Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Privacy Government Programming

HTTP/2.0 Opens Every New Connection It Makes With the Word 'PRISM' (jgc.org) 200

An anonymous reader writes: British programmer and writer John Graham-Cumming has spotted what appears to be a 'code-protest' in the next generation of the hypertext protocol. Each new connection forged by the HTTP/2.0 protocol spells out the word 'PRISM' obliquely, though the word itself is obscured to the casual observer by coded returns and line-breaks. Work on the hidden message in HTTP/2.0 seems to date back to nine days after the Snowden revelations broke, with the final commit completed by July of 2013. In July 2013 one of the protocol's architects appealed to the development group to reconsider design principles in the light of the revelations about the NSA's worldwide surveillance program.
This discussion has been archived. No new comments can be posted.

HTTP/2.0 Opens Every New Connection It Makes With the Word 'PRISM'

Comments Filter:
  • by Anonymous Coward on Monday November 30, 2015 @08:33PM (#51030991)

    HTTP/2.0 also supports the Bitcoin protocol which allows underpaid female STEM workers to drive 3D printed Uber cars or get a job (powered by DICE) delivering Arduinos via drones to Elon Musks new IoT manufacturing Chinese death factory.

  • If you remove the line feeds, you get PRI*HTTP/2.0SM.

    • by dcollins117 ( 1267462 ) on Monday November 30, 2015 @09:12PM (#51031237)

      So someone added cruft to a communications protocol just to make a political statement? Seems to me that is a very poor reason to make a technical decision. It's not needed, it should be removed.

      • by Anonymous Coward

        There needed to be a magic sting to help reject non-http2 at http2 endpoints. It isn't cruft. And it is sent exactly once on a new connection.

        • Isn't that what the characters "HTTP/2.0" do? How does that not identify it as http2?
          • by tepples ( 727027 )

            The use of a new request method (PRI) makes HTTP/1.x servers more likely to (correctly) reject the connection attempt so that the client can cleanly fall back to 1.1.

            • The use of a new request method (PRI) makes HTTP/1.x servers more likely to (correctly) reject the connection attempt so that the client can cleanly fall back to 1.1.

              That is not how computers work. They match bits, that's it. To anthropomorphize them because that's the way your brain works is a serious error.

              • by Jesus_666 ( 702802 ) on Tuesday December 01, 2015 @02:24AM (#51032045)

                // HTTP 1.1 is essentially 1.0 so any future version of HTTP will work with our code.
                var weSupportThis = new Regex("^HTTP/\d+\.\d+").IsMatch(header);

                There are many coders out there and many broken ways of detecting protocols. Only changing the version number might run into trouble if one side of the conversation assumes that everything starting with "HTTP" is going to be pretty much equivalent to HTTP/1.0. So at least the "PRI" part makes sense.

                • by Anonymous Coward

                  And that habit will continue since it works.
                  As a result we end up with protocols with more overhead than necessary.

                  Wouldn't it be better that those who use broken code suffer instead of everyone else?

                • Re: (Score:2, Funny)

                  Thank you , Jesus. I see the light. It's way off in the distance, because I am surrounded by imbeciles, by I can see the light. One day, I believe, people will be smart. That's all I can hope for.
                • by AmiMoJo ( 196126 )

                  It was originally going to be START, but they found that people were using the START method for various things so changed it to something that hopefully would be less common. At first it was FOOBA, but after Snowden it was changed to PRISM in protest.

              • by DarkOx ( 621550 )

                No computers do what they are programmed to do. I would count on the fact there are a lot of 'simplified' HTTP clients and servers out there that look for the string 'HTTP' and not much more. After all if you were implementing something that just needed to exchange a little information over the course of a handful of strait forward GETs or something and wanted to make it HTTP like enough to traverse firewalls be proxied if needed etc, a cut down HTTP implementation is/was a good way to go.

                When it comes to

                • by LiENUS ( 207736 )

                  HTTP is Hyper TEXT transfer protocol, it makes sense that it is text.

                  Yes its for transmitting hypertext, ie text documents that contains links to other text documents. IE exactly what HTTP/2.0 is doing. Hypertext refers to the content not the protocol.

              • To anthropomorphize them because that's the way your brain works is a serious error.

                It's called "colloquial language", and it appears to have got the point across to most other readers. But if you insist on discussing the process more formally in terms of "matching bits":

                The PRI request method matches none of the methods in a pre-HTTP/2.0 server's list of acceptable methods. This causes the server to write a response that does not match the HTTP/2.0 upgrade pattern, even if the server's matching of the protocol version bits is incorrect. When the response fails to match at the client, the

      • by Anonymous Coward

        They needed a magic value to recognize HTTP/2.0 servers that would reliably fail on existing ones. As magic values are arbitrary, this one was good enough (i.e. actually fails on almost all servers), they simply picked something and moved on.

        This is NOT something extra or unnecessary added to HTTP/2.0, it's just something arbitrary that they happened to pick as a "magic" value, not unlike those commonly found in most file formats.

      • by Anonymous Coward

        > [...] poor reason to make a technical decision.

        Sigh. Yet another "technical ideologist". Thing is, most of those have no clue about technology itself, but tout an ideal in which each and every decision is taken on "technical grounds". Which end up, for the above reason, by being just disguised gut feelings.

        Know what? To do a good job, you should start by differentiating between your gut feelings and technical things (*both* are necessary and useful, but by all means, know which is which). If you can't

        • > [...] poor reason to make a technical decision.

          Sigh. Yet another "technical ideologist". Thing is, most of those have no clue about technology itself, but tout an ideal in which each and every decision is taken on "technical grounds". Which end up, for the above reason, by being just disguised gut feelings.

          Know what? To do a good job, you should start by differentiating between your gut feelings and technical things (*both* are necessary and useful, but by all means, know which is which). If you can't muster that, you should steer clear of science and engineering.

          Thank you!

  • by Anonymous Coward

    for this to get "noticed"?

    so much for open standards and open source software... 'its safe. you can look at the code yourself"... it took two and a half fucking years for someone to do just that.. and just to find an easter egg, not an embedded and obscured vulnerability.

    • by viperidaenz ( 2515578 ) on Monday November 30, 2015 @09:03PM (#51031197)

      took 2 1/2 years for someone to care

    • How long would it take for someone to spot something similar in a closed project? Forever?
      • Forever? Quite probably. Considering the developer who last touched any given source file in a large closed project has probably long since been laid off years before the poor contractor at some Bangalore outsourcing firm tasked with fixing a bug in the aforementioned source file was ever hired.

      • How long would it take for someone to spot something similar in a closed project? Forever?

        Considering that this is a communication protocol spec, there is no way something similar could be "closed" in a way that would obscure it.

        • by Sique ( 173459 )
          Considering that there are enough proprietary communication protocols around, whose specs are never disclosed at all, or where you have to pay money and sign a non disclosure agreement prior to getting a look at them, there are enough ways for them to be closed.
          • Except that there are things like Wireshark and other tools that let you sniff packets and see what is inside them. If it's widely used enough somebody is going to have tried.

    • by KGIII ( 973947 )

      Just 'cause it's open doesn't mean someone's gonna notice. For example, look at this text that I'm typing now (and still typing) and see if you can spot the hidden message. It's open, can you find it? Can't make the association? No? Well, here's some more words to make it finish - consider this random text.

      • Do you have a working Geiger counter?

        • by KGIII ( 973947 )

          Nah, I'm not that smart. It's also not nearly so insightful. Well, maybe, but then I'd have to give you a hint. It is a topical message and there is, indeed, a very open message in there and it's not even remotely hidden if you know what to look for. Given Slashdot user's typical traits, I'd think it'd be obvious but only in hindsight.

          Should I remember (or get a notification on here) then I'll share the "hidden" message or at least some hint. *nods*

        • Mine is in the shop.
      • by Anonymous Coward

        Your mother's legs are always open and every man can find that.

      • by tsqr ( 808554 )

        The hidden message? It's right there - between "spot " and ". It's"

    • for this to get "noticed"?

      so much for open standards and open source software... 'its safe. you can look at the code yourself"... it took two and a half fucking years for someone to do just that.. and just to find an easter egg, not an embedded and obscured vulnerability.

      No, it didn't take 2.5 years to get noticed. Look at the comments on the final commit, it was noticed and commented on by another team member the same day it went in. https://github.com/http2/http2... [github.com]

      The public didn't notice, but I'm sure many people involved in the project did... the commit wasn't in any way obscured. It just wasn't interesting enough for anyone else to notice.

  • So who did it? (Score:5, Interesting)

    by 140Mandak262Jamuna ( 970587 ) on Monday November 30, 2015 @09:03PM (#51031195) Journal
    It should be possible to find out who did the code chage, who approved the change and who merged it.

    One of our coders used a limerick, yes it was the man from Nantucket, as a static string. He used it to test some of the string utility functions he was developing. Forgot to remove it. Eventually a nosy customer found it by running strings on our executable and made a stink about it. (Never explained why they were poking around our executable with strings) It is out of our builds now, but if you do a blame on stingutils.cpp you can still see it and see how long it stayed in production.

    • It should be possible to find out who did the code chage, who approved the change and who merged it.

      There is a link to the commit in TFS. It is worth looking at if only to see the first (and at this time, only) comment to the commit.

    • by epyT-R ( 613989 )

      (Never explained why they were poking around our executable with strings)

      It's on his computer. That gives him the right.

      • by Anonymous Coward

        (Never explained why they were poking around our executable with strings)

        It's on his computer. That gives him the right.

        A person with code in his possession does not automatically give him the right to do whatever he wants with it, anymore than having windows on his computer allows him allows him to disasseble it and reuse it's code, or having a video on his computer gives him the right to edit and republish it.

        That said, there is nothing to stop him from doing whatever he wants with what he has in his possession. Whatever he chooses to do, he may not have the right to do so, and there may be repercussions.

        • by Anonymous Coward

          Disassembling Windows is perfectly legal (at least in my country) and I consider it ludicrous to think otherwise. Code is text. If it's in front of me, I can read it.

        • by allo ( 1728082 )

          It does. But it does not give you the right to redistribute the result (as long as its not fair use) and no right to demand change from the vendor.

      • Agreed - they have the right.

        However, the question was "why were they doing it?", not "were they doing something wrong?"

      • by Dog-Cow ( 21281 )

        The GP never implied the customer didn't have the right.

  • by Anonymous Coward

    and suddenly now we give a fuck?

  • "Each new connection forged by the HTTP/2.0 protocol..."
     
    So is that...
    * forge (verb) 2. To form or create with concerted effort.
    or
    * forge (verb) 4. To create a forgery of; to make a counterfeit item of; to copy or imitate unlawfully.
    ?
     
    https://en.wiktionary.org/wiki/forge

  • Does this apply only to forged connections or also to legit ones?

Promising costs nothing, it's the delivering that kills you.

Working...