About 34% of the web is still powered by HTTP/1.1 and that protocol will likely come under severe attack starting on Wednesday. Get a preview of what’s in store for the latest security headache.

  • fullofredgoo@lemmy.world

    First comment on the post:

    James Kettle: Hi, I’m the author of this research. It’s great to see interest and I can promise some quality research and a strong argument to kill HTTP/1.1 but the headline of this article goes a bit too far. The specific CDN vulnerabilities have been disclosed to the vendors and patched (hence the past tense in the abstract) – I wouldn’t drop zero day on a CDN! That said I do expect to see fresh critical CDN vulnerabilities in future – hopefully found by a white hat!

  • floofloof@lemmy.ca

    If we know about these attacks, then the bad guys know too. Even if they weren’t yet given the details they’ve been told where to look and could quickly figure them out. Why then would they wait until Wednesday to start attacking? We have to assume they’re already attacking, and 1/3 of the web has not gone down.

    Besides, the author of the research says the vulnerabilities have been disclosed to CDN providers and patched already. So it’s a significant discovery but the headline is doubly silly.

  • Trapped In America@lemmy.dbzer0.com

    I remember people on IRC doing something similar to Cloudflare years back. Using a malformed HTTP header to get a server’s real host IP. It didn’t give you admin panel access or anything like this does, but you could deanonymize sites.

    And to sit on this for 6 years?! I don’t even know what to say about that…