The Insecurity of HTTP/1.1 and the Call for Its Replacement
By
skeptrune
The bagel they save for the regulars. Don't skim, savour.
Summary
Upstream HTTP/1.1 is deemed insecure and exposes websites to hostile takeover, prompting the need to move beyond it.
Key quotes
· 3 pulledHTTP/1.1 is inherently insecure and consistently exposes millions of websites to hostile takeover.
Six years after we exposed the threat of HTTP desync attacks, there's still no
HTTP/1.1 Must Die - Time to move beyond HTTP/1.1
You might also wanna read
Attackers exploit FortiClient EMS vulnerability (CVE-2026-35616) to deliver infostealer to enterprise devices
Attackers are exploiting a known vulnerability (CVE-2026-35616) in FortiClient Enterprise Management Server (EMS) to deliver a broad-spectru
helpnetsecurity.com·42m ago
Critical Gogs RCE bug (CVSS 9.4) remains unpatched; exploit module now public
A critical remote code execution (RCE) vulnerability rated 9.4/10 has been discovered in Gogs, a popular open-source self-hosted Git service
theregister.com·59m ago
GrapheneOS: A privacy-focused, open-source mobile OS with Android app compatibility
GrapheneOS is a non-profit, open-source mobile operating system focused on privacy and security, with full Android app compatibility. Founde
grapheneos.org·1h ago
Anthropic Releases Free Security Plugin for Claude Code Terminal to Detect Vulnerabilities
Anthropic has released a free security-guidance plugin for its Claude Code terminal tool that autonomously reviews code edits, model outputs
cybersecuritynews.com·4h ago
Security Flaw in ChatGPT for Google Sheets Enables Data Exfiltration via Prompt Injection
OpenAI's ChatGPT extension for Google Sheets, which has over 185,000 downloads in less than a month, is vulnerable to indirect prompt inject
promptarmor.com·6h ago
Prompt Injection Attacks: The Top Security Threat Hijacking AI Chatbots
Prompt injection attacks are a critical security vulnerability in AI systems where hidden instructions within user data (like emails or docu
buff.ly·11h ago