Mass Exploits of HTTP/1.1 Start Wednesday

raindog308 Administrator, Veteran

Or so a security researcher claims/threatens. HTTP/1.1 still powers about 1/3 of the Internet.

The issue is the request smuggling attack, which HTTP/1.1 is vulnerable to.

https://lowendbox.com/blog/one-third-of-the-web-will-stop-working-in-4-days-massive-scale-cdn-compromise-starts-wednesday/

Comments

  • Wow, that's bad. I am hearing about this for the first time.

  • What are the known affected servers though...

  • @raindog308 said: HTTP/1.1 still powers about 1/3 of the Internet.

    Aehh... what does that mean? Maybe that about 1/3 of the http servers out there only support HTTP/1.1 (and not anything newer)? I'd argue that almost 100% of http servers support HTTP/1.1. So why not use that figure then? Would sound even more alarming then.

    Why would a http server supporting HTTP/2.0 not be affected when it has to handle a HTTP/1.1 request? And are all HTTP/1.1-only web servers behind a reverse proxy? (otherwise, there won't be any request smuggling anyway)

  • So what's going to happen? Interesting to see 1/3 internet blackout, let's go out and enjoy life!

  • jsgjsg Member, Resident Benchmarker

    @raindog308 said:
    Or so a security researcher claims/threatens. HTTP/1.1 still powers about 1/3 of the Internet.

    The issue is the request smuggling attack, which HTTP/1.1 is vulnerable to.

    https://lowendbox.com/blog/one-third-of-the-web-will-stop-working-in-4-days-massive-scale-cdn-compromise-starts-wednesday/

    I recommend reading - and understanding - @raindog308's linked LEB article (plus maybe Ted Unangst's article).

    Why? Because I feel that this OP's title is somewhat misleading. Actually it's about a combination of at least 3 factors:

    • a CDN or proxy (and a deranged one at that)
    • a POST request
    • a (final) http server that does header evaluation differently from the front-end (which in itself is unhealthy and bad)

    So, only a not so widespread constellation of factors allows that attack vector.

    Thanked by 2xemaps raindog308