HTTP/1.1 must die: the desync endgame

portswigger.net

17 points by octagons 4 months ago · 2 comments

1vuio0pswjnm7 4 months ago

"First, HTTP/1.1 is only simple if you're not proxying."

Which is to say, proxy implementations are complex, not HTTP/1.1

"HTTP/2 is not perfect - it's significantly more complex than HTTP/1, and can be painful to implement."

Which is to say, HTTP/2 is complex

Making life easier for (overly) complex proxy software by introducing a more complex protocol

Sounds great

Increasing complexity will surely lead to "a secure web"

JohnMakin 4 months ago

I had heard rumors of this being much worse than I am understanding it. This looks like desync attacks on misconfigured proxies. These misconfigurations are normally assumed benign - which is a problem - but this is nothing all that surprising to me.
