Is TLS gRPC distinguishable from TLS HTTP2?

Question

Or do they appear identical to a potentially hostile middle-box? Notwithstanding profiling of traffic flows which may out gRPC.

TLS/JA3 fingerprints may also be a problem, but assume they are handled in some way.

Documentation doesn't address this aspect.

Answer 1

gRPC (if we ignore exotic transports) is implemented on top of HTTP/2, so: gRPC is HTTP/2, but not all HTTP/2 is gRPC.

If you need to distinguish whether something is gRPC:

• you can check the content-type
• gRPC in some scenarios (streaming) has the notable rare feature where response data starts before the request has completed (from an intermediary perspective this is important, as it means you need independent read/write loops - you can't just proxy all the request, then proxy all the response)

Answer 2

From the perspective of a middle box, I believe a generic TLS record that holds gRPC should be indistinguishable from a generic TLS record that holds some other HTTP2 traffic. That said, if the middle box profiles how the TLS handshake is negotiated (especially when versions < 1.3 are used), the middle box may be able to guess that gRPC is being used under the TLS layer.