The Entire Internet is Broken: Ethical Hacking Expert John Hammond Meets James Kettle
In a groundbreaking collaboration, ethical hacking expert John Hammond and world-renowned security researcher James Kettle joined forces to explore the alarming state of web security. In this exclusive video, Hammond and Kettle delve into Kettle's latest research on HTTP/1.1 Must Die, a cutting-edge study that reveals the inherent insecurity of the protocol.
"The entire internet is broken," says Kettle, emphasizing the gravity of the situation. "Upstream HTTP/1.1 exposes millions of websites to hostile takeover." Despite vendors' efforts to mitigate these vulnerabilities over the past six years, researchers have consistently found ways to bypass them. PortSwigger's latest research sheds new light on this issue, introducing new classes of HTTP desync attacks and demonstrating critical vulnerabilities affecting tens of millions of websites, including core infrastructure within major CDNs.
A Live Demo of the Threat
During the live demo, Kettle shows how attackers exploit fundamental protocol flaws to devastating effect. The demonstration highlights the critical vulnerabilities in HTTP/1.1, which allow attackers to create dangerous ambiguity about where one request ends and the next begins. This ambiguity makes it possible for attackers to manipulate requests, inject malicious payloads, and compromise entire websites.
"By contrast, HTTP/2 eliminates this ambiguity, making desync attacks virtually impossible—provided it's used not only at the edge, but also for the upstream connection between reverse proxies and origin servers," Kettle explains. This means that if web developers upgrade to HTTP/2 and implement proper security measures, they can significantly reduce the risk of desync attacks.
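As an added illustration (not code from the video, from PortSwigger, or from the research itself), here is the kind of framing check a reverse proxy should apply to every HTTP/1.1 request before reusing an upstream connection: a request is treated as ambiguous whenever two conforming parsers could legitimately disagree about where its body ends. The sample requests are constructed for this example.

```python
"""Flag HTTP/1.1 requests whose body framing is ambiguous (the root of desync)."""
import re


def parse_headers(raw):
    """Return [(lowercased-name, value), ...] from a raw request head."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    headers = []
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower().decode("latin-1"),
                        value.strip().decode("latin-1")))
    return headers


def classify_framing(raw):
    """Return 'content-length', 'chunked', 'none', or 'ambiguous'.

    'ambiguous' means a front-end and a back-end could disagree on the body
    boundary; a strict proxy rejects such a request with 400 instead of
    forwarding it (RFC 9112 section 6.1 requires rejecting TE + CL together).
    """
    headers = parse_headers(raw)
    cl_values = [v for n, v in headers if n == "content-length"]
    te_values = [v for n, v in headers if n == "transfer-encoding"]
    if cl_values and te_values:
        return "ambiguous"                      # both framings present
    if te_values:
        codings = [c.strip().lower() for v in te_values for c in v.split(",")]
        if codings[-1] != "chunked" or codings.count("chunked") != 1:
            return "ambiguous"                  # chunked not final, or repeated
        return "chunked"
    if cl_values:
        distinct = {v.strip() for v in cl_values}
        if len(distinct) != 1 or not re.fullmatch(r"[0-9]+", distinct.pop()):
            return "ambiguous"                  # conflicting or malformed lengths
        return "content-length"
    return "none"


# Constructed sample requests (not taken from the page), one per outcome.
SAMPLES = {
    "plain":   b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello",
    "chunked": b"POST / HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
    "both":    b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
    "dup_cl":  b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 4\r\nContent-Length: 10\r\n\r\nabcd",
    "get":     b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:8s} -> {classify_framing(req)}")
```

Only the two "ambiguous" samples would be refused by such a proxy; the point of the research quoted above is that even a strict front-end check cannot remove every disagreement an HTTP/1.1 upstream hop can have, which is why Kettle argues for HTTP/2 upstream as well.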
What Can You Do?
So, what's next? The answer is clear: it's time to act. Joining the mission to kill HTTP/1.1 requires a collective effort from security testers, bug bounty hunters, and AppSec professionals. Hammond and Kettle invite you to join the official PortSwigger Discord server, where thousands of like-minded individuals are already discussing ways to tackle this issue.
"By working together, we can create a safer internet," says Hammond. "It's time to take action and start killing HTTP/1.1 across our applications." Don't miss your chance to be part of this critical effort. Join the PortSwigger Discord server today and join the conversation on how to protect our online world from these devastating attacks.