HTTP/2, Brute! Then fall, server. Admin! Ops! The server is dead

On Tuesday, Netflix, working in conjunction with Google and CERT/CC, published a security advisory covering a series of vulnerabilities that enable denial of service attacks against servers running HTTP/2 services. HTTP/2, like earlier versions, governs the application layer of the internet stack; it runs atop the transport …

  1. DJV Silver badge

    Jonathan Looney of Netflix

    I'm sorry, but that name just creased me up!

  2. Tom Paine Silver badge


    You should totally have a virtual tipjar on Crowdfunder or whatever to get a few beers in for your sub(s) or whoever writes the headlines. "Then fall server!" It's the TavisO of headline writing.

  3. Tom Paine Silver badge


    Please do set up a crowdfunder to get a few beers in for your sub(s) or whoever writes the headlines. That one's a work of art.

  4. iron Silver badge

    But... but... Google designed HTTP/2 to be secure!


    1. sitta_europea Bronze badge


      But... but... Google designed HTTP/2 to be secure!


      Given the list of CVEs I'm not sure that there can even have been a requirements specification.

      Seems to me that some^H^H^H^Heverybody in the design department needs to go back to school.

    2. DougS Silver badge

      They designed it to be more efficient at delivering ads. Resistance to DoS attacks wasn't a consideration.

      1. Anonymous Coward

        After all, Resistance is Futile.

    3. Adam 1 Silver badge

      Absolutely no one who isn't authorized can even access it. How much more secure can it be?

  5. Claptrap314 Silver badge

    Any client doing any of these things

    should be blacklisted & reported upstream to blacklists.

    1. LeahroyNake Bronze badge

      Re: Any client doing any of these things

      Good idea until...

      My Netflix is not working.

      You have a virus that is attacking our servers.

      No I don't.

      Yes you do.

      Cancels subscription because everything else works OK.

      The virus turns out to be a pwned router, rogue client on WiFi, random user on public / cloud AP, a dodgy app on a mate's phone that you allowed to connect, the previous holder of the IP address dynamically assigned by your ISP etc.

  6. ravenstar68

    Someone really needs a refresher.

    I really dislike the wording of parts of this article.

    HTTP and HTTP 2 do not “govern the application layer of the network stack”.

    1. Michael Wojcik Silver badge

      Re: Someone really needs a refresher.

      Nor is TCP "the transport layer" or IP "the network layer".

      The OSI model does not fit TCP/IP well. It doesn't fit anything well, except rump OSI implementations such as ISODE.

      More importantly, if a reader doesn't know what HTTP/2 is, the sort of handwaving gloss that's used in the article will be no help whatsoever. It's neither correct nor usefully incorrect.

  7. Michael Wojcik Silver badge

    Hardly a surprise

    HTTP/1.1 is a badly stovepiped protocol - but then most communications protocols are, because protocol design is difficult. Also, new protocols have to be relatively uncomplicated to get traction, which inevitably means that if they become popular they'll see new use cases and feature creep which complicate the original design.

    HTTP/2, on the other hand, is a ghastly mess from the ground up. It was rushed through the IETF to jump on a Google bandwagon (or, if you prefer, to try to pull the standardization reins on a runaway Google horse). I followed some of the HTTPbis mailing list discussions for a while, but they were too depressing to continue with. All other concerns sacrificed on the altar of pushing more "content". It's almost enough to make me miss SNA.


Biting the hand that feeds IT © 1998–2019