[HN Gopher] Censors Ignore Unencrypted HTTP/2 Traffic (2024)
       ___________________________________________________________________
        
       Censors Ignore Unencrypted HTTP/2 Traffic (2024)
        
       Author : ArinaS
       Score  : 20 points
       Date   : 2025-04-14 18:23 UTC (4 hours ago)
        
 (HTM) web link (upb-syssec.github.io)
 (TXT) w3m dump (upb-syssec.github.io)
        
       | puttycat wrote:
       | Nice research, but I can only guess that this was fixed ten
       | minutes after the report was published?
        
         | wongarsu wrote:
         | The article also notes
         | 
         | > Despite no web browser implementing unencrypted HTTP/2, we
         | detect that up to 6.28% of websites support unencrypted HTTP/2
         | traffic.
         | 
         | My own experience with trying to use unencrypted http/2 between
         | two docker containers was that it was easier to use a self-
         | signed certificate than to get my libraries to use unencrypted
         | http/2. If I was in charge of the Chinese firewall this would
         | be pretty far down on my list of holes to close up
        
       | userbinator wrote:
       | The obvious follow-up is to then put a (possibly obfuscated) TLS
       | connection in the request and response bodies, creating another
       | tunneling method.
        
       | exabrial wrote:
       | If anyone wants to know why I've been adamant we absolutely need
       | unencrypted QUIC mode, here's your answer.
       | 
       | Trojan horses are used by the good guys too.
        
         | dullcrisp wrote:
         | Like Odysseus, I guess?
        
       ___________________________________________________________________
       (page generated 2025-04-14 23:01 UTC)