HTTP/3: Newest web protocol

HTTP/3: In addition to the commonly used HTTP/1.1 and HTTP/2, HTTP/3 is the third main version of the Hypertext Transfer Protocol used to communicate information on the World Wide Web.

HTTP/3 runs over QUIC – an encrypted general-purpose transport protocol that multiplexes multiple streams of data on a single connection.

Google developed QUIC initially . The protocol utilizes space congestion control over User Datagram Protocol (UDP).

What connection do HTTP, HTTP/2, and HTTP/3 have to one another?

While HTTP is really ‘HTTP-over-TCP’ and HTTP/2 might be described as ‘HTTP-over-TCP’ then HTTP/3 might be best described as ‘HTTP/2-over-QUIC’.

During the Black Hat Asia 2020 virtual conference, Google engineer Nick Harper explained in some depth how QUIC and HTTP/3 compare to HTTP/2.

Need for global security perspectives underlined at virtual event

Why is it new?

HTTP/3 will be the hypertext transfer protocol’s first significant update.

The fact that HTTP/3 utilizes the new transport protocol QUIC is a significant distinction. QUIC is intended for Internet users that are heavily reliant on mobile devices, such as smartphones, which users often switch between as they go about their daily lives.

When the first Internet protocols were created, devices were less mobile and did not swap networks frequently.

Because of QUIC, HTTP/3 is dependent on UDP rather than TCP and uses the User Datagram Protocol (UDP) (TCP). By switching to UDP, users will be able to browse the internet more quickly and establish speedier connections.

Google created the QUIC protocol in 2012, and the vendor-neutral Internet Engineering Task Force (IETF) approved it when they started developing the new HTTP/3 standard. The IETF has made a number of adjustments to create its own version of QUIC after talking with specialists from all across the world.

Why is a new version required?

QUIC will assist in addressing some of HTTP/2’s most significant flaws:

  • Creating a fix for the slow performance that occurs when a smartphone transitions from WiFi to cellular data (such as when leaving the house or office)
  • Reducing the consequences of packet loss, which prevents “head-of-line blocking,” the issue where all streams of data are blocked when one packet does not reach its destination.

Other Benefits

  • QUIC enables TLS version negotiation to take place concurrently with the cryptographic and transport handshakes, which speeds up connection setup.
  • Clients can avoid the handshake requirement for servers they have already connected to using zero round-trip time (0-RTT) (the process of acknowledging and verifying each other to determine how they will communicate)
  • An enormous improvement over HTTP/2, QUIC’s new approach to handshakes will enable encryption by default and significantly reduce the danger of attacks.

What does default encryption cover?

Security issues are significant when encryption is mandated at the transport layer rather than the application layer.

The connection will always be encrypted as a result. Prior to HTTPS, the transport-layer connections and encryption happened independently. The TCP and TLS handshakes were separate events, and TCP connections might transmit data that was either encrypted or not.

However, QUIC automatically establishes secure connections at the transport layer; hence, application-layer data is always protected by encryption.

By merging the two handshakes into a single operation, QUIC achieves this. As a result, latency is reduced because applications only need to wait for one handshake to complete before delivering data.

To further assist keep information about user activity out of the hands of attackers, it additionally encrypts metadata about each connection, including packet numbers and some other sections of the header. HTTP/2 did not have this functionality.

This data’s encryption aids in keeping attackers from gaining access to actionable information about user behavior.

Since anybody listening to communications may read HTTP requests and answers in plaintext, this has detrimental effects on security.

Everyone will be safer and sensitive data will be protected if encryption is enabled by default.

Is HTTP/3 already available?

Website owners and visitors can begin receiving support for HTTP/3 through browsers, operating systems, and other clients even if the standard is still under development. Of course, given that the standard has already undergone multiple implementations, there will probably be additional modifications in the future.

The transition to HTTP/3 won’t happen overnight once it’s launched. Many websites are still not even using HTTP/2.

The fact that the new protocol calls for more CPU time on both the server and client might prove to be a barrier. As technology advances, the impact of this will probably lessen over time.

Source: Samrat Pradhan (DevOps Engineer) | Edit By: Salina Shree

CONTACT:
Swift Technology Pvt. Ltd.
3rd Floor, IME Complex
Panipokhari, Kathmandu
Nepal: swifttech.com.np

Tel: +977-1-4002555, 4002535, 4002538
Mobile: +977 9802096758
Visit our Website: swifttech.com.np

Follow us on: