Multiple vulnerabilities in httpv2 proto

[bobykus]

HTTP/2: Imperva Hacker Intelligence Initiative Report Reveals Four High-Profile Flaws in the Latest Version of the Worldwide Web’s Underlying Protocol

http://investors.imperva.com/phoenix.zhtml?c=247116&p=irol-newsArticle&ID=2192322


Wonder how litespeed deal with such? Any plans for defense?

 

[mistwang]

I wonder why they left Litespeed out, we have at least more than 20% of HTTP/2 market share, if exclude contribution from CloudFlare, we are about head to head with nginx. Instead, they test some non-production ready/toy HTTP/2 servers.

By design, HTTP/2 may be vulnerable to some kind of resource abusing attack, as the connection has long keep-alive timeout, HTTPS connections are more resource intensive than regular HTTP connections, but, not likely any one can change that.

Back to the attack scenarios, only possible attack to LiteSpeed is the slow read attacks that use for taking down nginx. we will do some fine adjustment to prevent that from happening, at least, make it a lot hard to exploit it.