Vulnarex | Elite Cybersecurity Learning Platform

#Beyond the Request-Response: Modernizing the Stream#link

HTTP/1.1 was slow and synchronous. To speed up the web, HTTP/2 and HTTP/3 were introduced. While they primarily focus on performance, they introduce new architectural patterns that change the attack surface of HTTPS.

HTTP/2: Multiplexing and HPACK

HTTP/2 introduced 'Multiplexing', allowing multiple requests to be sent over a single TCP connection simultaneously. However, this introduced a new attack vector: 'HTTP/2 Stream Multiplexing' can be abused to create Denial of Service (DoS) attacks by flooding the server with thousands of streams.

info

💡 HTTP/2 also uses HPACK for header compression. Because headers (like cookies) are repetitive, HPACK compresses them to save bandwidth.

STRICT SECURE AUDIT RULE

⚠️ HPACK is vulnerable to 'Compression Side-Channel' attacks similar to CRIME. If an attacker can control part of a header, they can observe the size of the compressed packet to guess the value of a secret cookie.

bash

# Checking if a server supports HTTP/2
curl -I --http2 https://google.com

Note that while the HTTP/2 spec allows for non-encrypted connections (h2c), almost every browser in existence requires HTTP/2 to be used over TLS (h2). This effectively makes TLS mandatory for the modern web.

HTTP/3 and the Shift to QUIC

HTTP/3 is a radical departure. It replaces TCP with **QUIC**, a protocol built on top of UDP. QUIC integrates the TLS 1.3 handshake directly into its own connection process, removing the 'TCP + TLS' double-handshake. This makes the connection significantly faster.

callout

The key security change in HTTP/3 is that TLS is no longer an 'option' or a 'wrapper'—it is baked into the very fabric of the QUIC protocol. You cannot have HTTP/3 without encryption.

Feature	HTTP/1.1	HTTP/2	HTTP/3 (QUIC)
Transport	TCP	TCP	UDP
Handshake	TCP $ ightarrow$ TLS	TCP $ ightarrow$ TLS	QUIC (Integrated TLS 1.3)
Concurrency	Sequential	Multiplexed	Stream-level Multiplexed
Security	Optional HTTPS	Mandatory TLS (Browsers)	Baked-in TLS 1.3

New Attack Vectors in QUIC

Because HTTP/3 uses UDP, it is more susceptible to 'Amplification Attacks'. An attacker can spoof the source IP of a QUIC packet, causing the server to send a large response to a victim's IP. To mitigate this, QUIC servers must implement 'Address Validation' tokens.

▪Enable UDP port 443 for HTTP/3
▪Implement QUIC amplification limits
▪Update load balancers to support UDP-based traffic
▪Monitor for 'Rapid Reset' attacks in HTTP/2 streams

STRICT SECURE AUDIT RULE

Many corporate firewalls still block all UDP traffic except DNS. This means HTTP/3 often fails, and the browser falls back to HTTP/2 over TCP.

quiz BLOCK (★ 50 XP)

What is the primary security advantage of HTTP/3's integration of TLS 1.3 into QUIC?

Select your proof vectors above

challenge BLOCK (★ 100 XP)

The Firewall Paradox