HTTP 1.1 Must Die! The Desync Endgame
James Kettle
DEF CON 33 · Day 2 · Main Stage
James Kettle's fourth annual DEF CON session on HTTP desync attacks represents both the culmination of a multi-year research program and a sobering conclusion: the attack class has not been resolved,
AI review
James Kettle closes out his multi-year HTTP desync research arc by demonstrating that the migration to HTTP/2 has made the attack surface worse, not better. The talk introduces server-side pause-based desync (a technique requiring no CL/TE header ambiguity), H2.TE downgrade attacks, and a PayPal full login-page takeover case study, and calls for the industry to retire HTTP/1.1 as an inter-server protocol.