HTTP3

The HTTP/2 protocol has only just rolled out, and security researchers have only just gotten their teeth into it. But the people behind the internet have already moved past that and are rolling out the new HTTP/3.

The new HTTP/3 technology offers various performance gains and security benefits, but only if the many deployment issues that lie ahead are overcome. One expert describes the transition to HTTP/3 as an evolutionary rather than revolutionary change to how the web works.

What is HTTP/3?

We’ll kick off by answering this simple question. HTTP/3 is a major revision of the Hypertext Transfer Protocol, commonly known as HTTP (the technology that underpins the transfer of information on the web). This new revision runs over QUIC, an encrypted general-purpose transport protocol that multiplexes multiple data streams on a single connection. Google developed QUIC. This new protocol puts aside the previous User Datagram Protocol (UDP) and utilizes space congestion control instead.

What is the relationship between HTTP, HTTP/2, and HTTP/3?

HTTP is commonly described as ‘HTTP-over-TCP’, and HTTP/2 might be described as ‘HTTP-over-UDP’. With this in mind, HTTP/3 might be best described as ‘HTTP/2-over-QUIC’. Google engineer Nick Harper explained in some depth how QUIC and HTTP/3 compare to HTTP/2 during the Black Hat Asia 2020 virtual conference. He argued that the HTTP/3 protocol stack has “equivalent security as HTTP/2”, adding that HTTP/3’s use of QUIC improves performance while QUIC enhances privacy.

“The new HTTP/3 is still very similar to its predecessor, HTTP/2, when it comes to high-level features, though their implementation differs,” Robin Marx, a Ph.D. researcher specializing in web performance at Hasselt University, Belgium, told The Daily Swig.

What are the positives of the HTTP/3 protocol?

One of the biggest benefits of HTTP/3, and one of the main reasons for the switch to QUIC, is that it resolves a major problem of HTTP/2, namely ‘head-of-line blocking’. Because HTTP/2’s multiplexing is not visible to TCP’s loss recovery mechanisms, a lost or reordered packet causes all active transactions to stall, regardless of whether the lost packet affected a particular transaction. With QUIC, which provides native multiplexing, lost packets only impact the streams whose data has been dropped. Another benefit of the upgrade to HTTP/3 is reduced latency on poor or lossy internet connections.
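The stall described above can be reproduced with a toy receiver model. This is an added example, not code from the original article; the packet schedule, delay values and function names are all constructed for illustration, and it models delivery order only, not real TCP or QUIC.

```python
from itertools import accumulate

# Constructed sample: three requests (streams A, B, C) multiplexed
# round-robin on one connection, one packet sent per tick.
SEND_ORDER = ["A", "B", "C", "A", "B", "C", "A", "B", "C"]
LOST = {1}             # index of the packet dropped in transit (stream B)
ONE_WAY_DELAY = 10     # ticks from sender to receiver (assumed)
RETRANSMIT_DELAY = 40  # extra ticks until the retransmitted copy arrives (assumed)


def arrival_times(send_order, lost):
    """Tick at which each packet, or its retransmission, reaches the receiver."""
    return [tick + ONE_WAY_DELAY + (RETRANSMIT_DELAY if tick in lost else 0)
            for tick in range(len(send_order))]


def completion_single_ordered_stream(send_order, lost):
    """HTTP/2 over TCP: bytes are released to the application only once every
    earlier packet on the connection has arrived, whatever stream it carried."""
    released = accumulate(arrival_times(send_order, lost), max)  # running max
    # Later packets overwrite earlier ones, leaving each stream's final release.
    return dict(zip(send_order, released))


def completion_per_stream_ordering(send_order, lost):
    """HTTP/3 over QUIC: ordering is enforced per stream, so a gap holds back
    only the stream whose data is missing."""
    done = {}
    for stream, tick in zip(send_order, arrival_times(send_order, lost)):
        done[stream] = max(done.get(stream, 0), tick)
    return done


def stalled_streams(completion, send_order, lost):
    """Streams that finish later under loss than with no loss at all."""
    with_loss, baseline = completion(send_order, lost), completion(send_order, set())
    return sorted(s for s in with_loss if with_loss[s] > baseline[s])


if __name__ == "__main__":
    for model in (completion_single_ordered_stream, completion_per_stream_ordering):
        print(model.__name__, model(SEND_ORDER, LOST),
              "stalled:", stalled_streams(model, SEND_ORDER, LOST))
```

With this schedule, one lost packet on stream B holds all three streams until tick 51 in the single ordered stream, while per-stream ordering delays only B.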

QUIC is encrypted for the most part, which means that security should also be significantly improved with HTTP/3. This encryption will reduce the rate of manipulator-in-the-middle (MitM) attacks. QUIC also includes other features that help protect against denial-of-service exploits, according to Marx.

By combining cryptography and transport, QUIC handles handshakes in a way that allows connection to a new server in a single round trip. Interrupted connections can also be quickly resumed, with the client sending encrypted application data on its first flight. QUIC uses TLS 1.3 as the building block for its cryptographic handshake.

How well supported is the new protocol?

For a new protocol, HTTP/3 has succeeded in becoming an internet-draft standard and has multiple implementations. According to the latest figures from W3Techs, up to 8% of the top 10 million websites support HTTP/3. Since December 2019, Google Chrome’s stable versions have had non-default support for HTTP/3. The next month, Firefox followed suit.

What advantages will be gained from rolling out HTTP/3?

Backers of the new protocol say that the technology will offer faster website load times and better performance, particularly on loss-prone networks, compared to earlier technologies. Several notable people in the tech industry have spoken up about this:

In one report, a product manager at Cloudflare, Achiel van der Mandele, explained: “Simply put, we believe that HTTP/3 will make the internet better for everyone; HTTP/3 is the successor to HTTP/2, offering improved performance when loading websites.” “Users of HTTP/3 will benefit from faster connection setup and better performance on low-quality networks with high amounts of packet loss. Both of these improvements ensure that websites load faster and more reliably.”

Robin Marx gave a similar but more cautious assessment of the benefits of HTTP/3: “Performance should also benefit, though not by that much in practice,” he said. “The head-of-line blocking removal doesn’t matter *that* much for [things like] web page loading.

“Most gains will be from the shorter handshake setup times,” he explained, adding that HTTP/3 and QUIC represent an “evolution, not a revolution”.

“Performance will be better, but not in a super-noticeable way for things like web browsing,” Marx said. “Security should be better and protect against several attack types.”

What challenges lie ahead for deploying HTTP/3?

Notable names have expressed their doubts about how and when the new protocol will roll out completely due to the many challenges that lie ahead. These include getting the technology to work with load balancers and deep packet inspection devices (so-called ‘middleboxes’) and building up browser support.

Rustam Lalkaka, director of product at Cloudflare, listed some of the challenges as:

Software built to support QUIC and HTTP/3 is still new and rapidly evolving. “We’ve been heartened to see strong cross-industry partnerships working well to address interoperability issues as they arise. We expect to continue finding and fixing issues as the standard and various implementations mature.”

Transit providers between networks (or even ISPs) may run middleboxes that have historically been hostile to UDP traffic. “To unlock the full benefits of QUIC and allow all clients to use it, some networks with hostile middleboxes may need to make configuration adjustments.”

Enabling QUIC for many server operators is complicated. “For example, for customers of Cloudflare, enabling HTTP/3 is straightforward: just hit the HTTP/3 toggle on the dashboard, and anyone visiting their site with a compatible browser will access it over the new protocol.”

Client support is still not totally mainstream. “Google Chrome has recently enabled HTTP/3 on QUIC for ~95% of their browsers; we expect other major browser vendors to follow suit now that the HTTP/3 with QUIC IETF standard has entered its final draft. Firefox and Safari have support in earlier stages of maturity.”