QUIC march
Security researchers have only just gotten their teeth into HTTP/2, but the movers and shakers of the web are already spinning out an update: HTTP/3.
The technology offers performance gains and security benefits, but only if we get over the many deployment issues that lie ahead for what one expert tells us is best considered as an evolutionary rather than revolutionary change to how the web works.
What is HTTP/3?
HTTP/3 is a major revision of the Hypertext Transfer Protocol (HTTP), the technology that underpins the transfer of information on the web.
HTTP/3 runs over QUIC – an encrypted general-purpose transport protocol that multiplexes multiple streams of data on a single connection.
QUIC was initially developed by Google. The protocol runs over the User Datagram Protocol (UDP) and implements its own congestion control and loss recovery rather than relying on TCP’s.
What is the relationship between HTTP, HTTP/2, and HTTP/3?
While HTTP/1.1 is really ‘HTTP-over-TCP’ and HTTP/2 might be described as ‘HTTP/2-over-TCP’, HTTP/3 might be best described as ‘HTTP/2-over-QUIC’.
During the Black Hat Asia 2020 virtual conference, Google engineer Nick Harper explained in some depth how QUIC and HTTP/3 compare to HTTP/2.
Harper argued that the HTTP/3 protocol stack has “equivalent security as HTTP/2”, adding that HTTP/3’s use of QUIC improves performance while QUIC enhances privacy.
HTTP/3 is largely similar to HTTP/2 in high-level features, though their implementation differs, Robin Marx, a PhD researcher specializing in web performance at Hasselt University, Belgium, told The Daily Swig.
What are the benefits of the HTTP/3 protocol?
The switch to QUIC goes a long way towards resolving a major problem of HTTP/2, namely ‘head of line blocking’.
Because the parallel nature of HTTP/2’s multiplexing is not visible to TCP’s loss recovery mechanisms, a lost or reordered packet causes all active transactions to stall regardless of whether a particular transaction was impacted by the lost packet or not.
Since QUIC provides native multiplexing, lost packets only impact the streams where data has been dropped.
The practical effect of the upgrade to HTTP/3 is to reduce the latency of poor or lossy internet connections.
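To make the head-of-line blocking difference concrete, here is an added, constructed simulation (it is not from the article, nor from any QUIC or HTTP/2 implementation): three interleaved streams share one connection, one packet is lost once, and the same arrivals are fed through two delivery rules. It assumes a simplified model in which each packet carries data for exactly one stream, packets leave one per tick, and a retransmission lands RETRANSMIT_DELAY ticks late; the packet list and delay are constructed values.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed model: a packet marked lost is retransmitted and arrives this many
# ticks after it was first sent.
RETRANSMIT_DELAY = 10


@dataclass(frozen=True)
class Packet:
    seq: int      # transport sequence number, also the tick at which it was first sent
    stream: int   # the HTTP request/response stream the payload belongs to
    lost: bool = False


# Constructed sample: three interleaved streams; stream 1's second packet (seq 3) is lost.
SAMPLE_PACKETS: List[Packet] = [
    Packet(0, 1), Packet(1, 2), Packet(2, 3),
    Packet(3, 1, lost=True), Packet(4, 2), Packet(5, 3),
    Packet(6, 1), Packet(7, 2), Packet(8, 3),
]


def arrival_order(packets: List[Packet]) -> List[Tuple[int, Packet]]:
    """(arrival_tick, packet) pairs in the order the receiver actually sees them."""
    arrivals = [(p.seq + (RETRANSMIT_DELAY if p.lost else 0), p) for p in packets]
    return sorted(arrivals, key=lambda a: (a[0], a[1].seq))


def tcp_delivery(packets: List[Packet]) -> Dict[int, int]:
    """HTTP/2 over TCP: one ordered byte stream. Nothing behind a gap reaches the HTTP
    layer until the gap is filled, whichever stream the later packets belong to."""
    delivered: Dict[int, int] = {}          # seq -> tick at which it was handed to HTTP
    buffered = set()
    next_needed = min(p.seq for p in packets)
    for tick, p in arrival_order(packets):
        buffered.add(p.seq)
        while next_needed in buffered:
            delivered[next_needed] = tick
            next_needed += 1
    return delivered


def quic_delivery(packets: List[Packet]) -> Dict[int, int]:
    """HTTP/3 over QUIC: ordering is enforced per stream, so a gap only holds back
    the stream that actually lost data."""
    expected: Dict[int, List[int]] = {}     # stream -> seqs still owed, in send order
    for p in sorted(packets, key=lambda p: p.seq):
        expected.setdefault(p.stream, []).append(p.seq)
    delivered: Dict[int, int] = {}
    arrived = set()
    for tick, p in arrival_order(packets):
        arrived.add(p.seq)
        queue = expected[p.stream]
        while queue and queue[0] in arrived:
            delivered[queue.pop(0)] = tick
    return delivered


def completion_ticks(delivered: Dict[int, int], packets: List[Packet]) -> Dict[int, int]:
    """Tick at which each stream's last packet reached the HTTP layer."""
    done: Dict[int, int] = {}
    for p in packets:
        done[p.stream] = max(done.get(p.stream, 0), delivered[p.seq])
    return done


def tcp_completion(packets: List[Packet]) -> Dict[int, int]:
    return completion_ticks(tcp_delivery(packets), packets)


def quic_completion(packets: List[Packet]) -> Dict[int, int]:
    return completion_ticks(quic_delivery(packets), packets)


if __name__ == "__main__":
    print("HTTP/2 over TCP :", tcp_completion(SAMPLE_PACKETS))   # every stream waits for seq 3
    print("HTTP/3 over QUIC:", quic_completion(SAMPLE_PACKETS))  # only stream 1 waits
```

With the sample input, all three streams finish at tick 13 under the TCP rule, because the HTTP/2 frames for streams 2 and 3 sit behind the hole at seq 3 even though they arrived intact; under the QUIC rule streams 2 and 3 finish at ticks 7 and 8 and only stream 1 pays for its own loss. Without the loss the two rules give identical results, which is the "evolution, not revolution" point: the gain shows up on lossy paths, not on clean ones.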
QUIC is almost entirely encrypted, meaning security should also be significantly improved with HTTP/3.
This built-in encryption means fewer opportunities for manipulator-in-the-middle (MitM) attacks, while QUIC also includes other features that help protect against denial of service exploits, according to Marx.
QUIC combines its cryptographic and transport handshakes in a way that allows connection to a new server in a single round trip. The same technology allows an interrupted connection to be quickly resumed, with the client sending encrypted application data in its first flight.
QUIC uses TLS 1.3 as the building block for its cryptographic handshake.
How well supported is HTTP/3?
As of October 2020, the HTTP/3 protocol is an internet draft standard and has multiple implementations.
Nearly 8% of the top 10 million websites support HTTP/3, according to the latest figures from W3Techs.
HTTP/3 support is present but disabled by default in stable versions of the Chrome (since December 2019) and Firefox (since January 2020) browsers.
What advantages will be gained from rolling out HTTP/3?
Backers of HTTP/3 reckon that the technology will offer faster website load time and better performance, particularly on loss-prone networks, compared to earlier technologies.
Achiel van der Mandele, product manager at Cloudflare, explained: “Simply put, we believe that HTTP/3 will make the internet better for everyone. HTTP/3 is the successor to HTTP/2, offering improved performance when loading websites.
“Users of HTTP/3 will benefit from faster connection setup and better performance on low-quality networks with high amounts of packet loss. Both of these improvements ensure that websites load faster and more reliably,” Mandele told The Daily Swig.
Marx was more cautious in talking up the benefits of HTTP/3.
“Performance should also benefit, though not by that much in practice,” he said. “The head-of-line blocking removal doesn’t matter *that* much for [things like] web page loading.
“Most gains will be from the shorter handshake setup times,” he explained, adding that HTTP/3 and QUIC represent an “evolution, not a revolution”.
“Performance will be better, but not in a super-noticeable way for things like web browsing,” Marx said. “Security should be better and protect against several attack types.”
What challenges lie ahead for deploying HTTP/3?
Rustam Lalkaka, director of product at Cloudflare, offered The Daily Swig a list of obstacles to be overcome in deploying HTTP/3. These include getting the technology to work with load balancers and deep packet inspection devices (so-called ‘middleboxes’), as well as building up browser support:
- Software built to support QUIC and HTTP/3 is still new and rapidly evolving. “We’ve been heartened to see strong cross-industry partnerships working well to address interoperability issues as they arise. We expect to continue finding and fixing issues as the standard and various implementations mature.”
- Transit providers between networks (or in some cases even ISPs) may run middleboxes that have historically been hostile to UDP traffic. “To unlock the full benefits of QUIC and allow all clients to use it, some networks with hostile middleboxes may need to make configuration adjustments.”
- Enabling QUIC for many server operators is complicated. “For example, for customers of Cloudflare, enabling HTTP/3 is straightforward: just hit the HTTP/3 toggle on the dashboard and anyone visiting their site with a compatible browser will access it over the new protocol.”
- Client support is still not totally mainstream. “Google Chrome has recently enabled HTTP/3 on QUIC for ~95% of their browsers; we expect other major browser vendors to follow suit now that the HTTP/3 with QUIC IETF standard has entered its final draft. Firefox and Safari have support in earlier stages of maturity.”
Cloudflare explained how it was preparing for HTTP/3 in a detailed technical blog post that serves as a good introduction to the technology.
Marx added that some networks will “consciously block QUIC because firewalls” can, for example, no longer track connection setup or QUIC transport header information.
“Packet numbers, acknowledgements, options... are all encrypted in QUIC,” Marx explained. “QUIC only works when encrypted and browsers currently don't work too well with self-signed certificates or ‘in-house’ root certificates.”
Load balancers need to be adjusted to deal with QUIC’s connection IDs and connection migration features.
Advanced features like 0-RTT (round trip time) have a strong security aspect, involving the creation of Session Ticket Encryption keys and protection against replay attacks, Marx added.
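As an added illustration of the replay concern Marx raises (example code written for this page, not taken from Marx, Cloudflare or any TLS library): a server-side policy for requests that arrive as 0-RTT early data. Data in the 0-RTT flight is encrypted under a key derived from a resumption ticket, so a captured flight can be delivered to the server a second time; the usual defences are to act only on requests that are harmless if repeated and to refuse a second 0-RTT use of the same ticket. The status code used here, 425 Too Early, is the one RFC 8470 defines for this purpose. The example assumes a front end that flags each request as early data or not and exposes an identifier for the ticket it resumed with, and that the TLS layer already rejects 0-RTT whose ticket is older than the window (as RFC 8446 §8.3 describes); the window length and the sample requests are constructed.

```python
import time
from collections import OrderedDict
from dataclasses import dataclass
from typing import Callable, Optional

# Methods that are safe to act on even if the request is delivered twice (RFC 9110).
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})
# Constructed: how long a resumption-ticket identifier is remembered. Assumes the TLS
# layer already refuses 0-RTT whose ticket is older than this, so the application
# only needs memory covering this window.
REPLAY_WINDOW_SECONDS = 10.0
TOO_EARLY = 425  # RFC 8470: client must retry after the handshake completes


@dataclass(frozen=True)
class Request:
    method: str
    path: str
    early_data: bool             # True when the request was carried in the 0-RTT flight
    ticket_id: Optional[bytes]   # identifier of the ticket the 0-RTT flight resumed with


class EarlyDataGuard:
    """Server-side policy for requests that arrive as 0-RTT data.

    Two checks: the method must be safe to replay, and the same resumption ticket must
    not be spent on 0-RTT twice inside the replay window. Anything else gets 425 and
    the client retries the request once the handshake has completed (1-RTT data)."""

    def __init__(self, window: float = REPLAY_WINDOW_SECONDS,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.window = window
        self.clock = clock
        self._seen: "OrderedDict[bytes, float]" = OrderedDict()  # ticket_id -> first seen

    def _forget_expired(self, now: float) -> None:
        # Entries are inserted in time order, so expire from the front until one is fresh.
        while self._seen:
            _, seen_at = next(iter(self._seen.items()))
            if now - seen_at <= self.window:
                break
            self._seen.popitem(last=False)

    def decide(self, req: Request) -> int:
        """Return 200 if the request may be processed now, 425 if it must wait for 1-RTT."""
        if not req.early_data:
            return 200                     # post-handshake data is not replayable
        if req.method not in SAFE_METHODS:
            return TOO_EARLY               # e.g. a POST: never act on it from 0-RTT
        if req.ticket_id is None:
            return TOO_EARLY               # cannot check for replay without the ticket
        now = self.clock()
        self._forget_expired(now)
        if req.ticket_id in self._seen:
            return TOO_EARLY               # same ticket already spent on 0-RTT: replay
        self._seen[req.ticket_id] = now
        return 200


if __name__ == "__main__":
    guard = EarlyDataGuard()
    first = Request("GET", "/", early_data=True, ticket_id=b"ticket-1")   # constructed
    print(guard.decide(first), guard.decide(first))                          # 200 then 425
    print(guard.decide(Request("POST", "/pay", early_data=True, ticket_id=b"ticket-2")))
```

The method check matters even with replay detection in place: a replayed flight may reach a different server behind the same load balancer, whose memory does not contain the ticket, which is why 0-RTT should only ever carry requests that are safe to repeat. The ticket memory is kept bounded by the same window the TLS layer enforces, so an operator who rotates the session ticket encryption keys on that schedule can size it predictably.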
When will QUIC and HTTP/3 become mainstream technologies?
QUIC discovery is complex, since HTTP/2 connections cannot simply be upgraded to QUIC the same way HTTP/1.1 is upgraded to HTTP/2. This is because QUIC runs over UDP and not TCP.
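The out-of-band discovery the article alludes to is done in practice with the Alt-Svc response header (RFC 7838), which HTTP/3 reuses to advertise an h3 endpoint: a client first connects over TCP, learns from a response header that the origin also speaks QUIC on some UDP port, and tries that on a later connection. The page does not name the mechanism; the parser and selection rule below are an added example, not from the article or from any browser, and the header values in the test are constructed. The selection rule also applies the expiry and same-host checks a client needs before trusting an advertised alternative.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple
from urllib.parse import unquote

DEFAULT_MAX_AGE = 86400  # RFC 7838: an alternative without "ma" is good for 24 hours


@dataclass(frozen=True)
class AltSvc:
    protocol: str           # ALPN id, e.g. "h3"
    host: str               # "" means "same host as the origin"
    port: int
    max_age: int = DEFAULT_MAX_AGE
    persist: bool = False   # persist=1: keep the entry across network changes


# alt-value = protocol-id "=" quoted alt-authority *( ";" parameter )
_ALT_VALUE = re.compile(r'^\s*([A-Za-z0-9%._-]+)="([^"]*)"\s*((?:;[^;]*)*)$')


def parse_alt_svc(header: str) -> List[AltSvc]:
    """Parse an Alt-Svc header field into its alternatives, dropping malformed entries."""
    if header.strip() == "clear":          # the origin is withdrawing all alternatives
        return []
    alternatives: List[AltSvc] = []
    for raw in header.split(","):
        m = _ALT_VALUE.match(raw)
        if not m:
            continue                       # unparseable alt-value: ignore it
        protocol = unquote(m.group(1))     # protocol-id is percent-encoded
        host, _, port_text = m.group(2).rpartition(":")
        if not port_text.isdigit() or not 0 < int(port_text) < 65536:
            continue
        max_age, persist = DEFAULT_MAX_AGE, False
        for param in m.group(3).split(";"):
            key, _, value = param.strip().partition("=")
            key, value = key.strip().lower(), value.strip().strip('"')
            if key == "ma" and value.isdigit():
                max_age = int(value)
            elif key == "persist" and value == "1":
                persist = True
        alternatives.append(AltSvc(protocol, host, int(port_text), max_age, persist))
    return alternatives


def select_h3(alternatives: Sequence[AltSvc], origin_host: str,
              received_at: float, now: float,
              supported: Sequence[str] = ("h3",)) -> Optional[Tuple[str, int]]:
    """Pick the (host, udp_port) to try QUIC on, or None if nothing usable is advertised.

    An entry is skipped when its ALPN id is not one we implement, when its max-age has
    run out, or when it points at a different host: RFC 7838 only lets a client use a
    cross-host alternative after it has authenticated that host as the origin, and this
    example takes the conservative route of staying on the origin's own host."""
    for alt in alternatives:
        if alt.protocol not in supported:
            continue
        if now - received_at > alt.max_age:
            continue
        if alt.host and alt.host != origin_host:
            continue
        return (origin_host, alt.port)
    return None


if __name__ == "__main__":
    # Constructed header in the shape a CDN typically sends, listing a final and a draft id.
    advertised = parse_alt_svc('h3=":443"; ma=86400, h3-29=":443"; ma=86400')
    print(advertised)
    print(select_h3(advertised, "example.com", received_at=0.0, now=60.0))
```

Because the advertisement is cached, the ma value bounds how long a client keeps trying UDP to a port the origin may have stopped serving, and a failed QUIC attempt should fall back to the existing TCP connection rather than the reverse. This is also why a server operator cannot simply "turn on" HTTP/3: until a client has seen the header over an ordinary connection, it has no way to know that QUIC is on offer.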
Given this implementation barrier, Marx said that over the next few years HTTP/3 is “probably something you get when using a content delivery network or external service provider, not something you’ll be setting up on your own servers (for most people)”.
A conference talk and related blog post by Marx on preparing for HTTP/3-over-QUIC, delivered at the O’Reilly Velocity Berlin conference last year, discusses many of the practical issues ahead in deploying the technology.
Marx concluded: “QUIC is still a very powerful protocol and many of the performance gains will come down the line as the protocol is much easier than TCP to evolve/tweak and new best practices will emerge.
“Still, it is highly complex, and it will take time for the wider community to really understand how it works and how to use it.”