
Security researcher James Kettle has published groundbreaking research exposing fundamental vulnerabilities in HTTP/1.1 that led to critical security breaches across major technology companies, government systems, and CDN networks, earning over $350,000 in bug bounties.
The research, detailed in his paper "HTTP/1.1 Must Die: The Desync Endgame," demonstrates how HTTP request smuggling attacks continue to pose severe risks to millions of websites despite six years of attempted mitigations.
Kettle's findings exposed vulnerabilities in critical internet infrastructure, including a single flaw that compromised over 24 million websites through Cloudflare's network. The research team also discovered vulnerabilities affecting Akamai CDN customers, resulting in 74 separate bug bounty reports totaling $221,000.
"HTTP/1.1 has a fatal, highly-exploitable flaw - the boundaries between individual HTTP requests are very weak," Kettle explains in his research. "Attackers can create extreme ambiguity about where one request ends and the next request starts."

Technical Innovation Behind the Discoveries
The researcher introduced several new attack classes, including "0.CL desync attacks" previously considered unexploitable, and "Expect-based desync attacks" that leverage the complex Expect header mechanism. His team developed sophisticated techniques to bypass modern security mitigations that had created an "illusion of security."
One particularly clever attack exploited Windows' legacy file naming restrictions (/con, /nul) to break connection deadlocks, enabling attackers to smuggle malicious requests through seemingly secure systems.
High-profile victims included T-Mobile ($12,000 bounty), GitLab's security infrastructure ($7,000), and LastPass authentication systems ($5,000). The research also revealed that AWS Application Load Balancer behind Microsoft IIS remains vulnerable, with AWS choosing not to patch due to compatibility concerns.
Industry-Wide Protocol Problem
The research demonstrates that HTTP/1.1's fundamental design makes secure implementation nearly impossible. Unlike binary protocols, HTTP/1.1 offers more than one way to state a message's length in its plain-text headers, so two parsers in the same request chain can disagree about where one request ends, and that disagreement is the parsing ambiguity attackers exploit.
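The following is an added example, not code from the article or from Kettle's research or tooling. It shows the conservative framing check a front-end or gateway can apply to the ambiguity just described: it implements the precedence rules of RFC 9112 section 6.3 and refuses, rather than guesses at, any request whose body length two implementations could reasonably read differently. The request samples are constructed for the example; the function names and the verdict strings are this example's own.

```python
"""
Strict HTTP/1.1 request-framing check (added example; not from the article).

Whenever two parsers could legitimately disagree on where a request body ends,
the request is rejected instead of normalised. The rules follow RFC 9112 6.3.
"""
import re

# RFC 9110 token characters; a field name containing anything else (notably a
# space before the colon) is rejected rather than cleaned up.
_TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
_DIGITS = re.compile(rb"^[0-9]+$")


def parse_head(raw: bytes):
    """Split raw bytes into (request_line, [(lowercased name, value), ...]).
    Raises ValueError on header syntax that implementations disagree on."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t"):
            # obs-fold (deprecated line folding, RFC 9112 5.2)
            raise ValueError("obsolete line folding")
        name, colon, value = line.partition(b":")
        if not colon or not _TOKEN.match(name):
            raise ValueError("malformed header line %r" % line)
        headers.append((name.lower(), value.strip(b" \t")))
    return lines[0], headers


def check_framing(raw: bytes):
    """Return (verdict, detail): ('ok', 'content-length:<n>' | 'chunked' |
    'no-body') or ('reject', reason)."""
    try:
        _, headers = parse_head(raw)
    except ValueError as exc:
        return "reject", str(exc)

    cls = [v for n, v in headers if n == b"content-length"]
    tes = [v for n, v in headers if n == b"transfer-encoding"]

    # Both framing mechanisms present: RFC 9112 says Transfer-Encoding wins,
    # but a gateway cannot assume every back-end agrees, so it refuses.
    if cls and tes:
        return "reject", "Content-Length and Transfer-Encoding both present"

    if tes:
        # Multiple TE fields merge into one comma list; the final coding must be
        # exactly "chunked". Variants are honoured by some servers and ignored
        # by others, which is precisely the disagreement to avoid.
        codings = [c.strip(b" \t").lower() for v in tes for c in v.split(b",")]
        if b"" in codings or codings[-1] != b"chunked" or codings.count(b"chunked") > 1:
            return "reject", "unsupported Transfer-Encoding %r" % b",".join(codings)
        return "ok", "chunked"

    if cls:
        if len(set(cls)) > 1:
            return "reject", "conflicting Content-Length values"
        # Only a plain digit string is accepted; signs or stray characters are
        # tolerated by some parsers and not by others.
        if not _DIGITS.match(cls[0]):
            return "reject", "non-canonical Content-Length %r" % cls[0]
        return "ok", "content-length:%d" % int(cls[0])

    return "ok", "no-body"


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "plain":          b"POST /a HTTP/1.1\r\nHost: x\r\nContent-Length: 5\r\n\r\nhello",
    "chunked":        b"POST /a HTTP/1.1\r\nHost: x\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
    "get":            b"GET / HTTP/1.1\r\nHost: x\r\n\r\n",
    "cl_and_te":      b"POST /a HTTP/1.1\r\nHost: x\r\nContent-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
    "dual_cl":        b"POST /a HTTP/1.1\r\nHost: x\r\nContent-Length: 5\r\nContent-Length: 6\r\n\r\nhello",
    "signed_cl":      b"POST /a HTTP/1.1\r\nHost: x\r\nContent-Length: +5\r\n\r\nhello",
    "te_space_colon": b"POST /a HTTP/1.1\r\nHost: x\r\nTransfer-Encoding : chunked\r\n\r\n0\r\n\r\n",
    "te_xchunked":    b"POST /a HTTP/1.1\r\nHost: x\r\nTransfer-Encoding: xchunked\r\n\r\n0\r\n\r\n",
    "obs_fold":       b"POST /a HTTP/1.1\r\nHost: x\r\nContent-Length:\r\n 5\r\n\r\nhello",
}


def run_samples():
    """Map each sample name to its verdict ('ok' or 'reject')."""
    return {name: check_framing(req)[0] for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, req in SAMPLES.items():
        verdict, detail = check_framing(req)
        print("%-15s %-7s %s" % (name, verdict, detail))
```

Running the file prints one verdict per sample; the three well-formed requests pass and the six ambiguous ones are rejected with the reason. The design choice worth noting is that the check never repairs a request: a gateway that strips a second Content-Length or trims an odd Transfer-Encoding value has to hope its back-end would have made the same choice, and that hope is what the desync attacks in the article break.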
"More desync attacks are always coming," Kettle warns, comparing the situation to buffer overflow vulnerabilities from decades past.
Path to Security: HTTP/2 Migration
The researcher strongly advocates migrating to HTTP/2 or HTTP/3, both of which eliminate most desync attack vectors by framing messages in binary rather than relying on text headers to delimit them. He released an open-source tool, HTTP Request Smuggler 3.0, to help organizations identify vulnerabilities.
For organizations still using HTTP/1.1, Kettle recommends enabling all available normalization options, avoiding niche web servers, and performing regular vulnerability scans. However, he emphasizes that these are temporary measures: "If we want a secure web, HTTP/1.1 must die."
The research represents a decisive argument for abandoning legacy protocols in favor of modern, inherently secure alternatives.