Evolution of HTTP(developer.mozilla.org)
developer.mozilla.org
Evolution of HTTP
https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/Evolution_of_HTTP
39 コメント
I happen to be watching Steve Sanderson's Why web tech is like this presentation, which has some early history, runs the original TBL projects. Might be fun for some interested in HTTP's (and a lot of other web tech, HTML/CSS/JS's) evolution: https://www.youtube.com/watch?v=3QEoJRjxnxQ
I long while back, there was a book called HTTP: The Definitive Guide. Is there anything like it that is current?
I'm assuming the linked article didnt quite do it for you or...?
The ONLY thing that has been constantly broken for 20 years is HTTPS.
HTTP2+ IS HTTPS.
And it's the opposite of secure.
Use this over HTTP/1.1 instead: https://datatracker.ietf.org/doc/html/rfc2289
HTTP2+ IS HTTPS.
And it's the opposite of secure.
Use this over HTTP/1.1 instead: https://datatracker.ietf.org/doc/html/rfc2289
>The next major version of HTTP, HTTP/3, will use QUIC instead TCP/TLS for the transport layer portion.
What an odd way of phrasing it. It should be, "The next major version of HTTP, HTTP/3, will be QUIC and so drop TCP for UDP and require CA based TLS for every single connection. Regular connections not requiring a third party corporation to approve will be impossible."
What an odd way of phrasing it. It should be, "The next major version of HTTP, HTTP/3, will be QUIC and so drop TCP for UDP and require CA based TLS for every single connection. Regular connections not requiring a third party corporation to approve will be impossible."
> What an odd way of phrasing it. It should be, "The next major version of HTTP, HTTP/3, will be QUIC”
No?
Http/3 is one application of quic, but sits on top of it.
That’s why it has a separate RFC, which explains that:
> While delegating stream lifetime and flow-control issues to QUIC, a binary framing similar to the HTTP/2 framing is used on each stream. Some HTTP/2 features are subsumed by QUIC, while other features are implemented atop QUIC.
While google did design QUIC with HTTP in mind, you can use QUIC for other protocols e.g. Microsoft has shipped SMB on QUIC in Windows Server 2022. MS also supports direct QUIC uses on Xbox Series consoles and has a guide to use MsQuic with the GDK.
No?
Http/3 is one application of quic, but sits on top of it.
That’s why it has a separate RFC, which explains that:
> While delegating stream lifetime and flow-control issues to QUIC, a binary framing similar to the HTTP/2 framing is used on each stream. Some HTTP/2 features are subsumed by QUIC, while other features are implemented atop QUIC.
While google did design QUIC with HTTP in mind, you can use QUIC for other protocols e.g. Microsoft has shipped SMB on QUIC in Windows Server 2022. MS also supports direct QUIC uses on Xbox Series consoles and has a guide to use MsQuic with the GDK.
> MS also supports direct QUIC uses on Xbox Series consoles
This is so fucking ridiculous. Tried writing my first android app a few months ago, and for reasons wanted to do QUIC. I was absolutely sure this was going to be a no-brainer, as Google more or less being the inventor of it, or at least a very strong proponent, must have made quic a first class citizen of Android and its SDK years ago now. I mean, all their apps use it. Imagine how much in disbelief I was when I learned there is nothing available, except a library that wraps Chrome's network engine and let's you use http3 over quic, but not quic directly. You'd have to fiddle with using a 3rd party native lib and some bindings and whatnot, so I just deleted Android studio and went for a walk. Yes I'm still bitter.
This is so fucking ridiculous. Tried writing my first android app a few months ago, and for reasons wanted to do QUIC. I was absolutely sure this was going to be a no-brainer, as Google more or less being the inventor of it, or at least a very strong proponent, must have made quic a first class citizen of Android and its SDK years ago now. I mean, all their apps use it. Imagine how much in disbelief I was when I learned there is nothing available, except a library that wraps Chrome's network engine and let's you use http3 over quic, but not quic directly. You'd have to fiddle with using a 3rd party native lib and some bindings and whatnot, so I just deleted Android studio and went for a walk. Yes I'm still bitter.
If only browsers could read/install third party certificate authorities, then you could do crazy things like serve an internal domain securely via a certificate you generated yourself, assuming the users agree to install your CA - or better yet, you could be an enterprise purchasing computers for your employees with the CA preloaded. Of course, that's not possible right now.
Can one create a CA with a limitation to `*.example.com`?
Or can one install an arbitrary CA and limit it to `*.example.com`?
Or can one install an arbitrary CA and limit it to `*.example.com`?
If you don't care about older software, in particular older Macs, yes, you can proceed as follows:
1. Make CA #1 2. Make CA #2, have CA #1 sign (a certificate for) this CA with a constraint saying it is valid only for DNS names in example.com and nothing else 3. Destroy CA #1 irrevocably 4. Trust CA #1 in your browser or other relying party software 5. You can now use CA #2 to issue with your constraint.
If you care only about specific web browsers, you can modify the browser software (this is practical for Firefox and to some extent Chromium) to alter its built-in trust semantics to give you chosen CA different constraints. Firefox ships with constraints for a handful of CAs which, in Mozilla's opinion, can be afforded such limited trust so you can model your changes on how that works. https://wiki.mozilla.org/CA/Additional_Trust_Changes
1. Make CA #1 2. Make CA #2, have CA #1 sign (a certificate for) this CA with a constraint saying it is valid only for DNS names in example.com and nothing else 3. Destroy CA #1 irrevocably 4. Trust CA #1 in your browser or other relying party software 5. You can now use CA #2 to issue with your constraint.
If you care only about specific web browsers, you can modify the browser software (this is practical for Firefox and to some extent Chromium) to alter its built-in trust semantics to give you chosen CA different constraints. Firefox ships with constraints for a handful of CAs which, in Mozilla's opinion, can be afforded such limited trust so you can model your changes on how that works. https://wiki.mozilla.org/CA/Additional_Trust_Changes
Name constraints allow it, if be happier if I could import a certificate and set my own constraints in the certificate manager - “I trust this for all *.bigcorp.com domains but not for mybank.com”
Name Constraints allow for this.
Just be aware that support in non-browser software is not so widespread and for something which doesn't understand the extension, it's still effectively a global CA if installed
Be that as it may, this still doesn't seem like the big deal that so many people are making it out to be. Support for HTTP/1.1 and HTTP/2 won't be going anywhere fast, so legacy software can keep doing what it's always done, can't it?
HTTP/3 can be for people/applications that value what is has to offer, and can largely be ignored otherwise.
HTTP/3 can be for people/applications that value what is has to offer, and can largely be ignored otherwise.
HTTP/1.1 is the last good HTTP that is designed for a human persons' needs instead of corporate persons needs. It'll be phased out of the megacorp browsers as soon as their services no longer require it. Likely they'll say it's for security reasons. And they won't be wrong (about their use case). They'll just be ignoring humans because human projects don't earn them money.
Note: My post was talking about Name Constraints in TLS certs and not HTTP versions. The edit window is expired so I can no longer clarify there.
Firefox runs its own cert store so you can do precisely this.
I think you missed the sarcasm.
This isn't a change from the status quo. HTTP/2 is in practice only used over TLS.
It’s also commonly used over domain sockets without TLS for gRPC. Practically I’m not sure that QUIC makes a huge amount of different for public services endpoints though, you’re right.
You can make a self-signed CA certificate any time you want, and anything with a browser will let you import it AFAIK. This can be locked down on corporate Windows machines via Group Policy, so this really only affects computers already behind myriad layers of HTTP security layer gunk. You'll just have to access your home streaming server from your phone over the guest Wi-Fi.
You're right about that use case. And the business people are right about their internal use cases. But those are not what I'm talking about.
It effects human people trying to host a generally accessible public website. Since HTTP/3 using QUIC cannot establish a connection to a site without a cert the public cannot access my hypthetical HTTP/3 website unless I get a corporation to continiously approve of it (ie, letsencrypt).
Distributing my self signed CA chain to the browser mechanisms appropriate for it for every random person around the world that would try to load to my website is not realistic.
For now HTTP 1.1 is still supported by all browsers. But it won't be long till it is phased out "for security" when it no longer makes profit-sense for megacorp browsers to support it (ie, none of their services require it). And when that happens it will no longer be possible to host a website without corporation permission. That's bad.
It effects human people trying to host a generally accessible public website. Since HTTP/3 using QUIC cannot establish a connection to a site without a cert the public cannot access my hypthetical HTTP/3 website unless I get a corporation to continiously approve of it (ie, letsencrypt).
Distributing my self signed CA chain to the browser mechanisms appropriate for it for every random person around the world that would try to load to my website is not realistic.
For now HTTP 1.1 is still supported by all browsers. But it won't be long till it is phased out "for security" when it no longer makes profit-sense for megacorp browsers to support it (ie, none of their services require it). And when that happens it will no longer be possible to host a website without corporation permission. That's bad.
[deleted]
[deleted]
or:
"An argument for Gemini."
https://en.wikipedia.org/wiki/Gemini_(protocol)#Design
"An argument for Gemini."
https://en.wikipedia.org/wiki/Gemini_(protocol)#Design
I've tried to drum up my own interest in Gemini, but it feels very NIH.
Given that you can serve plaintext (or barebones HTML) over the Web and that every browser will still happily speak HTTP/1.0 or even HTTP/0.9, I don't understand the draw (other than the nostalgic aesthetic).
Given that you can serve plaintext (or barebones HTML) over the Web and that every browser will still happily speak HTTP/1.0 or even HTTP/0.9, I don't understand the draw (other than the nostalgic aesthetic).
From my understanding, the draw is to “start over” and create a completely new hypertext ecosystem where script-heavy advertising-laden sites just aren't technically possible. Or, at the very least, extremely impractical. It's a moonshot, but I guess that's one of the reasons they called it Gemini, heh.
Yeah, I think a distinction needs to be made between bastardized JS laden applications and documents with embedded rich media. It’s interesting the four bullet points in the link all mention documents but HTTP hasn’t been about documents for a long time.
no JS
no trackers or ads
no need for a CA
it's much easier to create a browser for it, it's in fact something a single developer can do in a weekend project
it's not controlled by any corporation
no trackers or ads
no need for a CA
it's much easier to create a browser for it, it's in fact something a single developer can do in a weekend project
it's not controlled by any corporation
It mostly only solves problems on the consumer side. Only one of these downsides directly affects publishers.
* If you don't want JS, don't use it.
* If you don't want trackers or ads, don't put them in.
* This is the only publisher-touching downside, and LetsEncrypt is an effective mitigation.
* If you want to make a site Lynx-compatible, test it in Lynx.
* The downsides of this are too diffuse to immediately drive demand. Nobody is directly impacted by it.
* If you don't want JS, don't use it.
* If you don't want trackers or ads, don't put them in.
* This is the only publisher-touching downside, and LetsEncrypt is an effective mitigation.
* If you want to make a site Lynx-compatible, test it in Lynx.
* The downsides of this are too diffuse to immediately drive demand. Nobody is directly impacted by it.
> Only one of these downsides directly affects publishers.
on the client side it ensures that JS, ADS, trackers etc won't be there and the client can bet there will be no surprise
Gemini is the equivalent of "make the impossible states impossible"
The best a malevolent publisher can do is look at the logs, because not even the transparent pixel is allowed.
It's worth pointing out that the goal of Gemini is not to replace the WEB and that it it is still possible to publish pure HTML web sites with the same characteristics (but for how long?)
also Gemini has no headers so no cookies, that, depending on the platform, could be out of the control of the publisher.
I am working (slowly) on some Gemini project
Mainly because there is no money involved in it and monetisation is not a thing.
Gemini, for example, makes it really easy to build search engines that actually work and cannot be weaponized against their users
Because the protocol is so limited that it's impossible, or highly impractical, to follow that route (no money also means no incentive)
on the client side it ensures that JS, ADS, trackers etc won't be there and the client can bet there will be no surprise
Gemini is the equivalent of "make the impossible states impossible"
The best a malevolent publisher can do is look at the logs, because not even the transparent pixel is allowed.
It's worth pointing out that the goal of Gemini is not to replace the WEB and that it it is still possible to publish pure HTML web sites with the same characteristics (but for how long?)
also Gemini has no headers so no cookies, that, depending on the platform, could be out of the control of the publisher.
I am working (slowly) on some Gemini project
Mainly because there is no money involved in it and monetisation is not a thing.
Gemini, for example, makes it really easy to build search engines that actually work and cannot be weaponized against their users
Because the protocol is so limited that it's impossible, or highly impractical, to follow that route (no money also means no incentive)
It doesn't do most of the things we use the WWW for.
That's supposed to be the point. Gemini is the techie version of running off into the woods to join an anarcho-primitivist commune or an aescetic monastery.
being limited is one of the selling points of Gemini.
A while back I hammered out an idea I call KyuWeb, which specifies a document-based web using existing standards like HTTP and reinvents as few wheels as possible. I haven't had time/skill to hammer out a complete client implementation yet, but I enjoy hearing feedback from people who have looked over the specification. Have a look and see if it's to your taste: https://github.com/GarrettAlbright/KyuWeb
HTTP/0.9 died long ago. Chromium shows an ERR_INVALID_HTTP_RESPONSE error page, and Firefox renders the response body as preformatted plain text rather than as HTML.
How exactly does linking a Wikipedia page to some minimalist cult's redesign of Gopher present an argument for Gemini?
[deleted]