PortSwigger Research Declares 'HTTP/1.1 Must Die' After Uncovering Novel Desync Attacks Affecting Akamai, Cloudflare, and Netlify
PortSwigger Research reveals new HTTP desync attack classes that compromised core infrastructure at Akamai, Cloudflare, and Netlify, arguing the protocol is fundamentally broken and must be replaced.

PortSwigger Research has published a landmark paper titled "HTTP/1.1 must die: the desync endgame," arguing that the decades-old protocol is inherently insecure and that six years of mitigations have only hidden, not fixed, the underlying flaw. The research introduces several novel classes of HTTP desync attacks capable of mass credential compromise, demonstrated through critical vulnerabilities that exposed tens of millions of websites by subverting core infrastructure within Akamai, Cloudflare, and Netlify.
The core problem, as explained by researcher James Kettle, lies in HTTP/1.1's weak request boundaries. Requests are simply concatenated on TCP/TLS sockets with no delimiters, and multiple methods exist to specify message length—Content-Length, Transfer-Encoding, implicit-zero, and HTTP/2's built-in length. Attackers can exploit parser discrepancies between front-end proxies and back-end servers to cause a desync, injecting malicious prefixes into other users' requests and achieving complete site takeover.
Despite widespread adoption of HTTP/2, the paper reveals that many servers and CDNs downgrade incoming HTTP/2 requests to HTTP/1.1 for back-end transmission, losing most security benefits. This downgrading introduces a fourth length interpretation, making attacks even more dangerous. The research demonstrates that modern WAFs and parser tightening have made classic attacks harder to detect but have not eliminated the threat—they've merely driven attackers to develop more sophisticated techniques.
Kettle introduces an open-source toolkit enabling systematic detection of parser discrepancies and target-specific weak spots. Combined with the novel attack classes, this toolkit yielded over $200,000 in bug bounties in just two weeks. The paper details case studies including 0.CL desync attacks via obfuscated Expect headers against T-Mobile, GitLab, Netlify CDN, and Akamai CDN, demonstrating that even major infrastructure providers remain vulnerable.
The research argues that HTTP request smuggling must be recognized as a fundamental protocol flaw rather than a series of implementation bugs. "The past six years have demonstrated that addressing individual implementation issues will never eliminate this threat," Kettle writes. "HTTP/2+ solves this threat. If we want a secure web, HTTP/1.1 must die."
All findings have been reported and patched by the affected vendors, but the researcher warns that websites remain silently vulnerable to inevitable future variants. The paper concludes with recommendations for defenders, including migrating to end-to-end HTTP/2 or HTTP/3, avoiding protocol downgrading, and implementing strict parser validation for any remaining HTTP/1.1 connections.
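The "strict parser validation" recommended above comes down to one rule: a front-end must derive exactly one body length from the message-length signals Kettle lists (Content-Length, Transfer-Encoding, implicit zero) or refuse the request rather than guess. The following is an added illustration of that rule, not PortSwigger's toolkit or any vendor's code; it assumes a front-end that only forwards Expect: 100-continue and treats every other ambiguity as a hard reject. `framing()` returns ("chunked", None), ("content-length", n) or ("none", 0).

```python
import re

def parse_head(raw: bytes):
    """Split a request head into (request_line, [(lowercase name, value), ...])."""
    head, sep, _ = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request head")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        # Obs-fold continuations and space before the colon are exactly the
        # lines front-ends and back-ends parse differently: refuse them.
        if line[:1] in (b" ", b"\t"):
            raise ValueError("obs-fold continuation line")
        name, colon, value = line.partition(b":")
        if not colon or not name or name != name.strip():
            raise ValueError("malformed header line")
        headers.append((name.decode("ascii").lower(), value.decode("ascii").strip()))
    return lines[0].decode("ascii"), headers

def framing(raw: bytes):
    """Return the single body-length rule for a request, or raise ValueError."""
    _, headers = parse_head(raw)
    cl = [v for n, v in headers if n == "content-length"]
    te = [v for n, v in headers if n == "transfer-encoding"]
    expect = [v for n, v in headers if n == "expect"]
    if cl and te:  # classic CL.TE / TE.CL ambiguity: two competing lengths
        raise ValueError("both Content-Length and Transfer-Encoding present")
    # Assumption: a strict front-end passes only the canonical 100-continue value.
    if any(v.lower() != "100-continue" for v in expect):
        raise ValueError("non-canonical Expect value")
    if te:
        codings = [c.strip().lower() for v in te for c in v.split(",")]
        if codings != ["chunked"]:  # e.g. "chunked, identity" or a mis-spelled coding
            raise ValueError(f"Transfer-Encoding must be exactly chunked: {codings}")
        return "chunked", None
    if cl:
        if len(set(cl)) != 1 or not re.fullmatch(r"[0-9]+", cl[0]):
            raise ValueError(f"duplicate or non-numeric Content-Length: {cl}")
        return "content-length", int(cl[0])
    return "none", 0  # implicit zero: no body at all

def is_rejected(raw: bytes) -> bool:
    """True when strict framing refuses the request instead of guessing."""
    try:
        framing(raw)
        return False
    except ValueError:
        return True
```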
The full whitepaper, presentation slides, and a broader-audience FAQ are available at http1mustdie.com, along with the DEFCON talk recording.