(upb-syssec.github.io)

62 points ArinaS | 2 comments | 14 Apr 25 18:23 UTC | HN request time: 0.009s | source

Show context

puttycat ◴[14 Apr 25 20:51 UTC] No.43686191[source]▶

>>43684492 (OP) #

Nice research, but I can only guess that this was fixed ten minutes after the report was published?

replies(1): >>43686354 #

wongarsu ◴[14 Apr 25 21:08 UTC] No.43686354[source]▶

>>43686191 #

The article also notes

> Despite no web browser implementing unencrypted HTTP/2, we detect that up to 6.28% of websites support unencrypted HTTP/2 traffic.

My own experience with trying to use unencrypted http/2 between two docker containers was that it was easier to use a self-signed certificate than to get my libraries to use unencrypted http/2. If I was in charge of the Chinese firewall this would be pretty far down on my list of holes to close up

replies(2): >>43687499 #>>43688579 #

1. pcthrowaway ◴[14 Apr 25 23:44 UTC] No.43687499[source]▶

>>43686354 #

I imagine a forward proxy that attempts to connect to a remote host via unencrypted HTTP/2 would make it trivial to access 6.28% of websites, regardless of whether web browsers support it?

No idea whether this is going to be a priority for censoring states to prevent though... wasn't there already talk that China is poised to lift the great firewall anyway?

replies(1): >>43688820 #

2. fsckboy ◴[15 Apr 25 03:50 UTC] No.43688820[source]▶

>>43687499 (TP) #

>wasn't there already talk that China is poised to lift the great firewall anyway?

considering what happened in Hong Kong, I can't imagine the lifted firewall decision would last very long at all. But for that window, it would be the best of both worlds, with the rest of us enjoying eternal jiǔyuè (九月)

↑

Censors Ignore Unencrypted HTTP/2 Traffic (2024)