## Monday, November 30, 2015

### The secret message hidden in every HTTP/2 connection

If you spy on an HTTP/2 connection starting up you'll notice that it sends an almost-but-not-quite valid HTTP request at the very start of the connection. Like this:

Written a little more clearly that's:

    PRI * HTTP2.0

SM


The HTTP verb is PRI and the body contains just SM. Put them together and you get... PRISM. This occurs right at the start of the connection to ensure that the server really supports HTTP/2.0. It is detailed in Section 3.5 of RFC7540 as follows:

   In HTTP/2, each endpoint is required to send a connection preface as
a final confirmation of the protocol in use and to establish the
initial settings for the HTTP/2 connection.  The client and server
each send a different connection preface.

The client connection preface starts with a sequence of 24 octets,
which in hex notation is:

0x505249202a20485454502f322e300d0a0d0a534d0d0a0d0a

That is, the connection preface starts with the string "PRI *
HTTP/2.0\r\n\r\nSM\r\n\r\n").


I tried to find an explanation of the specific letters used and why they spell PRISM. After a bit of spelunking the following comes to light.

May 29, 2013
IETF draft-ietf-httpbis-http2-03 describes this connection mechanism and indicates that the string to send is FOO * HTTP/2.0\r\n\r\nBA\r\n\r\n.

July 8, 2013
IETF draft-ietf-httpbis-http2-04 changes the string to PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n.

Strange.

I wonder what happened between May 29, 2013 and July 8, 2013? Could it be "U.S., British intelligence mining data from nine U.S. Internet companies in broad secret program"?

Thanks to this comment on Hacker News here's the actual commit that introduced this change. On June 14, 2013 the string was changed with the comment "Exercising editorial discretion regarding magic."

If you enjoyed this blog post, you might enjoy my travel book for people interested in science and technology: The Geek Atlas. Signed copies of The Geek Atlas are available.