{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,11,21]],"date-time":"2025-11-21T15:56:17Z","timestamp":1763740577965,"version":"3.45.0"},"publisher-location":"New York, NY, USA","reference-count":48,"publisher":"ACM","content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2025,10,28]]},"DOI":"10.1145\/3730567.3764447","type":"proceedings-article","created":{"date-parts":[[2025,11,21]],"date-time":"2025-11-21T15:22:38Z","timestamp":1763738558000},"page":"258-273","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":0,"title":["The Developer, the RFC, and the Middlebox: An HTTP\/2 Compliance Story"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0009-0005-3523-1938","authenticated-orcid":false,"given":"Mahmoud","family":"Attia","sequence":"first","affiliation":[{"name":"KAUST, Thuwal, Saudi Arabia"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-0694-6767","authenticated-orcid":false,"given":"Ilies","family":"Benhabbour","sequence":"additional","affiliation":[{"name":"KAUST, Thuwal, Saudi Arabia"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-3206-2030","authenticated-orcid":false,"given":"Marc","family":"Dacier","sequence":"additional","affiliation":[{"name":"KAUST, Thuwal, Saudi Arabia"}]}],"member":"320","published-online":{"date-parts":[[2025,11,21]]},"reference":[{"key":"e_1_3_2_1_1_1","unstructured":"Paul Adamczyk Munawar Hafiz and Ralph E Johnson. 2008. Non-compliant and proud: A case study of HTTP compliance. https:\/\/www.ideals.illinois.edu\/items\/11454. [Accessed: 26-Sep-2024]."},{"key":"e_1_3_2_1_2_1","doi-asserted-by":"publisher","unstructured":"Mike Belshe Roberto Peon and Martin Thomson. 2015. Hypertext Transfer Protocol Version 2 (HTTP\/2). RFC 7540. doi:10.17487\/RFC7540","DOI":"10.17487\/RFC7540"},{"key":"e_1_3_2_1_3_1","unstructured":"Mike Belshe Roberto Peon Martin Thomson and Alexey Melnikov. 2012. SPDY Protocol. Internet-Draft draft-ietf-httpbis-http2-00. Internet Engineering Task Force. https:\/\/datatracker.ietf.org\/doc\/draft-ietf-httpbis-http2\/00\/ Work in Progress."},{"key":"e_1_3_2_1_4_1","unstructured":"Cory Benfield. 2025. GitHub - python-hyper\/h2: Pure-Python HTTP\/2 protocol implementation -- github.com. https:\/\/github.com\/python-hyper\/h2. [Accessed 04-05-2025]."},{"key":"e_1_3_2_1_5_1","volume-title":"Middleboxes: Identifying Where the Rules Actually Break Down. In International Conference on Passive and Active Network Measurement. Springer-Verlag","author":"Benhabbour Ilies","year":"2025","unstructured":"Ilies Benhabbour, Mahmoud Attia, and Marc Dacier. 2025. HTTP Conformance vs. Middleboxes: Identifying Where the Rules Actually Break Down. In International Conference on Passive and Active Network Measurement. Springer-Verlag, Berlin, Heidelberg, 155\u2013181."},{"key":"e_1_3_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.5604\/01.3001.0016.1461"},{"key":"e_1_3_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.1145\/3716372"},{"key":"e_1_3_2_1_8_1","doi-asserted-by":"publisher","unstructured":"Mike Bishop. 2022. HTTP\/3. RFC 9114. doi:10.17487\/RFC9114","DOI":"10.17487\/RFC9114"},{"key":"e_1_3_2_1_9_1","first-page":"3345","volume-title":"Weaponizing Middleboxes for TCP Reflected Amplification. In 30th USENIX Security Symposium (USENIX Security 21)","author":"Bock Kevin","year":"2021","unstructured":"Kevin Bock, Abdulrahman Alaraj, Yair Fax, Kyle Hurley, Eric Wustrow, and Dave Levin. 2021. Weaponizing Middleboxes for TCP Reflected Amplification. In 30th USENIX Security Symposium (USENIX Security 21). USENIX Association, Vancouver, B.C., Canada, 3345-3361. https:\/\/www.usenix.org\/conference\/usenixsecurity21\/presentation\/bock"},{"key":"e_1_3_2_1_10_1","doi-asserted-by":"publisher","unstructured":"Scott O. Bradner. 1997. Key words for use in RFCs to Indicate Requirement Levels. RFC 2119. doi:10.17487\/RFC2119","DOI":"10.17487\/RFC2119"},{"key":"e_1_3_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.17487\/RFC3234"},{"key":"e_1_3_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978394"},{"key":"e_1_3_2_1_13_1","unstructured":"Akamai Cloud. 2021. Acceptable Use Policy -- linode.com. https:\/\/www.linode.com\/legal-aup\/. [Accessed 30-04-2025]."},{"key":"e_1_3_2_1_14_1","unstructured":"Piotr Duszynski. 2019. GitHub - drk1wi\/Modlishka: Modlishka. Reverse Proxy. -- github.com. https:\/\/github.com\/drk1wi\/Modlishka."},{"key":"e_1_3_2_1_15_1","doi-asserted-by":"publisher","unstructured":"Roy T. Fielding Mark Nottingham and Julian Reschke. 2014. Hypertext Transfer Protocol (HTTP\/1.1): Caching. RFC 7234. doi:10.17487\/RFC7234","DOI":"10.17487\/RFC7234"},{"key":"e_1_3_2_1_16_1","doi-asserted-by":"publisher","unstructured":"Roy T. Fielding Mark Nottingham and Julian Reschke. 2022. HTTP Semantics. RFC 9110. doi:10.17487\/RFC9110","DOI":"10.17487\/RFC9110"},{"key":"e_1_3_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.1109\/COMST.2018.2812641"},{"key":"e_1_3_2_1_18_1","unstructured":"Omer Gil. 2017. Web cache deception attack. https:\/\/www.blackhat.com\/docs\/us-17\/wednesday\/us-17-Gil-Web-Cache-Deception-Attack-wp.pdf [Accessed: 26-Sep-2024]."},{"key":"e_1_3_2_1_19_1","unstructured":"Kuba Gretzky. 2024. GitHub - kgretzky\/evilginx2: Standalone man-in-the-middle attack framework used for phishing login credentials along with session cookies allowing for the bypass of 2-factor authentication -- github.com. https:\/\/github.com\/kgretzky\/evilginx2."},{"key":"e_1_3_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.1145\/2534706.2534721"},{"key":"e_1_3_2_1_21_1","unstructured":"Ronen Heled. 2005. HTTP REQUEST SMUGGLING. https:\/\/www.cgisecurity.com\/lib\/HTTP-Request-Smuggling.pdf [Accessed: 26-Sep-2024]."},{"key":"e_1_3_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1145\/2068816.2068834"},{"key":"e_1_3_2_1_23_1","unstructured":"Moto Ishizawa. 2020. GitHub - summerwind\/h2spec: A conformance testing tool for HTTP\/2 implementation. -- github.com. https:\/\/github.com\/summerwind\/h2spec. [Accessed 15-09-2024]."},{"key":"e_1_3_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1145\/3678890.3678904"},{"key":"e_1_3_2_1_25_1","first-page":"1061","volume-title":"31st USENIX Security Symposium (USENIX Security 22)","author":"Jabiyev Bahruz","year":"2022","unstructured":"Bahruz Jabiyev, Steven Sprecher, Anthony Gavazzi, Tommaso Innocenti, Kaan Onarlioglu, and Engin Kirda. 2022. FRAMESHIFTER: Security Implications of HTTP\/2-to-HTTP\/1 Conversion Anomalies. In 31st USENIX Security Symposium (USENIX Security 22). USENIX Association, Boston, MA, 1061-1075. https:\/\/www.usenix.org\/conference\/usenixsecurity22\/presentation\/jabiyev"},{"key":"e_1_3_2_1_26_1","doi-asserted-by":"publisher","DOI":"10.1145\/3460120.3485384"},{"key":"e_1_3_2_1_27_1","doi-asserted-by":"publisher","unstructured":"Ben Kallus Prashant Anantharaman Michael Locasto and Sean Smith. 2024. The HTTP Garden: Discovering Parsing Vulnerabilities in HTTP\/1.1 Implementations by Differential Fuzzing of Request Streams. doi:10.48550\/arXiv.2405.17737","DOI":"10.48550\/arXiv.2405.17737"},{"key":"e_1_3_2_1_28_1","unstructured":"James Kettle. 2019. HTTP Desync Attacks: Request Smuggling Reborn -- portswigger.net. https:\/\/portswigger.net\/research\/http-desync-attacks-request-smuggling-reborn. [Accessed 10-03-2024]."},{"key":"e_1_3_2_1_29_1","unstructured":"James Kettle. 2021. HTTP\/2: The Sequel is Always Worse -- portswigger.net. https:\/\/portswigger.net\/research\/http2. [Accessed 25-07-2024]."},{"key":"e_1_3_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.1145\/3460120.3484765"},{"key":"e_1_3_2_1_31_1","unstructured":"Vlad Krasnov. 2016. HPACK: the silent killer (feature) of HTTP\/2 -- blog.cloudflare.com. https:\/\/blog.cloudflare.com\/hpack-the-silent-killer-feature-of-http-2\/. [Accessed 02-05-2025]."},{"key":"e_1_3_2_1_32_1","volume-title":"Proceedings of the 3rd Conference on USENIX Symposium on Internet Technologies and Systems -","volume":"3","author":"Krishnamurthy Balachander","year":"2001","unstructured":"Balachander Krishnamurthy and Martin Arlitt. 2001. PRO-COW: Protocol compliance on the web-a longitudinal study. In Proceedings of the 3rd Conference on USENIX Symposium on Internet Technologies and Systems - Volume 3 (San Francisco, California) (USITS'01). USENIX Association, USA, 10."},{"key":"e_1_3_2_1_33_1","first-page":"665","volume-title":"Cached and Confused: Web Cache Deception in the Wild. In 29th USENIX Security Symposium (USENIX Security 20)","author":"Mirheidari Seyed Ali","year":"2020","unstructured":"Seyed Ali Mirheidari, Sajjad Arshad, Kaan Onarlioglu, Bruno Crispo, Engin Kirda, and William Robertson. 2020. Cached and Confused: Web Cache Deception in the Wild. In 29th USENIX Security Symposium (USENIX Security 20). USENIX Association, Boston, MA, USA, 665-682. https:\/\/www.usenix.org\/conference\/usenixsecurity20\/presentation\/mirheidari"},{"key":"e_1_3_2_1_34_1","first-page":"179","volume-title":"31st USENIX Security Symposium (USENIX Security 22)","author":"Mirheidari Seyed Ali","year":"2022","unstructured":"Seyed Ali Mirheidari, Matteo Golinelli, Kaan Onarlioglu, Engin Kirda, and Bruno Crispo. 2022. Web Cache Deception Escalates!. In 31st USENIX Security Symposium (USENIX Security 22). USENIX Association, Boston, MA, 179-196. https:\/\/www.usenix.org\/conference\/usenixsecurity22\/presentation\/mirheidari"},{"key":"e_1_3_2_1_35_1","unstructured":"mitmproxy. 2025. mitmproxy - an interactive HTTPS proxy -- mitmproxy.org. https:\/\/mitmproxy.org\/. [Accessed 02-05-2025]."},{"key":"e_1_3_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.1145\/3297280.3297526"},{"key":"e_1_3_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.1145\/3240431.3240443"},{"key":"e_1_3_2_1_38_1","doi-asserted-by":"publisher","DOI":"10.17487\/RFC7541"},{"key":"e_1_3_2_1_39_1","unstructured":"Cloudflare Radar. 2024a. Adoption & Usage. https:\/\/radar.cloudflare.com\/adoption-and-usage. [Accessed 19-11-2024]."},{"key":"e_1_3_2_1_40_1","unstructured":"Cloudflare Radar. 2024b. Overview. https:\/\/radar.cloudflare.com\/. [Accessed 19-11-2024]."},{"key":"e_1_3_2_1_41_1","doi-asserted-by":"publisher","DOI":"10.1145\/3634737.3637678"},{"key":"e_1_3_2_1_42_1","doi-asserted-by":"publisher","DOI":"10.1145\/357401.357402"},{"key":"e_1_3_2_1_43_1","doi-asserted-by":"publisher","DOI":"10.1109\/DSN53405.2022.00014"},{"key":"e_1_3_2_1_44_1","doi-asserted-by":"publisher","DOI":"10.1145\/3372297.3417883"},{"key":"e_1_3_2_1_45_1","doi-asserted-by":"publisher","unstructured":"Martin Thomson and Cory Benfield. 2022. HTTP\/2. RFC 9113. doi:10.17487\/RFC9113","DOI":"10.17487\/RFC9113"},{"key":"e_1_3_2_1_46_1","unstructured":"Giuseppe Trotta. 2024. GitHub - muraenateam\/muraena: Muraena is an almost-transparent reverse proxy aimed at automating phishing and post-phishing activities. -- github.com. https:\/\/github.com\/muraenateam\/muraena."},{"key":"e_1_3_2_1_47_1","doi-asserted-by":"crossref","first-page":"166","DOI":"10.1109\/MNET.2017.1700060","article-title":"Toward secure outsourced middlebox services: Practices, challenges, and beyond","volume":"32","author":"Wang Cong","year":"2017","unstructured":"Cong Wang, Xingliang Yuan, Yong Cui, and Kui Ren. 2017. Toward secure outsourced middlebox services: Practices, challenges, and beyond. IEEE Network, Vol. 32, 1 (2017), 166-171.","journal-title":"IEEE Network"},{"key":"e_1_3_2_1_48_1","volume-title":"Factory: HTTP Compliance and W3C QA. https:\/\/www.w3.org\/2001\/01\/qa-ws\/pp\/alex-rousskov-measfact. [Accessed: 24-Jul-2024].","author":"World Wide Web Consortium (W3C).","year":"2001","unstructured":"World Wide Web Consortium (W3C). 2001. Factory: HTTP Compliance and W3C QA. https:\/\/www.w3.org\/2001\/01\/qa-ws\/pp\/alex-rousskov-measfact. [Accessed: 24-Jul-2024]."}],"event":{"name":"IMC '25:ACM Internet Measurement Conference","location":"Madison WI USA","sponsor":["SIGMETRICS ACM Special Interest Group on Measurement and Evaluation","SIGCOMM ACM Special Interest Group on Data Communication"]},"container-title":["Proceedings of the 2025 ACM Internet Measurement Conference"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3730567.3764447","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,11,21]],"date-time":"2025-11-21T15:29:33Z","timestamp":1763738973000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3730567.3764447"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,10,28]]},"references-count":48,"alternative-id":["10.1145\/3730567.3764447","10.1145\/3730567"],"URL":"https:\/\/doi.org\/10.1145\/3730567.3764447","relation":{},"subject":[],"published":{"date-parts":[[2025,10,28]]},"assertion":[{"value":"2025-11-21","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}