A4 - HTTP2 Trace Analysis

250 points

In this assignment, you will capture and analyze a network trace between your browser and a Web server. Web servers and proxies are among the most widely deployed server applications, powering the websites that we visit every day. The protocol behind the Web, the HyperText Transfer Protocol (HTTP), started out as a simple plain-text protocol built on top of TCP. The most widely used plain-text version of the protocol is HTTP/1.1.

As the Web evolved, the number of protocol extensions kept increasing, and the size of websites, or Web applications, grew together with the number of users. HTTP/2, which came out many years later, was designed to improve HTTP performance and to fold several of these extensions into one standard. Three important improvements introduced in HTTP/2 are:

Although a newer version of HTTP, called HTTP/3, exists, we focus in this assignment on HTTP/2. The most important change from HTTP/2 to HTTP/3 is that HTTP/3 runs over UDP instead of TCP: connection management and reliable delivery are no longer provided by the kernel's transport layer but by QUIC, which is implemented on top of UDP, typically in user space as part of the application. For further reading on how HTTP/3 implements these changes, see QUIC. To obtain an overview of the HTTP protocol versions and their implementations, we recommend reading the articles published by Mozilla.


Assignment

You are going to interact with a web server that is both HTTP/1.1- and HTTP/2-enabled, and see how HTTP requests and responses look in practice. First, you are going to take a look at HTTP/1.1, and then at HTTP/2.

Web browsers only support HTTP/2 when it is served over Transport Layer Security (TLS), so the URL starts with https://. Wireshark captures every packet between your system and the Web server, but TLS is designed to resist Man-in-the-Middle (MITM) attacks, so the captured payloads are ciphertext that Wireshark cannot read on its own. To see the HTTP/2 messages we therefore have to give Wireshark the TLS session secrets: the browser is started with the SSLKEYLOGFILE environment variable set, which makes it write the secrets of every TLS session it opens to that file, and Wireshark uses the file to decrypt the capture. This is not an attack on TLS; it only works because one endpoint, your own browser, cooperates by exporting its keys. Anyone who obtains the key log file together with the capture can decrypt the same traffic, so treat the file as a secret and delete it once you are done. This setup is also an example of protocol encapsulation: HTTP/2 frames are carried inside TLS records, which are carried inside TCP segments!


Setup

1

Install Wireshark

Install Wireshark for your operating system. If you are on Windows and used Wireshark for WSL before, please install the Windows compatible version for this assignment.

2

Close all browser instances

In order for our setup to work, you must close all browser instances open on your computer; a browser that is already running will not pick up the environment variable set in the next step, and the new window would simply attach to the old process. Have Wireshark running and capturing before you launch the browser, because Wireshark can only decrypt a TLS session whose handshake is in the trace.

3

Execute terminal script

Depending on your platform, you will have to execute different commands to open your browser. If you are on Windows, open a Command Prompt (not the Ubuntu/WSL terminal). If you are on macOS or Linux, open a terminal as normal. In each case SSLKEYLOGFILE must be set in the same shell that starts the browser, so that the browser process inherits the variable. If the key log file stays empty after you have browsed the site, start the browser executable directly from that terminal instead of through start, open or xdg-open.

On Windows, execute the commands below. Note that if you are running a browser other than Google Chrome, you might need to adjust the command manually.

SET SSLKEYLOGFILE=%userprofile%\keylogfile.txt
start chrome http://212.132.114.68:8080

On macOS, execute the following commands:

export SSLKEYLOGFILE="$HOME/keylogfile.txt"
open "http://212.132.114.68:8080"

On Linux, execute the following commands:

export SSLKEYLOGFILE="$HOME/keylogfile.txt"
xdg-open "http://212.132.114.68:8080"

4

Configure Wireshark

Open Wireshark and select your active network interface (you can judge which one it is by the activity graph next to its name) to start capturing. Then go to Edit (in the menu bar) → Preferences → Protocols → TLS. Press the “Browse” button next to “(Pre)-Master-Secret log filename”, and select the file named keylogfile.txt in your home directory. From then on Wireshark decrypts every TLS session for which the file holds a matching entry, and the decrypted HTTP/2 frames appear in the packet list and packet details; the display filter http2 shows only those packets.
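Before pointing Wireshark at the key log, it is worth knowing what the file actually contains, since it is the thing that turns the captured ciphertext back into HTTP/2. The script below is an added example, not part of the original assignment or of Wireshark: it parses the NSS key log format that browsers write to SSLKEYLOGFILE (one line per secret: a label, the 32-byte client random of the session and the secret, all in hex) and reports which sessions Wireshark will be able to decrypt. The embedded key log is constructed for the example; the function and variable names are this example's own.

```python
"""Check what an SSLKEYLOGFILE (NSS key log format) contains before handing it to Wireshark."""
import re
import sys
from collections import defaultdict

# One secret per line: "<LABEL> <client_random hex> <secret hex>".  A TLS 1.2 session is a
# single CLIENT_RANDOM line (48-byte master secret); a TLS 1.3 session is one line per
# derived secret, all keyed by the same client random.
LINE_RE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]{64}) ([0-9a-fA-F]+)$")
TLS13_APP_SECRETS = {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}

# Constructed sample (not a real browser key log): one TLS 1.2 session, one complete
# TLS 1.3 session, and one TLS 1.3 handshake that never reached application data.
SAMPLE_KEYLOG = "\n".join([
    "# constructed sample",
    "CLIENT_RANDOM " + "aa" * 32 + " " + "11" * 48,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "bb" * 32 + " " + "22" * 32,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + "bb" * 32 + " " + "33" * 32,
    "CLIENT_TRAFFIC_SECRET_0 " + "bb" * 32 + " " + "44" * 32,
    "SERVER_TRAFFIC_SECRET_0 " + "bb" * 32 + " " + "55" * 32,
    "EXPORTER_SECRET " + "bb" * 32 + " " + "66" * 32,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "cc" * 32 + " " + "77" * 32,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + "cc" * 32 + " " + "88" * 32,
])


def parse_keylog(text):
    """Return {client_random: {label: secret}}; comments and blank lines are skipped,
    anything else that is not a well-formed entry raises ValueError."""
    sessions = defaultdict(dict)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = LINE_RE.match(line)
        if not match:
            raise ValueError(f"line {lineno}: not in NSS key log format: {line[:40]!r}")
        label, client_random, secret = match.groups()
        sessions[client_random.lower()][label] = secret.lower()
    return dict(sessions)


def decryptable_sessions(sessions):
    """Map client_random -> TLS version for sessions Wireshark can decrypt end to end.
    Wireshark matches the client random against the ClientHello in the capture, so the
    handshake itself must be in the trace as well."""
    result = {}
    for client_random, labels in sessions.items():
        if len(labels.get("CLIENT_RANDOM", "")) == 96:          # 48-byte master secret
            result[client_random] = "tls1.2"
        elif TLS13_APP_SECRETS <= labels.keys():                # both application traffic secrets
            result[client_random] = "tls1.3"
    return result


def summarize(text):
    """The counts a practitioner wants before pointing Wireshark at the file."""
    sessions = parse_keylog(text)
    usable = decryptable_sessions(sessions)
    return {"sessions": len(sessions), "decryptable": len(usable),
            "tls1.2": sum(v == "tls1.2" for v in usable.values()),
            "tls1.3": sum(v == "tls1.3" for v in usable.values())}


if __name__ == "__main__":
    # Usage: python3 keylog_check.py ~/keylogfile.txt   (falls back to the constructed sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_KEYLOG
    print(summarize(text))
```

A session that shows only handshake secrets (the third one in the sample) is what you get when a connection is torn down before application data flows, for instance when the browser rejects the server certificate before you click through the warning; Wireshark can decrypt its handshake but there is no HTTP/2 to see.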


Questions to answer

To complete the assignment, you must answer the following questions in a PDF document, which you will submit in CodeGrade. While performing the analysis, please keep track of the steps you took to record and obtain information about packets.

In your submission, include for all questions both the answer and a comprehensive explanation of the procedure used during analysis to obtain the answer. You may include screenshots, steps, difficulties, challenges, and discoveries encountered towards obtaining the answer. Every question must be answered under a clearly separated title in your document.

While performing the steps below, you will get a certificate error from your web browser, warning you that the connection is not safe. The server's certificate is not issued by a certificate authority your browser trusts, so the browser cannot distinguish this server from a man-in-the-middle presenting its own certificate. For a real website this would be a problem, but for our assignment it is fine. You can ignore the error by pressing Advanced and then clicking the link at the bottom (Proceed to 212.132.114.68 (unsafe)).

  1. Navigate to http://212.132.114.68:8080. Click on the links and familiarize yourself with how the website looks. Look at the Wireshark trace and identify the packets that go from the client to the server, and the ones that go from the server to the client.

  2. Click on “Click for HTTP request information”. You will see the HTTP headers that the server received from your browser. Now look in Wireshark. Are the HTTP headers that the browser sends to the server the same as the ones on the screen? If there are differences, what are they?

  3. What do the headers mean?

  4. Reload the page, first by pressing F5, then by pressing Ctrl+F5. Are the headers different if you press CTRL when refreshing? Why? What do the changed headers mean?

  5. Navigate to http://212.132.114.68:8080/gophertiles. You will see a picture made of smaller tiles loading. Can you find the request and response for each of the tiles in Wireshark? How does the server know which tile to serve? You may observe that your browser uses more than one TCP connection to load the tiles. Why is this happening? How can you find in Wireshark how many TCP connections your browser uses, and which connection is used for every tile? How many connections are used?

  6. Navigate to https://212.132.114.68:4430. What does this request look like in Wireshark? Are the headers and the page’s content separated? How does the decrypted response differ compared to the HTTP/1.1 version?

  7. Navigate to https://212.132.114.68:4430/gophertiles. Once again, an image made of tiles is shown, but it loads much faster. As you select higher latencies from the top-left corner, no matter what you select, the HTTP/2-enabled page loads much faster. Why is this the case? What do the client’s requests for the tiles look like, and what is the difference compared to the HTTP/1.1 version? What do the server’s responses look like? How many TCP connections does the browser use to load the tiles in the HTTP/2 version, and why is it the case?

  8. As HTTP/1.1 and HTTP/2 look completely different on the wire, there needs to be a way for the server and client to communicate which version to use, in a backward-compatible way. This is done through Application-Layer Protocol Negotiation, encoded as a TLS extension. Identify the negotiation in the Wireshark trace.
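Questions 6 and 7 ask what HTTP/2 looks like once decrypted: instead of a text request line, headers and a blank line, every message is a sequence of binary frames with a 9-byte header, headers are HPACK-compressed in HEADERS frames and the body travels in separate DATA frames, and all streams share one TCP connection. The following is an added example, not code from the assignment or from Wireshark: a frame parser plus a minimal HPACK decoder (indexed fields, literals, the dynamic table; no Huffman coding), applied to a constructed two-stream exchange in both directions. The request and response bytes are built here for illustration and are not a capture; the function names are this example's own. In Wireshark the same structure is visible with the http2 display filter, the http2.streamid field tells you which stream a frame belongs to, and tcp.stream tells you which TCP connection carries it.

```python
PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"      # the client sends this once, before any frame
FRAME_TYPES = {0: "DATA", 1: "HEADERS", 2: "PRIORITY", 3: "RST_STREAM", 4: "SETTINGS",
               5: "PUSH_PROMISE", 6: "PING", 7: "GOAWAY", 8: "WINDOW_UPDATE", 9: "CONTINUATION"}
# Subset of the HPACK static table (RFC 7541, Appendix A): index -> (name, value)
STATIC = {1: (":authority", ""), 2: (":method", "GET"), 3: (":method", "POST"), 4: (":path", "/"),
          7: (":scheme", "https"), 8: (":status", "200"), 13: (":status", "404"), 31: ("content-type", "")}

def frame(ftype, flags, stream_id, payload):
    # 9-byte header: 24-bit length, 8-bit type, 8-bit flags, 1 reserved bit + 31-bit stream id
    return len(payload).to_bytes(3, "big") + bytes([ftype, flags]) + stream_id.to_bytes(4, "big") + payload

def parse_frames(data):
    """Split one direction of a connection into (type, flags, stream_id, payload) tuples."""
    if data.startswith(PREFACE):
        data = data[len(PREFACE):]
    frames, pos = [], 0
    while pos < len(data):
        length = int.from_bytes(data[pos:pos + 3], "big")
        ftype, flags = data[pos + 3], data[pos + 4]
        stream_id = int.from_bytes(data[pos + 5:pos + 9], "big") & 0x7FFFFFFF
        payload = data[pos + 9:pos + 9 + length]
        if len(payload) != length:
            raise ValueError(f"truncated frame at offset {pos}")
        frames.append((FRAME_TYPES.get(ftype, f"type{ftype}"), flags, stream_id, payload))
        pos += 9 + length
    return frames

def _read_int(buf, pos, prefix_bits):
    """HPACK integer: N-bit prefix, then 7-bit continuation bytes (RFC 7541, section 5.1)."""
    mask = (1 << prefix_bits) - 1
    value, pos = buf[pos] & mask, pos + 1
    if value < mask:
        return value, pos
    shift = 0
    while True:
        b, pos = buf[pos], pos + 1
        value += (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value, pos

def _read_string(buf, pos):
    if buf[pos] & 0x80:                                     # Huffman flag: out of scope for this decoder
        raise NotImplementedError("Huffman-coded string literal")
    length, pos = _read_int(buf, pos, 7)
    return buf[pos:pos + length].decode("ascii"), pos + length

class HpackDecoder:
    """One per direction: client and server keep separate dynamic tables (RFC 7541, 2.3)."""
    def __init__(self):
        self.dynamic = []                                   # newest first, addressed from index 62
    def _lookup(self, index):
        if index in STATIC:
            return STATIC[index]
        if 62 <= index < 62 + len(self.dynamic):
            return self.dynamic[index - 62]
        raise KeyError(f"HPACK index {index} not in static-table subset or dynamic table")
    def _literal(self, block, pos, prefix_bits):
        index, pos = _read_int(block, pos, prefix_bits)     # 0 means the name is a literal too
        name, pos = (self._lookup(index)[0], pos) if index else _read_string(block, pos)
        value, pos = _read_string(block, pos)
        return (name, value), pos
    def decode(self, block):
        headers, pos = [], 0
        while pos < len(block):
            first = block[pos]
            if first & 0x80:                                # indexed header field
                index, pos = _read_int(block, pos, 7)
                headers.append(self._lookup(index))
            elif first & 0xC0 == 0x40:                      # literal with incremental indexing
                header, pos = self._literal(block, pos, 6)
                self.dynamic.insert(0, header)
                headers.append(header)
            elif first & 0xE0 == 0x20:                      # dynamic table size update
                _, pos = _read_int(block, pos, 5)
            else:                                           # literal without indexing / never indexed
                header, pos = self._literal(block, pos, 4)
                headers.append(header)
        return headers

def decode_direction(data, decoder):
    """Group frames by stream id: decoded headers and reassembled body (PADDED/PRIORITY not handled)."""
    streams = {}
    for ftype, flags, sid, payload in parse_frames(data):
        entry = streams.setdefault(sid, {"headers": [], "data": b""})
        if ftype == "HEADERS":
            entry["headers"].extend(decoder.decode(payload))
        elif ftype == "DATA":
            entry["data"] += payload
    return streams

def build_sample_exchange():
    """Constructed bytes, not a capture: requests on streams 1 and 3, responses interleaved."""
    client = PREFACE + frame(4, 0, 0, b"")                  # empty SETTINGS opens the connection
    client += frame(1, 0x04 | 0x01, 1,                      # GET /; :authority goes into the dynamic table
                    bytes([0x82, 0x87, 0x84, 0x41, 0x13]) + b"212.132.114.68:4430")
    client += frame(1, 0x04 | 0x01, 3,                      # GET /gophertiles; 0xBE reuses :authority (index 62)
                    bytes([0x82, 0x87, 0x04, 0x0C]) + b"/gophertiles" + bytes([0xBE]))
    server = frame(1, 0x04, 1, bytes([0x88, 0x0F, 0x10, 0x09]) + b"text/html")    # :status 200
    server += frame(1, 0x04, 3, bytes([0x88, 0x0F, 0x10, 0x09]) + b"image/png")
    server += frame(0, 0x01, 3, b"\x89PNG...")              # stream 3 body arrives before stream 1's
    server += frame(0, 0x01, 1, b"<html>gophertiles</html>")
    return client, server
```

Running decode_direction over each direction with its own HpackDecoder gives the pseudo-headers (:method, :scheme, :path, :authority, :status) that replace the HTTP/1.1 request and status lines, and the frame order on the server side shows why the tiles load faster: the response for stream 3 completes before stream 1's body without a second TCP connection, which HTTP/1.1 cannot do.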

To force HTTP/1.1 or HTTP/2 from the command line, you can use curl (--insecure skips certificate verification, the same as clicking through the browser warning; -v prints the protocols offered through ALPN and the one the server accepted). curl also honours SSLKEYLOGFILE, so its sessions can be decrypted in Wireshark the same way:

# HTTP 1.1
curl --insecure -v --http1.1 https://212.132.114.68:4430
# HTTP 2
curl --insecure -v --http2 https://212.132.114.68:4430
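For question 8, the negotiation is visible as the application_layer_protocol_negotiation extension (type 16) in the ClientHello, where the client lists the protocols it supports (curl --http2 offers h2 and http/1.1, curl --http1.1 offers only http/1.1), and in the server's answer, which names exactly one. The Wireshark display filter tls.handshake.extensions_alpn_str matches both. One caveat for the trace: with TLS 1.2 the server's choice is in the cleartext ServerHello, while with TLS 1.3 it is in the EncryptedExtensions message and only appears after decryption. The code below is an added example, not part of the assignment or of curl: it builds minimal ClientHello and ServerHello records that carry only an ALPN extension, parses the protocol list back out of either, and applies the server-side selection rule from RFC 7301. The cipher suite, random bytes and function names are this example's own choices.

```python
ALPN = 0x0010                                   # extension type: application_layer_protocol_negotiation

def _vec(data, length_bytes):
    """TLS length-prefixed vector."""
    return len(data).to_bytes(length_bytes, "big") + data

def alpn_extension(protocols):
    """RFC 7301: a list of length-prefixed names, itself length-prefixed, inside the extension body."""
    names = b"".join(_vec(p.encode("ascii"), 1) for p in protocols)
    return ALPN.to_bytes(2, "big") + _vec(_vec(names, 2), 2)

def build_client_hello(protocols, random=b"\x11" * 32):
    """Minimal ClientHello record: one cipher suite, no session id, only the ALPN extension."""
    body = b"\x03\x03" + random + _vec(b"", 1)                  # legacy_version, random, session id
    body += _vec(b"\x13\x01", 2) + _vec(b"\x00", 1)             # TLS_AES_128_GCM_SHA256, null compression
    body += _vec(alpn_extension(protocols), 2)
    return b"\x16\x03\x01" + _vec(b"\x01" + _vec(body, 3), 2)   # record header, handshake header

def build_server_hello(selected, random=b"\x22" * 32):
    """Minimal TLS 1.2-style ServerHello answering with the one protocol the server chose."""
    body = b"\x03\x03" + random + _vec(b"", 1) + b"\x13\x01" + b"\x00"
    body += _vec(alpn_extension([selected]), 2)
    return b"\x16\x03\x03" + _vec(b"\x02" + _vec(body, 3), 2)

def parse_alpn(record):
    """Return (hello type, [protocol names]) from a Hello record's ALPN extension ([] if absent)."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs_type = record[5]
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    pos = 2 + 32                                                # legacy_version + random
    pos += 1 + body[pos]                                        # session id
    if hs_type == 0x01:                                         # ClientHello: vectors of suites/methods
        pos += 2 + int.from_bytes(body[pos:pos + 2], "big")
        pos += 1 + body[pos]
    elif hs_type == 0x02:                                       # ServerHello: one suite, one method
        pos += 3
    else:
        raise ValueError(f"handshake type {hs_type} is not a ClientHello or ServerHello")
    ext_end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
    pos, protocols = pos + 2, []
    while pos < ext_end:
        ext_type = int.from_bytes(body[pos:pos + 2], "big")
        ext_len = int.from_bytes(body[pos + 2:pos + 4], "big")
        ext = body[pos + 4:pos + 4 + ext_len]
        if ext_type == ALPN:
            q, list_end = 2, 2 + int.from_bytes(ext[:2], "big")
            while q < list_end:
                protocols.append(ext[q + 1:q + 1 + ext[q]].decode("ascii"))
                q += 1 + ext[q]
        pos += 4 + ext_len
    return ("ClientHello" if hs_type == 0x01 else "ServerHello"), protocols

def negotiate(client_offer, server_preference):
    """The server's choice: the first protocol in its own preference order that the client offered."""
    return next((p for p in server_preference if p in client_offer), None)
```

The selection rule is why the curl flags work: a client that offers only http/1.1 leaves an HTTP/2-capable server no choice, and a client that offers nothing the server supports gets no protocol at all (a real server would then send a no_application_protocol alert).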

The HTTP/1.1 specification (RFC 9112).

The HTTP/2 specification (RFC 9113).

The HTTP/3 specification (RFC 9114).

Observe how the RFC numbers are consecutive as the versions increase.
