-
Notifications
You must be signed in to change notification settings - Fork 30.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
HTTP/2 frames are serialised one per TLS record #32924
Comments
Ping @jasnell |
This is weird, #27861 solved this exact problem... This seems like a regression.
TLS sockets should support |
Interesting. Worth looking at again. It's possible that this ended up being resolved since the issue was reported. Likely worth retesting and/or backporting if it hasn't been. (I don't know offhand if it has or hasn't) |
Great! |
#27861 was released on v12.4.0 at June and this bug was reported on September. I think it's safe to assume the bug is fixed, is there anything left to do before we can close this? |
[ previously reported on HackerOne and judged to be low enough severity to open here ]
Summary: NodeJS's HTTP/2 client serialises each HTTP/2 request in a separate TLS record, exposing information to attackers performing traffic analysis.
Description: One of the design goals of HTTP/2 is to make traffic analysis more difficult, by multiplexing multiple requests on the same connection. However, NodeJS's HTTP/2 client side appears to send each request (HEADERS frame) in a separate TLS record, which makes this delineation -- and importantly, the sizes of the requests) -- apparent to observers on the network.
Steps To Reproduce:
Impact: makes the lives of traffic analysis attackers easier. While NodeJS isn't a browser, it's used by a broad variety of applications, and I'd be a bit surprised if someone somewhere wasn't using it as a client in a situation where this wasn't a risk.
In particular, this information could be used to observe the differences in the sizes of requests, thereby allowing an attacker to "fingerprint" the activity more accurately.
This information could also be used by an attacker to more effectively perform attacks like CRIME, BEAST, etc.
Supporting Material/References:
See attached tarball containing a demo client and server - nodetest.zip
Annotated screenshot from Wireshark:
The text was updated successfully, but these errors were encountered: