Danilo Gligoroski is a professor of Information Security and Cryptography at the Department of Telematics, at the Norwegian University of Science and Technology – Trondheim, Norway. He received his Ph.D. at the Ss. Cyril and Methodius University of Skopje in 1997 in the field of Computer Science. His research interests are Cryptography, Computer Security, Discrete algorithms, Information Theory and Coding.
Security issues of HTTP/2.0
HTTP/2.0 is the latest work in progress of the IETF to improve the old HTTP/1.1 protocol. The intention is to have a faster protocol that is more secure and uses fewer resources than HTTP/1.1. The final draft is scheduled for autumn 2014. For information security specialists and managers, it is very important to know that there is currently a hot debate as to whether HTTP/2.0 should have mandatory TLS encryption for all traffic. The proponents of this idea claim that all trivial attacks that listen in on unencrypted web traffic will obviously be gone forever and that general security will be significantly increased. On the other hand, the opponents also have several arguments: (1) insisting on the mandatory use of TLS may hinder widespread adoption of the new protocol; (2) the current design of TLS allows widespread abuse of the man-in-the-middle attack by government organizations that can force (or trick) the Certificate Authorities into giving them information about their root certificates; (3) a sudden switch to all-HTTPS web traffic will be an instant intervention in the market for digital certificates, and will drive the prices of digital certificates significantly higher than they currently are. In this talk, I will discuss all the benefits, challenges and concerns about the information security issues of the upcoming HTTP/2.0 protocol.