An initial study of the effect of pipelining in hiding HTTP/2.0 response sizes
This work addresses a security vulnerability for web users by showing that HTTP/2.0's assumed protection against response size attacks is incomplete; the contribution is incremental in nature.
The study investigated whether HTTP/2.0 pipelining effectively hides response sizes to prevent side-channel attacks, finding that it provides limited protection and proposing a model that improves response matching and attack performance.
HTTP response size is a well-known side channel for attacks. With the deployment of HTTP/2.0, response size attacks are generally dismissed with the argument that pipelining and response multiplexing prevent eavesdroppers from finding out response sizes. Yet the extent to which pipelining and response multiplexing actually hide HTTP response sizes has not been adequately investigated. In this paper we set out to help understand the effect of pipelining in hiding the size of web objects on the Internet. We conduct an experiment that provides browser-side HTTP response sizes and network-captured TLS record sizes, and show how the model that we propose for estimating response sizes from TLS record sizes improves response matching and attack performance. In this process we gather evidence on how different implementations of HTTP/2.0 web servers generate different side-channel information, and on the limited amount of pipelining and response multiplexing used on the Internet today.