#HTTP2

2025-11-18

[Translation] PPP-over-HTTP/2: having fun with dumbproxy and pppd

This article explains how to get pppd and dumbproxy to work together, ending up with a PPP tunnel inside HTTP/2. It can be read at once as a setup guide, an experiment log, a demo of dumbproxy's capabilities, and simply food for curiosity.

habr.com/ru/articles/967706/

#PPP #HTTP #HTTPS #HTTP2 #pppd #dumbproxy

2025-10-24

[Translation] HTTP/3 support in Java: what's new in JDK 26 and how to use it

JDK 26 brings long-awaited HTTP/3 support to the standard HttpClient class. Although the API itself has hardly changed, you can now explicitly state a preference for HTTP/3 at both the client level and the request level. This new translation from the Spring АйО team describes in detail how HTTP version selection works, what Http3DiscoveryMode is, how to force the use of HTTP/3, and how HttpClient "learns" from alt-svc headers.

habr.com/ru/companies/spring_a

#java #kotlin #http #http2 #http_3 #http_30 #jdk #jdk_26 #spring #spring_boot

2025-10-19

[Translation] HTTP edge cases every API developer should understand

In February of last year, CVE-2024-26141 was discovered in Rack, the web server interface underlying practically every Ruby on Rails application. The vulnerability was simple: it was enough to send a file request with a hundred byte ranges, and Rack would generate an unexpectedly large response. Production servers could be attacked with single HTTP requests until they ran out of memory or bandwidth. Making matters worse, the bug affected a wide range of versions, from 1.3.0 onward, which meant that applications written since 2011 were vulnerable. Many developers spent their entire weekends installing patches. This is an example of how a simple, incorrectly handled HTTP edge case can cause significant damage. And not because we are bad developers, but because HTTP is complex. In the ideal case everything works wonderfully. But then production happens.

habr.com/ru/articles/955702/

#http #http2 #http3 #уязвимости

2025-09-25

Upgrading my WordPress Server to Ubuntu 24.04 LTS

Upgraded my long-running DigitalOcean droplet from Ubuntu 22.04 (Jammy Jellyfish) to 24.04 (Noble Numbat). Snapshots, backups, dependency churn — tense but worth it.

islandinthenet.com/upgrading-w

Terminal output showing apt resolving package dependencies during Ubuntu 24.04 upgrade, with lines indicating "Considering", "Holding", "Removing", and "Broken" packages.
Qiita - Popular Articles (qiita@rss-mstdn.studiofreesia.com)
2025-09-11

Trying out communication over h2c (HTTP/2 cleartext) [Part 1: Backend (Go/Node.js/Python) services]
qiita.com/ssc-ksaitou/items/a1

#qiita #Python #Go #Node_js #http2 #h2c

🐦‍🔥nemo™🐦‍⬛ 🇺🇦🍉 (nemo@mas.to)
2025-08-16

🚨 New #MadeYouReset DoS attack exploits HTTP/2 protocol quirks to stealthily exhaust server resources! Discovered by researchers at Tel Aviv University, it forces servers to reset connections while secretly processing requests, causing severe disruption. Patch now to stay protected! 🔒⚡️

More info: cyberinsider.com/new-madeyoure

#Cybersecurity #DDoS #HTTP2 #InfoSec
#newz

HTTP 1.1 is broken ... HTTP2 is broken ... let's go back to gopher.

‘MadeYouReset’ HTTP2 Vulnerability Enables Massive DDoS Attacks

securityweek.com/madeyoureset-

#http2 #DoS

Mima-sama (mima@makai.chaotic.ninja)
2025-08-13

I wonder if #nginx is vulnerable to #HTTP2 #MadeYouReset

Inautilo (inautilo)
2025-08-12


Server-side HTTP prioritization support · “Correct HTTP prioritization can’t always be relied upon.” ilo.im/165qa6

_____

panigrc (panigrc)
2025-07-21

@me Also change your configuration to support this will make the multiple requests much faster.

for example supports http2 out of the box

2025-07-15

#TIL: There are two ways to trigger use of the #HTTP3 / #QUIC #protocol in #webbrowsers:

#Chromium and #Firefox #browsers always start with #HTTP1 / #HTTP2, look for the “alt-svc” header in the response and switch to HTTP3 for subsequent requests if they find it. I knew that much.

But #Safari will instead query #DNS for the "#HTTPS" record and use that as a trigger. So it can work HTTP3-only for the cost of an additional DNS query. Unfortunately, the record type isn't widely supported yet.

Stefan Eissing (icing@chaos.social)
2025-07-14

A detailed description of CVE-2025-53020, a DoS vulnerability in the HTTP/2 implementation of Apache httpd. Fixed in 2.4.64.
#apache #httpd #http2

github.com/icing/blog/blob/mai

Neustradamus (neustradamus)
2025-06-25

1.29.0 has been released ( / / / / / / / ) nginx.org/

2025-06-14

My FOSS SSLproxy Needs HTTP/2 Support for Next-Gen Network Security (The "Invisible Threat" is Growing)

I'm the long-time maintainer of SSLproxy (and the co-maintainer of SSLsplit), a unique open-source transparent SSL/TLS proxy. Its core strength lies in its ability to decrypt and divert network traffic to other security tools (like E2guardian, Snort IPS, POP3 proxy, SMTP proxy, Virus and Spam scanners as in my UTMFW firewall) for deep SSL inspection. It's truly the only FOSS tool offering this transparent, real-time diversion capability to enable UTM services on encrypted streams. (For context: popular tools like mitmproxy, while powerful, expect you to write/use extensions for inspection rather than diverting traffic for existing services.)

The Problem: HTTP/2 is Hiding Threats in Plain Sight

In 2025, nearly a third of all websites have adopted HTTP/2. Here's the critical challenge for open-source cybersecurity: Current FOSS security tools, including SSLproxy and many downstream listening programs (like E2guardian, Squid, Snort), often cannot fully understand or process this HTTP/2 traffic in real-time. This is a significant gap, as commercial closed-source firewalls and libraries do offer real-time HTTP/2 SSL inspection capabilities. (For context: there are open/closed-source solutions for offline analysis.)

Currently, SSLproxy either prevents HTTP/2 upgrade or allows you to bypass HTTP/2 traffic using its powerful filtering features. However, neither offers the deep, real-time inspection needed for comprehensive security.

This creates a dangerous "translation gap" in the open-source ecosystem, where a growing portion of encrypted internet traffic is effectively invisible to real-time deep inspection, forcing reliance on proprietary solutions for full visibility.

Why This Matters for You:

  • Deep Inspection is Blind: Without real-time HTTP/2 support, the vast majority of modern encrypted traffic bypasses essential content filtering, intrusion detection, and virus scanning that FOSS tools could otherwise provide.
  • Essential for UTM: Projects like my UTMFW heavily rely on SSLproxy to feed decrypted traffic into their core services. Lacking HTTP/2 support in SSLproxy (and integrated UTM services) means a critical blind spot in next-gen firewall capabilities.
  • Security Professionals Need It: If you're a cybersecurity professional relying on FOSS tools to inspect TCP, SSL/TLS, and HTTPS traffic for analysis, this directly impacts your ability to gain full visibility into modern network communications.

The Solution & The Challenge Ahead:

SSLproxy must evolve to natively speak HTTP/2 and transparently translate it back to HTTP/1 for seamless integration with existing downstream security tools. This is a substantial engineering effort, requiring the integration of complex libraries like nghttp2 and nghttpx, and a dedicated focus.

How You Can Help Fuel This Critical Work:

My FOSS projects are fueled by a deep commitment to open-source security, but developing and maintaining these complex, vital features demands significant time and resources. If you or your organization benefit from open-source network security tools like SSLproxy, your support is invaluable.

Sponsorship enables me to dedicate full-time effort to delivering crucial advancements like comprehensive HTTP/2 support, improved TLS compatibility, Windows support, and much more.

You can learn more about SSLproxy, UTMFW, and my other projects, including the full roadmap, here:

➡️ My New Website: https://sonertari.github.io

➡️ GitHub Project Boards (Full Roadmap): https://github.com/sonertari?tab=projects

#FOSS #Cybersecurity #NetworkSecurity #OpenSource #InfoSec #SSLproxy #UTMFW #HTTP2 #Firewall #IPS #Sponsorship #ComixWall
