Akamai Diversity

The Akamai Blog

Passive HTTP2 Client Fingerprinting - White Paper

HTTP2 is the second major version of the HTTP protocol. It changes the way HTTP is transferred "on the wire" by introducing a full binary protocol, made up of TCP connections, streams and frames, rather than simply being a plain-text protocol. Such a fundamental change between HTTP/1.x to HTTP/2, meant that client side and server side implementations had to incorporate completely new code to support new HTTP2 features - this fact, introduces nuances in protocol implementations, which in turn, might be used to passively fingerprint web clients.

According to this HTTP2 Adoption site, there are approximately 241,000 domains that announced support for HTTP2 as of November 16, 2016. Among them, you can find Google, Amazon, Blogspot, Wikipedia and Wordpress, among others. Akamai is among the first to implement HTTP2 on its network, allowing each client to communicate with the Akamai network over HTTP2.

Akamai's Threat Research team recently conducted a research on the possibility of passively fingerprinting HTTP2 clients based on unique implementation features. The paper also proposes a format for passive HTTP2 fingerprints, as well as a few examples of unique fingerprints belonging to common clients and implementations.

The ability to passively fingerprint HTTP2 client implementations can be leveraged in multiple ways such as - detecting web bots and automated web attack tools, detecting anonymous proxies & VPNs and also better and more confident detection of the true device and client type.

Link to whitepaper: https://www.akamai.com/uk/en/multimedia/documents/white-paper/passive-fingerprinting-of-http2-clients-white-paper.pdf