmap, etc.)
*Review of attacks over HTTP/2 observed on Akamai’s platform