HTTP/2 and HTTP/3 explained(alexandrehtrb.github.io)
alexandrehtrb.github.io
HTTP/2 and HTTP/3 explained
https://alexandrehtrb.github.io/posts/2024/03/http2-and-http3-explained/
152 comments
I find it difficult to believe that the team that built the prototype for http/2 (SPDY), implemented it for chrome, tested it on gazillions of customers around the world, wasn't bothered to talk to anyone who did networking.
Sure you can argue that the tradeoffs they selected were the wrong tradeoffs and that they may have been biased by their narrow domain specific goals (reducing latency to render an average web page). Perhaps they thought that people with really horrible packet loss will just fallback to http or use amp or whatever.
But I cannot believe that the mistakes were caused by them just not being aware of how networks work or, worse, failing to talk with somebody that did
Sure you can argue that the tradeoffs they selected were the wrong tradeoffs and that they may have been biased by their narrow domain specific goals (reducing latency to render an average web page). Perhaps they thought that people with really horrible packet loss will just fallback to http or use amp or whatever.
But I cannot believe that the mistakes were caused by them just not being aware of how networks work or, worse, failing to talk with somebody that did
SPDY's header compression allowed cookies to be easily leaked. This vulnerability was well known at the time so had they even asked an intern at Google Zero to look at it they would have been immediately schooled.
https://bugzilla.mozilla.org/show_bug.cgi?id=779413
In their performance tests vs HTTP 1.1 the team simulated loading many top websites, but presumably by accident used a single TCP connection for SPDY across the entire test suite (this was visible in their screenshots of Chrome's network panel, no connection time for SPDY).
They also never tested SPDY against pipelining - but Microsoft did and found pipelining performed the same. SPDY's benefit was merely a cleaner, less messy equivalent of pipelining.
So I think it's fair to say these developers were not the best Google had to offer.
https://bugzilla.mozilla.org/show_bug.cgi?id=779413
In their performance tests vs HTTP 1.1 the team simulated loading many top websites, but presumably by accident used a single TCP connection for SPDY across the entire test suite (this was visible in their screenshots of Chrome's network panel, no connection time for SPDY).
They also never tested SPDY against pipelining - but Microsoft did and found pipelining performed the same. SPDY's benefit was merely a cleaner, less messy equivalent of pipelining.
So I think it's fair to say these developers were not the best Google had to offer.
another explanation - they did test it in other scenarios but the results were against their hopes so they 'accidentally' omitted such tests in the 'official' test suite. Very common tactic, you massage your data until you get what you want.
> But I cannot believe that the mistakes were caused by them just not being aware of how networks work or, worse, failing to talk with somebody that did
As someone who was part of the rollout of HTTP2 for a $large_website, I can confirm that "this will harm mobile performance" was outright and flatly rejected. This included people who were our reps on the w3c. I just had to sit there and wait for the real world metrics to come in
"multiplexing will remove bottlenecks!"
"benchmarks prove that its faster!"
"you just don't understand how TCP works"
"the people at google are very smart, what do you know?"
"server push will reduce latency"
etc etc etc.
We even had the graphs of page size over time (going ever up) and average usable bandwidth (not keeping up, especially on mobile) None of that mattered until the rollout had a real world effect on our performance.
As someone who was part of the rollout of HTTP2 for a $large_website, I can confirm that "this will harm mobile performance" was outright and flatly rejected. This included people who were our reps on the w3c. I just had to sit there and wait for the real world metrics to come in
"multiplexing will remove bottlenecks!"
"benchmarks prove that its faster!"
"you just don't understand how TCP works"
"the people at google are very smart, what do you know?"
"server push will reduce latency"
etc etc etc.
We even had the graphs of page size over time (going ever up) and average usable bandwidth (not keeping up, especially on mobile) None of that mattered until the rollout had a real world effect on our performance.
So what was that real world effect?
5-25% increase in loadtime (median), which caused a drop off in ongoing activity. Users also complained.
It doesn't matter. You can provide the numbers when asked by the proponents of HTTP2/3 'do you have proof of your claim??', they will just turn around and say your real world data is not valid or that they need peer-reviewed article in Science.
> (...) they will just turn around and say your real world data is not valid or that they need peer-reviewed article in Science.
This sounds like a bullshit conspiratorial excuse. If you have real world data and you aren't afraid of having peers looking through it, nothing prevents you from presenting it to peers.
So where is that data?
Instead, you just have vague unsupported unbelievable claims made by random people in the internet, as if that's any way to decide over policy, and any faint doubt raised over that claim is faced with conspiratorial remarks complemented by statements on how everyone around OP is incompetent except him.
I will go as far as to claim OP's assertion is unbelievable, to the point of sounding like bullshit. It's entirely unbelievable that people designing protocols for a multinational corporation whose bread and butter is stuff done over TCP connections were oblivious to how TCP works, and the most incompetent of them would bother to design the first major revision of HTTP. Unbelievable.
But hey, some random guy online said something, so it must be true!
This sounds like a bullshit conspiratorial excuse. If you have real world data and you aren't afraid of having peers looking through it, nothing prevents you from presenting it to peers.
So where is that data?
Instead, you just have vague unsupported unbelievable claims made by random people in the internet, as if that's any way to decide over policy, and any faint doubt raised over that claim is faced with conspiratorial remarks complemented by statements on how everyone around OP is incompetent except him.
I will go as far as to claim OP's assertion is unbelievable, to the point of sounding like bullshit. It's entirely unbelievable that people designing protocols for a multinational corporation whose bread and butter is stuff done over TCP connections were oblivious to how TCP works, and the most incompetent of them would bother to design the first major revision of HTTP. Unbelievable.
But hey, some random guy online said something, so it must be true!
I should have made clear that this is mobile performance. Desktop performance was broadly good
pi-e-sigma(1)
Seeing early QUIC development not account for the DDoS potential of choosing UDP makes it pretty clear that networking is not top-of-mind.
Are you saying there's ddos potential because UDP itself doesn't have a connection handshake? There's still one on top of UDP. The initial packet could be forged, but so could one from TCP (a SYN flood).
SYN flood cookies are probably older than me at this point
pi-e-sigma(2)
HTTP/1.1 (RFC2616) specified a limit of two connections per server, which most browsers initially interpreted to mean per-origin, which still lead to quite a lot of unnecessary blocking. I think browsers eventually decided to increase that to 6, but as evidenced by viewing the "Network" tab of the Developer Tools on a lot of modern pages, it is in fact not very uncommon anymore to have a substantially larger number of resources per origin.
While it's true that HTTP/2 can be worse than HTTP/1.1, I don't think it usually is; it's pretty easy to demonstrate just how much better HTTP/2 is over a typical Internet connection. SPDY and HTTP/2 were clearly better and rarely worse, whereas HTTP/3 is almost never worse (maybe when interplay with TCP rate control is poor?) On very unreliable and very high latency connections it can definitely go the other way, but statistically my experience is that a large majority of cases see an improvement on plain-old HTTP/2.
That said, for all of the complexity HTTP/2 adds, it is kind of a nice protocol. I like that all of the "special" parts of the HTTP/1.1 request and response were just turned into header fields. HPACK is a minor pain in the ass, but it is pretty efficient. You get multiple concurrent bidirectional streams per connection and they can each send headers/trailers. There's even the MASQUE protocol, which enables unreliable datagrams with HTTP/3. Put together this makes HTTP/2 and HTTP/3 amazingly versatile protocols that you can really use for all kinds of shit, which makes sense given the legacy of HTTP/1.1.
There are some pitfalls even still. For example, all of this added complexity has made life a bit harder for load balancing and middleboxes. TCP level load balancing or round robin is basically defeated by using HTTP/2 multiplexing, without the client being explicitly cautious of this.
While it's true that HTTP/2 can be worse than HTTP/1.1, I don't think it usually is; it's pretty easy to demonstrate just how much better HTTP/2 is over a typical Internet connection. SPDY and HTTP/2 were clearly better and rarely worse, whereas HTTP/3 is almost never worse (maybe when interplay with TCP rate control is poor?) On very unreliable and very high latency connections it can definitely go the other way, but statistically my experience is that a large majority of cases see an improvement on plain-old HTTP/2.
That said, for all of the complexity HTTP/2 adds, it is kind of a nice protocol. I like that all of the "special" parts of the HTTP/1.1 request and response were just turned into header fields. HPACK is a minor pain in the ass, but it is pretty efficient. You get multiple concurrent bidirectional streams per connection and they can each send headers/trailers. There's even the MASQUE protocol, which enables unreliable datagrams with HTTP/3. Put together this makes HTTP/2 and HTTP/3 amazingly versatile protocols that you can really use for all kinds of shit, which makes sense given the legacy of HTTP/1.1.
There are some pitfalls even still. For example, all of this added complexity has made life a bit harder for load balancing and middleboxes. TCP level load balancing or round robin is basically defeated by using HTTP/2 multiplexing, without the client being explicitly cautious of this.
This limit is completely artificial. Let's limit HTTP/2 to maximum 6 multiplexed streams per connection and see how it fares with HTTP1.1 with 6 TCP connections to the server. All of sudden HTTP1.1 wins :)
Have you got any data to backup that claim?
It’s also a specious argument anyway. The six connection limit isn’t purely artificial, opening and tracking TCP connection state is expensive, and happens entirely in the kernel. There’s a very real cap on how many TCP connections a machine can serve before the kernel starts barfing, and that cap is substantially lower than the number of multiplexed streams you can push over a single TCP connection.
You’re also completely ignoring TCP slow start process, which you can bet your bottom dollar will prevent six TCP streams beating six multiplexed streams over a single TCP stream when measuring latency from first connection.
It’s also a specious argument anyway. The six connection limit isn’t purely artificial, opening and tracking TCP connection state is expensive, and happens entirely in the kernel. There’s a very real cap on how many TCP connections a machine can serve before the kernel starts barfing, and that cap is substantially lower than the number of multiplexed streams you can push over a single TCP connection.
You’re also completely ignoring TCP slow start process, which you can bet your bottom dollar will prevent six TCP streams beating six multiplexed streams over a single TCP stream when measuring latency from first connection.
Yes I do have data. You can have that data, too. Just do the testing yourself.
You’re making the claims, feel free to share the data you already have.
Oh and while doing that, also feel free to respond to the rest of comment that outlines why opening an unbounded number of TCP connections to a server might be a bad idea.
Oh and while doing that, also feel free to respond to the rest of comment that outlines why opening an unbounded number of TCP connections to a server might be a bad idea.
I'm sure it can. However in my real world use cases, HTTP/2 and 3 work better when available for me, so I'm glad to have them. I'm sure this comes as no surprise to most people since SPDY went through a lot of testing before becoming HTTP/2, but just because it doesn't win on every point of the graph does not mean it doesn't still win overall.
Besides that, more than half my point is that I like HTTP/2 and HTTP/3 for the featureset, and you can't get that by increasing the max connection limit for HTTP/1.1.
Besides that, more than half my point is that I like HTTP/2 and HTTP/3 for the featureset, and you can't get that by increasing the max connection limit for HTTP/1.1.
That would greatly limit the maximum number of simultaneous clients behind the same IP (at the office, at the university etc)
When the limit is reached, all clients would be broken
Looks like a good deal indeed, why do not we do that
When the limit is reached, all clients would be broken
Looks like a good deal indeed, why do not we do that
> That's not really head of line blocking, because in HTTP1.1 you'd just open up another connection.
All browsers cap the number of connections which are opened to a single domain (I think on IE this was 4, and has increased to 10, but it's not a large number).
All browsers cap the number of connections which are opened to a single domain (I think on IE this was 4, and has increased to 10, but it's not a large number).
you are correct, but with keepalive, 10 connections over http1 will beat 1 connection over http2[1] even 4 connections will do better.
[1] when there is high latency, or some packet loss, and the requests are batched evenly over all connections.
[1] when there is high latency, or some packet loss, and the requests are batched evenly over all connections.
Each of those connections needs its own TCP and TLS handshake making a total of 6 trips. Also, although this didn't take off, h2 had push promise which could have been a big help.
Yeah HTTP/2 push is so great that Chrome removed it.
Straight from the horse mouth: "However, it was problematic as Jake Archibald wrote about previously, and the performance benefits were often difficult to realize"
https://developer.chrome.com/blog/removing-push
> This is Top of line blocking and was entirely predictable had the HTTP2 team bothered to talk to anyone who did networking.
>
> Its part of the reason why I was greatly suspicious of QUIC, because it appeared like it was designed by the same people that thought http2 was a good idea.
Agreed - i've always found them to be living in a world of their own, which doesn't match the realities of actual networking out there.
In fact, the very same team after touting QUIC over UDP as the revolutionary protocol is now complaining that the real world realities aren't matching their expectations and so are now proposing to do QUIC over TCP. Here's that proposal https://mailarchive.ietf.org/arch/msg/quic/N82WBOa_RJIb4cPQw...
Agreed - i've always found them to be living in a world of their own, which doesn't match the realities of actual networking out there.
In fact, the very same team after touting QUIC over UDP as the revolutionary protocol is now complaining that the real world realities aren't matching their expectations and so are now proposing to do QUIC over TCP. Here's that proposal https://mailarchive.ietf.org/arch/msg/quic/N82WBOa_RJIb4cPQw...
One thing in favor of QUIC is that it had a lot of other people also working on it, not just the HTTP2 team. People like Daniel Stenberg who have worked in networking for ages and are not beholden to the incentive structures at Google.
According to his Wikipedia page he was also on the working group for HTTP2
It is imposible to meaningfuly evaluate these different protocols against each other without considering the "use case". For example, if someone is requesting 100 pages from a site, all hosted on the same domain, and nothing else,1 then HTTP/1.1 is the best of the three. The requests can be sent over a single connection. HOL blocking is not an issue. I have tested this exhaustively outside the browser for over a decade. (People promoting HTTP/2 and HTTP/3, and HN commenters submitting snarky replies every time I mention the utility of HTTP/1.1 pipelining, apparently have not tested this at all.)
1. This is text retrieval. The www is not a handful of browsers controlled by companies that seek to profit from advertising. It was and still is a facility that provides for (hyper)text retrieval.
HTTP/2 and HTTP/3 come from an advertising commpany and a CDN that expect ads hosted on different domains in every page. That is what _they_ want. Is that want _www users_ want. We do not know because www users were never asked. We do know that www users do not like ads. When given the choice, they say, "No."
The advertising company keeps repeating this HOL blocking as a problem of HTTP/1.1, and now it gets parroted everywhere, and few even know what it means. HOL blocking is not a problem if the www user is not requesting ads and tracking from different domains. How many www users actually want to request ads and tracking and particpate in telemetry. The so-called "tech" company might try to argue that all of them do, or more commonly that, "They do not care." Meanwhile its own employees call ad blocking a "right of passage" (direct quote from a reply I got on HN).
The truth is that when evaluating these new HTTP protocols, it matters what the www user is trying to do. Many users are simply trying to retrieve information as text. But the advertising company believes that www users only want to do what is in the interest of the advertising company: let the advertising company's browser automatically send requests for ads, tracking and telemetry purposes. (Except for employees of so-called "tech" companies profiting from the sale of online ad services. They exempted and are free to block the ads and tracking.)
1. This is text retrieval. The www is not a handful of browsers controlled by companies that seek to profit from advertising. It was and still is a facility that provides for (hyper)text retrieval.
HTTP/2 and HTTP/3 come from an advertising commpany and a CDN that expect ads hosted on different domains in every page. That is what _they_ want. Is that want _www users_ want. We do not know because www users were never asked. We do know that www users do not like ads. When given the choice, they say, "No."
The advertising company keeps repeating this HOL blocking as a problem of HTTP/1.1, and now it gets parroted everywhere, and few even know what it means. HOL blocking is not a problem if the www user is not requesting ads and tracking from different domains. How many www users actually want to request ads and tracking and particpate in telemetry. The so-called "tech" company might try to argue that all of them do, or more commonly that, "They do not care." Meanwhile its own employees call ad blocking a "right of passage" (direct quote from a reply I got on HN).
The truth is that when evaluating these new HTTP protocols, it matters what the www user is trying to do. Many users are simply trying to retrieve information as text. But the advertising company believes that www users only want to do what is in the interest of the advertising company: let the advertising company's browser automatically send requests for ads, tracking and telemetry purposes. (Except for employees of so-called "tech" companies profiting from the sale of online ad services. They exempted and are free to block the ads and tracking.)
> entirely predictable had the HTTP2 team bothered to talk to anyone who did networking
I think it's good that things have evolved rather than being stuck behind naysaying. Sure, there were pitfalls/hurdles that could have been avoided, but it's not clear that maintaining perfection every step of the way would have got us to QUIC.
I think it's good that things have evolved rather than being stuck behind naysaying. Sure, there were pitfalls/hurdles that could have been avoided, but it's not clear that maintaining perfection every step of the way would have got us to QUIC.
This is not some pitfall. This is a major problem in tech and IMHO totally unacceptable. The same things are re-invented all over again and again without actually making much of an improvement.
The result of this is that we get constant upgrades and "improvements", but overall reliability, UI usability, latency and performance in general are actually worsening every year.
The result of this is that we get constant upgrades and "improvements", but overall reliability, UI usability, latency and performance in general are actually worsening every year.
> overall reliability, UI usability, latency and performance
is this just a rose-tinted gut feel, or do you have actual data?
is this just a rose-tinted gut feel, or do you have actual data?
Reliability: Gut feeling. I'm a support engineer. The modern DevOps/Cloud stack is just garbage. People only believe they save money with it because they don't calculate in what they will pay me.
UI usability: This is a discoverable, good UI: https://jbss.de/bilder/scr118d.gif . You can instantly tell what is a button, where you can enter text and what is inert. You can even read out all the hotkeys from the screenshot. Now, without hovering over it with your mouse, check the header of this post (the grey line) and tell me which strings will take you to a place (= are a link), which do an action (= are a button) or are inert. They all look the same and you need to investigate it first with the cursor. And even then you can't tell the buttons ("flag", "vouch") apart from the links ("parent", "context").
Latency and performance: I played RTS games for 15 years. Despite getting old and rustly, i easily hit 120 APM during office work. I can tell if an application can handle it. Things like the Windows Start menu were fast enough for me until like Vista, but now they aren't - i need to wait a bit or i click before it is popped up.
UI usability: This is a discoverable, good UI: https://jbss.de/bilder/scr118d.gif . You can instantly tell what is a button, where you can enter text and what is inert. You can even read out all the hotkeys from the screenshot. Now, without hovering over it with your mouse, check the header of this post (the grey line) and tell me which strings will take you to a place (= are a link), which do an action (= are a button) or are inert. They all look the same and you need to investigate it first with the cursor. And even then you can't tell the buttons ("flag", "vouch") apart from the links ("parent", "context").
Latency and performance: I played RTS games for 15 years. Despite getting old and rustly, i easily hit 120 APM during office work. I can tell if an application can handle it. Things like the Windows Start menu were fast enough for me until like Vista, but now they aren't - i need to wait a bit or i click before it is popped up.
> have actual data
The CPU/GPU required to render an interface at 60hz has gone up inline with moore's law.
The CPU/GPU required to render an interface at 60hz has gone up inline with moore's law.
How about resolution? Color depth? Complexity of what is displayed?
Last I checked my old commodore PET wasn’t rendering ray-traced 4K UHD graphics at 60hz…
60hz is pretty easy if all you are doing is a simple character buffer.
Last I checked my old commodore PET wasn’t rendering ray-traced 4K UHD graphics at 60hz…
60hz is pretty easy if all you are doing is a simple character buffer.
> old commodore PET wasn’t rendering ray-traced 4K UHD graphics at 60hz…
Nor is my phone, yet newer apps are now struggling to render basic GUIs at 60hz.
Nor is my phone, yet newer apps are now struggling to render basic GUIs at 60hz.
Your phone has a higher resolution, a lower size, and a lower thermal footprint, and more battery life....
How about latency of the key press? Why Apple II has practically zero latency and your modern monster desktop is visibly lagging in a fucking text editor? Despite Apple II being literally millions times slower than a modern rig.
[deleted]
Enjoyed these books on the same topic:
- https://http2-explained.haxx.se
- https://http3-explained.haxx.se
- https://http2-explained.haxx.se
- https://http3-explained.haxx.se
> HTTP/3 was designed for unstable connections, such as cellphone and satellite networks.
Satellite networks are not a good example. Regular HTTP/1.1, paired with a PEP, outperforms HTTP/3 by an order of magnitude.
Satellite networks are not a good example. Regular HTTP/1.1, paired with a PEP, outperforms HTTP/3 by an order of magnitude.
The specific thing they’re talking about connection migration (and resumption) through multiple disconnection events — HTTP/1 and 2 do not offer a similar feature.
[deleted]
pi-e-sigma(1)
When loading many images [0] different browsers load the image in a different order and parallelism[1], especially HTTP/3 with Firefox [2]:
[0] https://github.com/TalalMash/100-Image-Load-Test
[1] https://imgur.com/a/b8P3XvB
[2] https://forum.openwrt.org/uploads/default/original/3X/b/c/bc...
[0] https://github.com/TalalMash/100-Image-Load-Test
[1] https://imgur.com/a/b8P3XvB
[2] https://forum.openwrt.org/uploads/default/original/3X/b/c/bc...
>In the diagram below, request 2 cannot be sent until response 1 arrives, considering that only one TCP connection is used.
That's wrong, request 2 can be sent before response 1 arrives. Blocking is inability to receive response 2 until response 1 arrives. With HTTP/2 responses can be unordered.
That's wrong, request 2 can be sent before response 1 arrives. Blocking is inability to receive response 2 until response 1 arrives. With HTTP/2 responses can be unordered.
https://en.wikipedia.org/wiki/HTTP_pipelining
In practice it's not wrong. HTTP 1.x servers, and especially "middleboxes" get this badly enough wrong that when you ship this feature ("HTTP 1 pipelining") your users will report a low but persistent error rate. Oops the password request and image download were kinda sorta fused together.
You can (and some very minor browsers do) just insist it's not your bug and then painstakingly reject every incident where this is implicated, or you can just accept that this was never going to work in practice as the document you're disparaging does.
In practice it's not wrong. HTTP 1.x servers, and especially "middleboxes" get this badly enough wrong that when you ship this feature ("HTTP 1 pipelining") your users will report a low but persistent error rate. Oops the password request and image download were kinda sorta fused together.
You can (and some very minor browsers do) just insist it's not your bug and then painstakingly reject every incident where this is implicated, or you can just accept that this was never going to work in practice as the document you're disparaging does.
Do you get a mostly eliminated error rate if you only use pipelining over TLS, or have server operators situated their defective middleboxes behind their TLS termination?
I guess, it's about things like UserGate, they generate MITM certificates on the fly and decrypt traffic. On the other hand, if they can't handle http1, why they would handle http2?
Not really, because broken proxies include anti-virus software that sits at the endpoint, as well as corporate TLS-MITMing boxes.
Browsers have spent years trying to find a way to deploy pipelining, but nothing really worked. You can't even allowlist based on known-good User-Agent or Via headers, because the broken proxies are often transparent. It's also very hard to detect pipelining errors, because you don't just get responses out of order, you may get response bodies mangled or interleaved.
The idea is truly dead. With H2 being widely supported now, and having superior pipelining in every way, there's no incentive to retry the pain of deossifying H1.
Browsers have spent years trying to find a way to deploy pipelining, but nothing really worked. You can't even allowlist based on known-good User-Agent or Via headers, because the broken proxies are often transparent. It's also very hard to detect pipelining errors, because you don't just get responses out of order, you may get response bodies mangled or interleaved.
The idea is truly dead. With H2 being widely supported now, and having superior pipelining in every way, there's no incentive to retry the pain of deossifying H1.
To be very clear/direct, the HTTP pipelining you're referring to never fully worked and was always hit with problems with middleboxes, problems with servers, significant security vulnerabilities around request smuggling and more besides.
Every project I've been involved with that tried to use them eventually turned them off. So the quote is true in practise.
Every project I've been involved with that tried to use them eventually turned them off. So the quote is true in practise.
AIU request smuggling, it can't be prevented by disabling pipelining, only by validation.
The biggest difference is that HTTP/3 (and to a lesser extent, 2) are designed and implemented entirely and exclusively for for profit-business use cases at the detriment to all other use cases and specifically longevity. Since there are no HTTP/3 implementations that allow the use of non-CA TLS or even just plain text that means in order to host a visitable website for major browsers you have to get continued re-approval from a third party corporation every ~3 months. This means that websites using HTTP/3 will have very short unmaintained lifetimes. HTTP/3 sites will not last many years. They'll simply become unvisitable in a fraction of a year if there's ever any problem in the huge chain of complexity that is acme2 (and when acme2 is deprecated and turned off a huge portion of the web will die, much more than died when acme1 was turned off on LE).
There is one feasible change that can be made now: Firefox needs to change the flags in it's HTTP/3 library build so that self signed certs are allowed.
There is one feasible change that can be made now: Firefox needs to change the flags in it's HTTP/3 library build so that self signed certs are allowed.
Which is, in my opinion, good
I am sick of seing all kind of unsecure websites (or other things over TLS) as well as private CA
Those things should not be put in production. If people cannot willingly work properly, then their life should be made harder and harder.
I am sick of seing all kind of unsecure websites (or other things over TLS) as well as private CA
Those things should not be put in production. If people cannot willingly work properly, then their life should be made harder and harder.
Nope. It should be possible to set up infrastructure to serve web content without being beholden to a certificate authority. By all means there can be a bunch of warnings whenever anyone tries to access it but it should still be possible.
But you can : you can do whatever horrors you want, privately. You want your own browser with specific compiled-options ? Then do it and deploy it on your private perimeter.
However, if you want to expose something publicly, then your own ideas matters less than the interests of your clients (at least, this is how I see things) : so exposing to the internet something without TLS or with a self-signed / private CA certificates is something that should be denied (those three propositions are the same, if you think about it).
However, if you want to expose something publicly, then your own ideas matters less than the interests of your clients (at least, this is how I see things) : so exposing to the internet something without TLS or with a self-signed / private CA certificates is something that should be denied (those three propositions are the same, if you think about it).
These kinds of security mindsets exist because browsers have been made extremely insecure these days by encouraging and even setting the default behavior to automatically execute random programs downloaded from random places while at the same time exposing bare metal functionality for speed.
This incredibly insecure business use case has made it so using a browser for merely surfing the web is dangerous and that's why CA TLS is required. But if you just turn JS off... it's fine.
There is so much more to the web than just business web applications selling things or institutional/government websites with private information. There are human people on the web and their use cases matter too. HTTP/3 disregards them. It's fine for now but when Chrome removes HTTP/1.1 for "security reasons" it's not going to be fine.
This incredibly insecure business use case has made it so using a browser for merely surfing the web is dangerous and that's why CA TLS is required. But if you just turn JS off... it's fine.
There is so much more to the web than just business web applications selling things or institutional/government websites with private information. There are human people on the web and their use cases matter too. HTTP/3 disregards them. It's fine for now but when Chrome removes HTTP/1.1 for "security reasons" it's not going to be fine.
These kinds of security mindsets exist because, as a network architect, I know at least a couple of ways to put myself between you and your destination, and from there to read and/or rewrite your unencrypted data. Of course, if I manage any network between you and your destination, things get a lot more easier.
I do not want my coworkers to do that on any of my communications, nor my family, nor anybody.
The only known way to prevent this is encryption.
And no, it has nothing to do with browsers : the same applies to my emails, ssh, IRC and whatever.
I do not want my coworkers to do that on any of my communications, nor my family, nor anybody.
The only known way to prevent this is encryption.
And no, it has nothing to do with browsers : the same applies to my emails, ssh, IRC and whatever.
Yes. And there's almost zero risk to such (ARP poisoning? dns poisoning? etc) MITM attacks when you turn off javascript and don't blindly execute all programs sent to you as an end user.
The problem with MITM attacks is when you execute programs or exchange money or other private information. The risks when viewing public documents that don't require execution is minimal. That's my point. One use case "web app stores" ruins everything for everyone by requiring the mindset you advocate for as browser defaults. But the entire justification goes away if the end user just turns off JS auto-execute. It's not intrinsic to all use cases for the web or even most.
EDIT: Mentioning wikipedia is missing the point. Of course there are cases where CA TLS should be used. I am not denying that. I am saying there are many cases with CA TLS makes things fragile and short lived and it is not needed: like personal websites run by a human person. And these use cases are not invalidated by the existence of yet another corporate person (wikimedia).
The problem with MITM attacks is when you execute programs or exchange money or other private information. The risks when viewing public documents that don't require execution is minimal. That's my point. One use case "web app stores" ruins everything for everyone by requiring the mindset you advocate for as browser defaults. But the entire justification goes away if the end user just turns off JS auto-execute. It's not intrinsic to all use cases for the web or even most.
EDIT: Mentioning wikipedia is missing the point. Of course there are cases where CA TLS should be used. I am not denying that. I am saying there are many cases with CA TLS makes things fragile and short lived and it is not needed: like personal websites run by a human person. And these use cases are not invalidated by the existence of yet another corporate person (wikimedia).
You are wrong. Let's take a wikipedia, without TLS nor JS. I can modify that page and the end user won't even know it is now a bunch of crap.
MITM has nothing to do with read-only nor with local execution.
MITM has nothing to do with read-only nor with local execution.
You can just put a bunch of crap in wikipedia itself, TLS doesn't help much here.
This was an example..
> The risks when viewing public documents that don't require execution is minimal.
If you’re living in a well developed country with strong privacy laws, you might have a point. But most of the people in the world don’t, and in many places simply looking at LGBT communities can land you in jail.
Then there’s places like the U.S. with multiple states currently doing their level best to criminalise so much as thinking about an abortion. I don’t see why those states would be above scanning people’s clear text browsing habits to any signs of a possible abortion, and using it as evidence of an illegal abortion having been committed or about to be committed. They’ve certainly jailed women for less (even while pregnant).
Just because you’re among a group of people that is lucky enough to have no worries about being oppressed, or discriminated against, doesn’t mean everyone has that luxury. Encryption is good for everyone, I don’t anyone being able to easily know what I do online, because I have no idea who those people, or what their motives might be, and quite frankly I don’t care. I just don’t want them rummaging around in my life looking for opportunities to exploit me or others.
If you’re living in a well developed country with strong privacy laws, you might have a point. But most of the people in the world don’t, and in many places simply looking at LGBT communities can land you in jail.
Then there’s places like the U.S. with multiple states currently doing their level best to criminalise so much as thinking about an abortion. I don’t see why those states would be above scanning people’s clear text browsing habits to any signs of a possible abortion, and using it as evidence of an illegal abortion having been committed or about to be committed. They’ve certainly jailed women for less (even while pregnant).
Just because you’re among a group of people that is lucky enough to have no worries about being oppressed, or discriminated against, doesn’t mean everyone has that luxury. Encryption is good for everyone, I don’t anyone being able to easily know what I do online, because I have no idea who those people, or what their motives might be, and quite frankly I don’t care. I just don’t want them rummaging around in my life looking for opportunities to exploit me or others.
Lets talk again the first time a US state based CA revokes a cert under pressure for an abortion clinic site being against some state's law. Then you'll really want that HTTP/1.1 back. If we go CA TLS only it just means there's a single point of failure/censorship. HTTP+HTTPS is robust from censorship in a way centralized CA HTTPS only can never be.
TLS doesn't hide destination address, if you connect to LGBT site whose IP is known, you land in jail anyway.
So we’re just going to ignore the fact that most websites these days are co-located on shared IP addresses, and there’s perfectly good ways of encrypting the TLS SNI header?
I heard a rumor that GFW blocks ESNI outright.
> you can do whatever horrors you want
and i do. i run a personal static website over http. oh the horror.
and i do. i run a personal static website over http. oh the horror.
[deleted]
So we squeeze a tiny bit more performance out of existing networks, then that immediately becomes normal again. Except now we have protocols that are difficult to implement, debug and understand.
Implementing concurrency in network protocols seems to be more than just a tiny improvement
About QUIC evolutions : https://lwn.net/Articles/964377/
What I don't understand:
Why was the multiplexing in HTTP/2 and 3 pulled into the application layer instead of using a layer 4 protocol like SCTP?
> the UDP protocol wasn't optimized by routers and operating systems over the last decades due to its low usage, making it comparatively slower than TCP
What exactly does this mean?
What exactly does this mean?
I haven't read the article yet but I think that means that UDP was used less than TCP and so routers/operating systems didn't optimize for it as much as they did for TCP. Hope this helps.
there's nothing to optimize with UDP, you put a datagram on the wire and off it goes. There's no sequence number like in TCP to re-order and construct a stream on the receiving side. There is no stream, it's UDP. You put a datagram on the wire and that's it. There no syn/ack either so no congestion control in routers, no back-off or anything.
Right that’s all it says on this subject. I am curious about what optimizations TCP has benefitted from that we’re not but could be applied to UDP.
For example various kinds of hardware TCP offload, like:
1. Handing the NIC a single blob of data (> MSS) in a single operation, and having the NIC do the segmentation into multiple packets.
2. Having the NIC detect multiple exactly consecutive TCP packets on the same flow, and merging them to a single receive operation.
Hardware offload is impossible to do for UDP, since neither the NIC or OS can assume anything about the payload semantics.
1. Handing the NIC a single blob of data (> MSS) in a single operation, and having the NIC do the segmentation into multiple packets.
2. Having the NIC detect multiple exactly consecutive TCP packets on the same flow, and merging them to a single receive operation.
Hardware offload is impossible to do for UDP, since neither the NIC or OS can assume anything about the payload semantics.
This was such a nice, concise article. It laid out everything so clearly and now I'm off exploring this subject by myself.
If HTTP[23] are more complex than HTTP1.1, it is a mistake.
Most of the complexity actually comes from encryption. If you don't need encryption, HTTP/1.1 is great. Especially since unencrypted HTTP/2 and 3 are usually not supported.
HTTP/2 is sometimes considered a mistake.
HTTP/3 is certainly more complex than HTTP/1.1, but that's in large part because it is actually several protocols in one. It replaces TCP with QUIC and therefore implements its features. It also has encryption built-in, so it also provides some of TLS features.
It is based on UDP, but ideally it should QUIC/IP, the only reason why UDP is in the middle is to facilitate adoption.
So if you consider HTTP/3 with builtin TLS vs HTTP/1.1+TLS+TCP, I don't think there is much of a difference in complexity.
HTTP/2 is sometimes considered a mistake.
HTTP/3 is certainly more complex than HTTP/1.1, but that's in large part because it is actually several protocols in one. It replaces TCP with QUIC and therefore implements its features. It also has encryption built-in, so it also provides some of TLS features.
It is based on UDP, but ideally it should QUIC/IP, the only reason why UDP is in the middle is to facilitate adoption.
So if you consider HTTP/3 with builtin TLS vs HTTP/1.1+TLS+TCP, I don't think there is much of a difference in complexity.
It's more complex for server builders and client library builders (libcurl, netty, etc.). For web application developers, it's essentially zero effort if you use decent cloud based hosting.
We have our stuff in Google cloud. I just launched a website (while spaceX was launching a rocket) there. Simple bucket behind our load balancer. It serves http3 if your browser can handle it. If you check with curl (which can't) it falls back to http2. Our API runs there as well and a few other things. Just works. It's not even a configuration option. It's just part of the package.
Most of this stuff is either necessary complexity or useful complexity. Running without TLS is not really something you should be doing over a public network. And some people would argue even on a private network. So that's necessary complexity.
UDP vs. TCP is a no-brainer as well for mobile and roaming type use cases. Just a lot easier to deal with via UDP. With TCP you have to deal with connections timing out, connection overhead, etc. With UDP, which is connection less, switching networks is a lot less dramatic.
And then there's the notion of not needing multiple connections to download/stream multiple things. Since UDP has no connections, HTTP3 multiplexes it's own notion of "connections" on top of that. So, you are not constrained by browsers limiting you to just 4 or 8 connections per website (or whatever the number is these days). A bit more complex to implement but useful.
We have our stuff in Google cloud. I just launched a website (while spaceX was launching a rocket) there. Simple bucket behind our load balancer. It serves http3 if your browser can handle it. If you check with curl (which can't) it falls back to http2. Our API runs there as well and a few other things. Just works. It's not even a configuration option. It's just part of the package.
Most of this stuff is either necessary complexity or useful complexity. Running without TLS is not really something you should be doing over a public network. And some people would argue even on a private network. So that's necessary complexity.
UDP vs. TCP is a no-brainer as well for mobile and roaming type use cases. Just a lot easier to deal with via UDP. With TCP you have to deal with connections timing out, connection overhead, etc. With UDP, which is connection less, switching networks is a lot less dramatic.
And then there's the notion of not needing multiple connections to download/stream multiple things. Since UDP has no connections, HTTP3 multiplexes it's own notion of "connections" on top of that. So, you are not constrained by browsers limiting you to just 4 or 8 connections per website (or whatever the number is these days). A bit more complex to implement but useful.
Then HTTP[23] are significantly more costly to implement, they are a mistake then.
Nothing to brag about then.
Nothing to brag about then.
That's a pretty silly take. You're basically asserting that implementation difficulty is always the main priority, and there can never be any worthwhile tradeoffs that could offset that complexity.
But in reality, the world probably only needs a few dozen H3 implementations, just like there are only tens of production TCP stacks. But those implementations will be used by billions of people, hundreds of billions of machines, and handle effectively all data transmission of the entire humanity.
The leverage is massive, even the most minor improvements will be able to pay off any level of engineering effort.
But in reality, the world probably only needs a few dozen H3 implementations, just like there are only tens of production TCP stacks. But those implementations will be used by billions of people, hundreds of billions of machines, and handle effectively all data transmission of the entire humanity.
The leverage is massive, even the most minor improvements will be able to pay off any level of engineering effort.
Enter IPv6. Same arguments, it's 'only' a matter of implementation. 30 years later still most of the implementations are worse than IPv4.
At least IPv6 is reasonably scaled for our world which IPv4 was never meant to be (The abomination of NAT).
TLS is more costly to implement than simply not encrypting or signing anything.
Sometimes cost of implementation isn't the only consideration.
Sometimes cost of implementation isn't the only consideration.
I don't really see how one leads to another, could you elaborate? Looking at these protocols, it seems to me that later versions of HTTP attempt to address errors resulting from the overly simplistic design of HTTP/1.1.
Thats not really head of line blocking, because in HTTP1.1 you'd just open up another connection. The issue with HTTP1.1 is that opening up lots of connections can introduce lots of latency, especially if you are doing Encryption.
HTTP1.1 performs much much better over high latency or lossy links than http2
> With HTTP/2, this problem is solved with streams, each stream corresponds to a message. Many streams can be interleaved in a single TCP packet. If a stream can't emit its data for some reason, other streams can take its place in the TCP packet.
This is where HTTP2 failed. It shoved everything into one single TCP connection which works fine on LAN and LAN like networks, and sucks balls in the real world. This is Top of line blocking and was entirely predictable had the HTTP2 team bothered to talk to anyone who did networking.
Its part of the reason why I was greatly suspicious of QUIC, because it appeared like it was designed by the same people that thought http2 was a good idea.
However QUIC seems to be actually reasonable. I've yet to fully test it in real world scenarios, but it does offer promise for highspeed latency resistant data streaming. One day I'll re-write my TCP multiplexor to compare the performance.