4431 matches found
What is HTTP/2 ? Next-Gen Protocol For Faster and Safer Internet
Good news for Internet folks! Get ready, as the entire web you know is about to change. The new and long-awaited version of HTTP took a major step toward becoming a reality on Wednesday – it has been officially finalized and approved. Mark Nottingham, chairman of the Internet Engineering Task Force...
openSUSE Security Update : MozillaFirefox (openSUSE-SU-2014:1581-1)
This MozillaFirefox update fixes several security and non-security issues. Changes in MozillaFirefox: - update to Firefox 34.0.5 bnc908009 - Default search engine changed to Yahoo! for North America - Default search engine changed to Yandex for Belarusian, Kazakh, and Russian locales - Improved...
CVE-2014-1582
The Public Key Pinning (PKP) implementation in Mozilla Firefox before 33.0 does not properly consider the connection-coalescing behavior of SPDY and HTTP/2 in the case of a shared IP address, which allows man-in-the-middle attackers to bypass an intended pinning configuration and spoof a web site b...
CVE-2014-1582
CVE-2014-1582 affects Mozilla Firefox prior to 33.0, where the Public Key Pinning (PKP) implementation fails to account for SPDY/HTTP2 connection-coalescing on shared IPs, allowing a MITM to bypass pins and spoof a site with a valid certificate from any recognized CA. The issue is tied to Firefox...
Firefox < 33.0 Multiple Vulnerabilities
The version of Firefox installed on the remote Windows host is a version prior to 33.0. It is, therefore, affected by the following vulnerabilities : - Multiple memory safety flaws exist within the browser engine. Exploiting these, an attacker can cause a denial of service or execute arbitrary...
Key pinning bypasses — Mozilla
Mozilla developer Patrick McManus reported a method to use SPDY or HTTP/2 connection coalescing to bypass key pinning on different sites that resolve to the same IP address. This could allow the use of a fraudulent certificate when a saved pin for that subdomain should have prevented the connectio...
HTTP/2 Supports only HTTPS URIs
The head of the working group designing the next version of HTTP said the HTTP/2 protocol will work only with encrypted URIs. “I believe the best way that we can meet the goal of increasing use of TLS on the Web is to encourage its use by only using HTTP/2.0 with https:// URIs,” wrote Mark...
HyperText Transfer Protocol (HTTP) Information
This test gives some information about the remote HTTP protocol - the version used, whether HTTP Keep-Alive is enabled, etc. This test is informational only and does not denote any security problem. (C) Tenable Network Security, Inc. include("compat.inc"); if(description) { script_id(24260);...
Denial of Service via HTTP/2 CONTINUATION Frames
amphp/http will collect HTTP/2 CONTINUATION frames in an unbounded buffer and will not check the header size limit until it has received the END_HEADERS flag, resulting in an OOM crash. amphp/http-client and amphp/http-server are indirectly affected if they're used with an unpatched version of...
Denial of Service via HTTP/2 CONTINUATION Frames
Early versions of amphp/http-client with HTTP/2 support (v4.0.0-rc10 to 4.0.0) will collect HTTP/2 CONTINUATION frames in an unbounded buffer and will not check the header size limit until it has received the END_HEADERS flag, resulting in an OOM crash. Later versions of amphp/http-client v4.1.0-rc1...