An initial study of the effect of pipelining in hiding HTTP/2.0 response sizes
Ricardo Morla

TL;DR
This study investigates how effectively HTTP/2.0 pipelining and multiplexing techniques conceal response sizes, revealing their limitations and variability across implementations through experimental analysis.
Contribution
It provides an empirical analysis of the actual effectiveness of pipelining in hiding HTTP/2.0 response sizes and introduces a model for better size estimation from TLS data.
Findings
Pipelining and multiplexing do not fully prevent response size leakage.
Different server implementations produce varying side-channel information.
Limited pipelining is commonly used in real-world HTTP/2.0 deployments.
Abstract
HTTP response size is a well-known side channel attack. With the deployment of HTTP/2.0, response size attacks are generally dismissed with the argument that pipelining and response multiplexing prevent eavesdroppers from finding out response sizes. Yet the extent to which pipelining and response multiplexing actually hide HTTP response sizes has not been adequately investigated. In this paper we set out to help understand the effect of pipelining in hiding the size of web objects on the Internet. We conduct an experiment that provides browser-side HTTP response sizes and network-captured TLS record sizes and show how the model that we propose for estimating response sizes from TLS record sizes improves response matching and attack performance. In this process we gather evidence on how different implementations of HTTP/2.0 web servers generate different side-channel information and the…
Taxonomy
Topics: Internet Traffic Analysis and Secure E-voting · Network Security and Intrusion Detection · Advanced Malware Detection Techniques
