by robocat 2512 days ago
Thanks for the comments.

I don't see that using HTTP/2 is realistic.

(a) Are you saying that using HTTP/2 from the browser makes headers in your infrastructure secure?

(b) Some of our enterprise clients use security proxies (e.g. Cisco WSA) which do not support HTTP/2 and force connections from the browser to use HTTP/1.1. Aside: Cisco WSA is super crappy: we have recorded a repeatable corruption that passed information between HTTPS sessions (It was an obsolete device so we didn't report it to Cisco or the client - but I would bet good money there are plentiful major security flaws with Cisco WSA).

(c) If you are suggesting using HTTP/2 between frontend and backend, that seems unrealistic to implement.

From other thread:

> If you have a front-end and a back-end, and they talk to each other using HTTPS, that's exploitable

I couldn't understand how - surely packets would be completely broken (how can you append a valid packet to an HTTPS request, or get a valid HTTPS reply to another connection?)

Perhaps a spiffy name, an icon, and a cool website would give this more visibility HAHA!

PS: I am surprised this isn't getting more attention on HN - it seems like a really fatal security issue that will affect heaps of sites - oh well.

1 comment

I'm suggesting using HTTP/2 between the frontend and backend. I'm saying this is the only reliable fix, not that it's easy to implement.

Regarding HTTPS between the frontend and backend, remember that's just HTTP over a TLS stream instead of TCP. As long as the frontend still reuses these TLS streams, it's exploitable. To be clear, this is in a scenario where the front-end terminates the HTTPS connection from the client then routes requests over a pool of persistent HTTPS connections to the backend. Does that make sense? Since I've been exploiting this from a black-box perspective, I can't really tell for sure whether I've successfully exploited any websites actually doing this.

And yeah it would have been nice if this had done better on HN but between presenting it at two major security conferences and adding automated detection to a popular web scanner, it ought to achieve decent awareness over the next few months. Hopefully.
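The following is an added example, not code from either commenter, illustrating the point in the reply above (and answering the "how can you append a valid packet" question from the earlier comment): TLS only wraps the byte stream, so if a front-end and a back-end apply different HTTP/1.1 body-length rules to the same bytes, they disagree about where one request ends and the next begins, and on a reused back-end connection the leftover bytes become a prefix of a different client's request. The stream, host name and paths are constructed sample data; the final function is the framing check a front-end should apply (per RFC 7230 section 3.3.3) before forwarding a request over a pooled connection.

```python
"""Added example (not part of the HN thread): two HTTP/1.1 framing rules applied
to one constructed byte stream, plus the framing check a front-end should run
before reusing a back-end connection.  All sample data below is constructed."""

import re

CRLF = b"\r\n"


def parse_head(stream, start):
    """Split the request head beginning at `start` into
    (request_line, headers, body_start).  Header names are lower-cased and
    repeated names are collected in a list so duplicates stay visible."""
    end = stream.index(CRLF + CRLF, start)
    lines = stream[start:end].decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, end + 4


def frame_by_content_length(stream, start):
    """Framing rule A: body length is taken from Content-Length only."""
    request_line, headers, body_start = parse_head(stream, start)
    length = int(headers.get("content-length", ["0"])[0])
    return request_line, body_start + length


def frame_by_chunked(stream, start):
    """Framing rule B: if Transfer-Encoding: chunked is present, walk the chunks
    up to the zero-size terminator; otherwise fall back to Content-Length."""
    request_line, headers, body_start = parse_head(stream, start)
    if "chunked" not in [v.lower() for v in headers.get("transfer-encoding", [])]:
        return frame_by_content_length(stream, start)
    pos = body_start
    while True:
        line_end = stream.index(CRLF, pos)
        size = int(stream[pos:line_end].split(b";")[0], 16)  # chunk-size; drop extensions
        pos = line_end + 2
        if size == 0:
            # Last chunk: skip any trailer section up to the empty line that ends it.
            return request_line, stream.index(CRLF + CRLF, line_end) + 4
        pos += size + 2  # chunk data plus its trailing CRLF


def split_stream(stream, framer):
    """Consume the whole stream with one framing rule; return the request lines seen."""
    seen, pos = [], 0
    while pos < len(stream):
        request_line, pos = framer(stream, pos)
        seen.append(request_line)
    return seen


# Constructed sample: one client's POST followed, on the same reused back-end
# connection, by a different client's GET.  The POST carries two conflicting
# framing headers: Content-Length counts 6 body bytes ("0\r\n\r\nX"), while the
# chunked rule stops after the "0\r\n\r\n" terminator and leaves "X" unread.
SAMPLE_STREAM = (
    b"POST /submit HTTP/1.1\r\n"
    b"Host: backend.example\r\n"
    b"Content-Length: 6\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"0\r\n"
    b"\r\n"
    b"X"
    b"GET /health HTTP/1.1\r\n"
    b"Host: backend.example\r\n"
    b"\r\n"
)


def framing_is_unambiguous(headers):
    """Defensive check for a front-end: forward a request only if its body length
    is fixed by exactly one rule.  Reject when both Content-Length and
    Transfer-Encoding are present, when Content-Length is repeated with differing
    or non-numeric values, or when Transfer-Encoding is anything but one 'chunked'."""
    cl = headers.get("content-length", [])
    te = headers.get("transfer-encoding", [])
    if cl and te:
        return False
    if len(set(cl)) > 1 or any(not re.fullmatch(r"[0-9]+", v) for v in cl):
        return False
    if te and [v.lower() for v in te] != ["chunked"]:
        return False
    return True


def front_end_view():
    """Request boundaries as a Content-Length-only front-end would see them."""
    return split_stream(SAMPLE_STREAM, frame_by_content_length)


def back_end_view():
    """Request boundaries as a chunked-preferring back-end would see them."""
    return split_stream(SAMPLE_STREAM, frame_by_chunked)


def first_request_accepted():
    """Whether the front-end check would let the sample POST reach the back-end."""
    _, headers, _ = parse_head(SAMPLE_STREAM, 0)
    return framing_is_unambiguous(headers)


if __name__ == "__main__":
    print("front-end framing:", front_end_view())
    print("back-end framing: ", back_end_view())
    print("forward first request?", first_request_accepted())
```

Run as a script, the two views differ: the front-end sees a clean `GET /health` as the second request, while the back-end sees `XGET /health`, a corrupted request line built from bytes the other client never sent. Nothing about TLS changes this, because both parsers operate on the decrypted stream. Rejecting any request that fails `framing_is_unambiguous` (or closing the back-end connection after it) removes the ambiguity for HTTP/1.1; HTTP/2 removes it structurally, since every frame carries an explicit length, which is why the reply above calls it the only reliable fix.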