• HTTP/2 • Enabled websites • Analyzing HTTP/2 • How do we know a site is using HTTP/2 • Chrome internals • Tools to analyze HTTP/2 • How can we start using HTTP/2?
homepage has 157 resources: • HTTP/1.0 – allows only one request per connection • This means 157 connections have to be created • HTTP/1.1 has keep-alive • Connections can be reused, but requests on one connection are handled serially • If one request is slow, the ones queued behind it wait (head-of-line blocking) • Workarounds: image sprites, domain sharding, concatenating js/css, inlining css/js • Headers are repeated for every request (and they are sometimes as big as 1 kB)
latency transport of content • One of the goals: no change required for web developers • Key features: • One connection per domain • Multiplexing – multiple streams over the same connection • Header compression – headers already sent are referenced instead of repeated (HPACK) • Server push – the server sends resources before the client even requests them • Prioritization – some resources can be marked as more important than others
you used Chrome • HTTP/2 began as SPDY • Developed by Google and quietly in use since 2009/2010 • Approved as a standard on February 17, 2015 and published as RFC 7540 in May 2015 (HTTP/1.1 was born in 1997) • 18 YEARS after HTTP/1.1 • Currently used by • Gmail, google.com • twitter, facebook • wikipedia (still uses SPDY) • And of course our community site: https://jprime.io
data) • One TCP connection can carry multiple streams • Streams are not raw byte pipes: what flows inside a stream is a sequence of typed frames • Frame types include HEADERS, DATA, SETTINGS, PUSH_PROMISE • A request or response in HTTP/2 is a HEADERS frame followed by zero or more DATA frames on the same stream
NO • ZAP – NO • cURL – NO (you have to build it yourself, I tried and gave up) • Wireshark • Wireshark cannot MITM TLS; it can only decrypt a capture when it has the key material • Browsers only speak HTTP/2 over strong crypto • Perfect Forward Secrecy • (even with the server's private key you cannot decrypt recorded sessions) • https://en.wikipedia.org/wiki/Forward_secrecy • Ephemeral Diffie-Hellman key exchange (DHE-RSA, DHE-DSS, ECDHE) • So the server's private key alone does not help Wireshark in this scenario
apps • Tomcat – NO • Undertow – limited • Jetty – extensive support • Nginx 1.9.5 has an "experimental" http2 module • Nginx Plus supports PUSH • Apache after 2.4.17 (my hosting provider is not using it, so no luck yet)
TLS with ALPN for negotiation • h2c denotes cleartext HTTP/2, started either through an HTTP/1.1 Upgrade or directly with prior knowledge of server support • h2-14, h2c-14 – draft 14 • h2-15, h2c-15 – draft 15 • h2-16, h2c-16 – draft 16 • h2-17, h2c-17 – draft 17 • h2, h2c – the final spec (RFC 7540) • SPDY/3.1: the last deployed version of Google's SPDY, the protocol HTTP/2 was based on
it • Real SSL certificate • Supports protocol ids: h2 • Negotiation: ALPN, NPN, direct • No upgrade • Bad ciphers in this example: • ssl_ciphers AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5; • Every suite here uses static RSA key exchange (no forward secrecy) with CBC or RC4, and all five are on the RFC 7540 Appendix A black list, so a browser that negotiates h2 over this configuration refuses the connection with INADEQUATE_SECURITY
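The "browsers only do HTTP/2 over strong crypto" point and the bad ssl_ciphers line above come down to one rule from RFC 7540 section 9.2.2: ephemeral key exchange plus an AEAD cipher, nothing from the Appendix A black list. The following checker is an added example and not code from the talk or from nginx; it parses an nginx ssl_ciphers directive, classifies each OpenSSL-style TLS 1.2 suite name under that rule, and is run against the talk's weak list and a hardened replacement list (the hardened list is a constructed example). It assumes OpenSSL-style names as nginx uses them; TLS 1.3 suites are configured separately in nginx and are all AEAD with ephemeral key exchange, so they are out of scope here.

```python
"""Check an nginx ssl_ciphers directive against what HTTP/2 over TLS 1.2 requires.

Added example, not from the talk. RFC 7540 s9.2.2 requires ephemeral key exchange
and black-lists (Appendix A) every static-RSA, CBC-mode, RC4, 3DES and export
suite; the practical rule encoded here is "ECDHE or DHE key exchange plus an AEAD
cipher (GCM, CCM, ChaCha20-Poly1305)". Browsers that negotiate h2 and then land
on a black-listed suite fail the connection with INADEQUATE_SECURITY.
Assumption: cipher names are OpenSSL-style TLS 1.2 names as nginx uses them.
"""
import re

AEAD_MARKERS = ("-GCM-", "-CCM", "CHACHA20")


def reject_reason(name):
    """Return None if the suite is acceptable for h2, otherwise a short reason."""
    if not name.startswith(("ECDHE-", "DHE-")):
        return "no ephemeral key exchange (no forward secrecy)"
    if any(bad in name for bad in ("RC4", "DES", "NULL", "EXP")):
        return "RC4/3DES/export-grade cipher"
    if not any(m in name for m in AEAD_MARKERS):
        return "not AEAD (CBC or stream cipher)"
    return None


def check_ssl_ciphers(directive):
    """Parse `ssl_ciphers LIST;` and return (accepted, rejected), rejected = suite -> reason.

    OpenSSL list syntax: ':' separates entries; '!' / '-' remove and '+' / '@' reorder,
    so those entries cannot enable anything and are skipped. Keywords such as HIGH or
    aNULL are expanded by OpenSSL, not here, so they are reported for manual expansion.
    """
    m = re.match(r'\s*ssl_ciphers\s+"?([^";]+?)"?\s*;', directive)
    if not m:
        raise ValueError("not an ssl_ciphers directive")
    accepted, rejected = [], {}
    for token in m.group(1).split(":"):
        if not token or token[0] in "!-+@":
            continue
        if not (token.isupper() and "-" in token):   # heuristic: suite names look like X-Y-Z
            rejected[token] = "OpenSSL keyword, expand with `openssl ciphers -v` first"
            continue
        reason = reject_reason(token)
        if reason:
            rejected[token] = reason
        else:
            accepted.append(token)
    return accepted, rejected


# The talk's own (bad) list, and a hardened replacement constructed for this example.
WEAK = "ssl_ciphers AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;"
HARDENED = ("ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
            "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
            "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;")

if __name__ == "__main__":
    for label, directive in (("weak", WEAK), ("hardened", HARDENED)):
        acc, rej = check_ssl_ciphers(directive)
        print(f"{label}: {len(acc)} usable for h2, {len(rej)} rejected")
        for suite, why in rej.items():
            print(f"  {suite}: {why}")
```

Pair the hardened list with `ssl_prefer_server_ciphers on;` so the server's order wins, and verify the result from outside with `openssl s_client -alpn h2 -connect host:443`, which prints the negotiated "ALPN protocol:" and cipher; the checker is a static review aid, not a substitute for that live test.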
• Then we directly send the HTTP/2 connection preface • It is the final confirmation of the protocol in use and establishes the initial settings for the HTTP/2 connection • The client preface is a fixed 24-octet sequence followed by a SETTINGS frame; the server answers with its own (possibly empty) SETTINGS frame • The fixed sequence is chosen so that an HTTP/1.1 server reached by mistake does not try to handle it as a normal request and send data back
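To make the framing slides and the connection preface concrete, here is a small parser that checks the 24-octet client preface and splits what follows into typed frames (HEADERS, DATA, SETTINGS and so on), decodes the SETTINGS pairs, and rejects the framing mistakes a peer must treat as a connection error. It is an added example, not code from the talk or from any HTTP/2 library; the sample bytes are constructed here (a SETTINGS frame, a HEADERS frame whose payload is two HPACK static-table indices, and a DATA frame), and the HPACK decoder handles only fully indexed static-table fields, which is enough to show that "header compression" means sending a one-byte reference instead of the header text.

```python
"""HTTP/2 connection preface and frame parser (RFC 7540 sections 3.5, 4.1, 6.5).

Added example, not code from the talk: it shows the framing layer the slides
describe, parses a constructed client preface, and rejects the framing errors
a peer is required to treat as PROTOCOL_ERROR / FRAME_SIZE_ERROR.
"""
import struct

# The client preface: these 24 fixed octets, then a SETTINGS frame (RFC 7540 s3.5).
PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"

FRAME_TYPES = {
    0x0: "DATA", 0x1: "HEADERS", 0x2: "PRIORITY", 0x3: "RST_STREAM",
    0x4: "SETTINGS", 0x5: "PUSH_PROMISE", 0x6: "PING", 0x7: "GOAWAY",
    0x8: "WINDOW_UPDATE", 0x9: "CONTINUATION",
}
SETTINGS_NAMES = {
    0x1: "HEADER_TABLE_SIZE", 0x2: "ENABLE_PUSH", 0x3: "MAX_CONCURRENT_STREAMS",
    0x4: "INITIAL_WINDOW_SIZE", 0x5: "MAX_FRAME_SIZE", 0x6: "MAX_HEADER_LIST_SIZE",
}
CONNECTION_FRAMES = {"SETTINGS", "PING", "GOAWAY"}                    # stream id must be 0
STREAM_FRAMES = {"DATA", "HEADERS", "PUSH_PROMISE", "CONTINUATION"}  # stream id must not be 0
DEFAULT_MAX_FRAME_SIZE = 1 << 14  # 16384 octets until a SETTINGS frame raises it

# Subset of the HPACK static table (RFC 7541 Appendix A) for fully indexed fields.
HPACK_STATIC = {
    2: (":method", "GET"), 3: (":method", "POST"), 4: (":path", "/"),
    5: (":path", "/index.html"), 6: (":scheme", "http"), 7: (":scheme", "https"),
    8: (":status", "200"), 13: (":status", "404"), 14: (":status", "500"),
}


def parse_frames(data, max_frame_size=DEFAULT_MAX_FRAME_SIZE):
    """Split raw bytes into (type_name, flags, stream_id, payload) tuples."""
    frames, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 9:
            raise ValueError("truncated frame header")
        # 9-octet header: 24-bit length, 8-bit type, 8-bit flags, 1 reserved bit + 31-bit stream id
        length = int.from_bytes(data[pos:pos + 3], "big")
        ftype, flags = data[pos + 3], data[pos + 4]
        stream_id = int.from_bytes(data[pos + 5:pos + 9], "big") & 0x7FFFFFFF
        pos += 9
        if length > max_frame_size:
            raise ValueError(f"FRAME_SIZE_ERROR: {length} > {max_frame_size}")
        if len(data) - pos < length:
            raise ValueError("truncated frame payload")
        payload, pos = data[pos:pos + length], pos + length
        name = FRAME_TYPES.get(ftype, f"UNKNOWN_{ftype:#x}")
        if name in CONNECTION_FRAMES and stream_id != 0:
            raise ValueError(f"PROTOCOL_ERROR: {name} on stream {stream_id}")
        if name in STREAM_FRAMES and stream_id == 0:
            raise ValueError(f"PROTOCOL_ERROR: {name} on stream 0")
        frames.append((name, flags, stream_id, payload))
    return frames


def parse_settings(payload):
    """SETTINGS payload is a sequence of 6-octet (16-bit id, 32-bit value) pairs."""
    if len(payload) % 6:
        raise ValueError("FRAME_SIZE_ERROR: SETTINGS length not a multiple of 6")
    return {SETTINGS_NAMES.get(i, f"UNKNOWN_{i:#x}"): v
            for i, v in struct.iter_unpack("!HI", payload)}


def decode_indexed_headers(block):
    """Decode an HPACK block made only of indexed fields (octets of the form 1xxxxxxx)."""
    fields = []
    for octet in block:
        if not octet & 0x80 or (octet & 0x7F) not in HPACK_STATIC:
            raise NotImplementedError("only static-table indexed fields are handled here")
        fields.append(HPACK_STATIC[octet & 0x7F])
    return fields


def parse_client_preface(data):
    """Verify the 24-octet magic and return the frames after it (the first must be SETTINGS)."""
    if not data.startswith(PREFACE):
        raise ValueError("not an HTTP/2 client connection preface")
    frames = parse_frames(data[len(PREFACE):])
    if not frames or frames[0][0] != "SETTINGS":
        raise ValueError("PROTOCOL_ERROR: preface must be followed by SETTINGS")
    return frames


def build_frame(ftype, flags, stream_id, payload):
    """Encode one frame (used to construct the sample below)."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + stream_id.to_bytes(4, "big") + payload)


# Constructed sample of what a client sends after ALPN selected h2; not a real capture.
SAMPLE = (
    PREFACE
    + build_frame(0x4, 0x0, 0, struct.pack("!HIHI", 0x3, 100, 0x4, 65535))  # SETTINGS
    + build_frame(0x1, 0x4, 1, b"\x83\x84")   # HEADERS, END_HEADERS; HPACK ":method POST", ":path /"
    + build_frame(0x0, 0x1, 1, b"hello")      # DATA, END_STREAM: request body on stream 1
)

if __name__ == "__main__":
    for name, flags, sid, payload in parse_client_preface(SAMPLE):
        print(f"{name:8} flags={flags:#04x} stream={sid} len={len(payload)}")
```

The stream-id checks are where most "it is just HTTP with binary framing" intuition breaks: SETTINGS, PING and GOAWAY belong to the connection (stream 0) while HEADERS and DATA belong to a stream, and a frame on the wrong side is a connection-level error, not something to skip. A fuzzing or proxy-testing harness starts from exactly these rules.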
is a way to tell the browser to export the TLS (pre-)master secrets • It works for any site • without the site's private key • without changing anything (no MITM) • $ export SSLKEYLOGFILE=$PWD/http2/firefox.sslkeylogfile.txt • $ /Applications/Firefox.app/Contents/MacOS/firefox • (Firefox has to be started from the shell where the variable is exported) • Then we give this file to Wireshark and Wireshark can decrypt • Wireshark -> Preferences -> Protocols -> SSL -> (Pre)-Master-Secret log filename (newer Wireshark versions list the protocol as TLS instead of SSL) • Then we can decrypt the TLS and read the HTTP/2 inside • The log file holds the secrets of every session the browser made while it was set: treat it like a private key and delete it when the analysis is done
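What Wireshark does with that file is simple enough to reproduce, and doing so shows why the trick works without the server's private key: each line of the NSS key log is keyed by the 32-byte client random, which travels in the clear in the ClientHello, so the dissector pulls the random out of the captured handshake and looks up the session's secret. The script below is an added example, not code from the talk or from Wireshark; it parses the key log format, extracts the client random from a raw ClientHello record, and reports which captured sessions the log can decrypt. The key log lines and the ClientHello records are constructed for the example.

```python
"""Index an NSS key log (what SSLKEYLOGFILE produces) the way Wireshark uses it.

Added example, not from the talk. The file has one record per line,
"<LABEL> <client_random hex> <secret hex>", with '#' comments. A TLS 1.2 session
logs CLIENT_RANDOM <32-byte random> <48-byte master secret>; TLS 1.3 logs several
per-epoch traffic secrets under the same client random. The client random is sent
in the clear in the ClientHello, which is why no private key and no MITM is needed.
"""
TLS12_LABEL = "CLIENT_RANDOM"
TLS13_LABELS = {
    "CLIENT_EARLY_TRAFFIC_SECRET", "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET", "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET",
}


def parse_keylog(text):
    """Return {client_random (bytes): {label: secret (bytes)}}; malformed lines raise."""
    index = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3 or parts[0] not in TLS13_LABELS | {TLS12_LABEL}:
            raise ValueError(f"line {lineno}: unrecognised record {raw!r}")
        label, rand_hex, secret_hex = parts
        if len(rand_hex) != 64:
            raise ValueError(f"line {lineno}: client random must be 32 bytes")
        if label == TLS12_LABEL and len(secret_hex) != 96:
            raise ValueError(f"line {lineno}: TLS 1.2 master secret must be 48 bytes")
        index.setdefault(bytes.fromhex(rand_hex), {})[label] = bytes.fromhex(secret_hex)
    return index


def client_random_from_client_hello(record):
    """Extract the 32-byte Random from a raw TLS ClientHello record (RFC 5246 s7.4.1.2)."""
    # record header (5) + handshake header (4) + client_version (2) + random (32) = 43 octets
    if len(record) < 43:
        raise ValueError("record too short to hold a ClientHello")
    if record[0] != 0x16:
        raise ValueError("not a handshake record")
    if record[5] != 0x01:
        raise ValueError("handshake message is not a ClientHello")
    return record[11:43]


def decryptable(index, client_hellos):
    """For each captured ClientHello, list the key-log labels covering that session (None if absent)."""
    result = {}
    for hello in client_hellos:
        rand = client_random_from_client_hello(hello)
        labels = index.get(rand)
        result[rand.hex()] = sorted(labels) if labels else None
    return result


def build_client_hello(random32):
    """Build a minimal TLS 1.2 ClientHello record around a given Random (sample data only)."""
    body = (b"\x03\x03" + random32 + b"\x00"   # client_version, random, empty session id
            + b"\x00\x02\xc0\x2f"             # one suite: ECDHE-RSA-AES128-GCM-SHA256
            + b"\x01\x00")                    # compression methods: null only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


# Constructed key log: one TLS 1.2 session (A) and one TLS 1.3 session (B); C was never logged.
RAND_A, RAND_B, RAND_C = bytes([0xA1]) * 32, bytes([0xB2]) * 32, bytes([0xC3]) * 32
SAMPLE_LOG = "\n".join([
    "# SSL/TLS secrets log file, generated by NSS",
    f"CLIENT_RANDOM {RAND_A.hex()} {(bytes([0x11]) * 48).hex()}",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {RAND_B.hex()} {(bytes([0x22]) * 32).hex()}",
    f"CLIENT_TRAFFIC_SECRET_0 {RAND_B.hex()} {(bytes([0x33]) * 32).hex()}",
])

if __name__ == "__main__":
    idx = parse_keylog(SAMPLE_LOG)
    hellos = [build_client_hello(r) for r in (RAND_A, RAND_B, RAND_C)]
    for rand, labels in decryptable(idx, hellos).items():
        print(rand[:8], "decryptable via" if labels else "NOT covered", labels or "")
```

On the command line the same lookup is `tshark -o tls.keylog_file:PATH -r capture.pcapng -Y http2` (older releases use the `ssl.keylog_file` preference name). A session that shows up as "NOT covered" was started before the variable was set or by a process that did not inherit it, which is the usual reason a decrypted capture is still mostly opaque.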
speed difference • https://http2.akamai.com/demo • For us (nginx in front of Tomcat) it means • Fewer connections • No push yet, unfortunately • Faster delivery of resources • If we have time, we'll move to Jetty, but that's a change for DEVs • Now they don't know anything about