The backbone of the network has received a major update
ANALYSIS The HTTP/3 protocol has been standardized as RFC 9114 – a boost for internet security, but not without hurdles for web developers.
This week, the Internet Engineering Task Force (IETF) released HTTP/3, published as RFC 9114.
The HTTP protocol is the backbone of the network. The Hypertext Transfer Protocol (HTTP) serves as an application layer to facilitate communication between servers and browsers, providing resources and transmitting data. HTTPS is HTTP with added security through encryption.
HTTP/3 is the latest revision of the HTTP protocol, taking over from 2015's HTTP/2. HTTP/3 is designed to address some of the performance issues inherent in HTTP/2, improving the user experience, reducing the impact of packet loss without head-of-line blocking, speeding up handshakes, and enabling encryption by default.
The protocol utilizes space congestion control over User Datagram Protocol (UDP).
One of the main differences in HTTP/3 is QUIC. Developed by Google, Quick UDP Internet Connections (QUIC) has been adopted by the IETF, and a tailored version provides a cornerstone of HTTP/3.
As noted by Cloudflare, implementing QUIC sets up encrypted connections by default at the transport layer, combining handshakes into one action and encrypting the metadata exchanged between connections.
Packet numbers and header information are therefore removed from the reach of eavesdroppers and attackers. This improvement may lower the success of manipulator-in-the-middle (MitM) attacks, IP spoofing, and denial-of-service attacks.
“This feature was not included in HTTP/2,” notes Cloudflare. “Encrypting this data helps keep sensitive information about user behavior out of the hands of attackers.”
Encryption at the transport layer is not the end of the story. Akamai says that because HTTP/3 runs over QUIC, it also paves the way for future innovations in encrypted transport and communication – as we’ve seen with the QUIC Datagram extension (RFC 9221), a technology to manage both UDP and TCP traffic securely.
In addition, the protocol supports zero round-trip time (0-RTT), introduced in TLS 1.3, which bypasses the handshake in trusted settings – but a disadvantage is that this could lead to replay attacks without proper protection.
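One common protection against 0-RTT replay is for the origin to refuse state-changing requests that arrive as early data and make the client retry after the handshake. The following is an added example, not part of the original article: it uses the `Early-Data` header and the 425 (Too Early) status from RFC 8470, which the article does not mention, and the `Origin` class, function names and sample requests are hypothetical.

```python
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS", "TRACE"})  # safe methods, RFC 9110
TOO_EARLY = 425  # "Too Early", RFC 8470


def is_early(headers, tls_early_data=False):
    """True if the local TLS/QUIC stack or an upstream proxy flagged 0-RTT delivery."""
    for name, value in headers.items():
        if name.lower() == "early-data" and value.strip() == "1":
            return True
    return tls_early_data


class Origin:
    """Hypothetical origin that counts the state-changing requests it applied."""

    def __init__(self):
        self.applied = 0

    def handle(self, method, headers, tls_early_data=False):
        if method.upper() in SAFE_METHODS:
            return 200  # assumes handlers for safe methods change no state
        if is_early(headers, tls_early_data):
            return TOO_EARLY  # a replayed copy would be indistinguishable: refuse
        self.applied += 1  # only reached once the handshake has completed
        return 200


def client_send(origin, method, headers):
    """Client side: try in 0-RTT, and on 425 retry once after the handshake."""
    status = origin.handle(method, headers, tls_early_data=True)
    if status == TOO_EARLY:
        status = origin.handle(method, headers, tls_early_data=False)
    return status


def demo():
    origin = Origin()
    transfer = {"Content-Type": "application/json"}  # constructed request headers
    first = client_send(origin, "POST", transfer)
    # Constructed replay: three copies of the captured 0-RTT flight, forwarded
    # by a proxy that marks them with Early-Data: 1.
    replays = [origin.handle("POST", {**transfer, "Early-Data": "1"}) for _ in range(3)]
    read = origin.handle("GET", {"Early-Data": "1"})
    return first, replays, read, origin.applied


if __name__ == "__main__":
    print(demo())
```

The legitimate request is applied exactly once, after the retry, while every replayed copy of the early-data flight is answered with 425 and never reaches application state.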
Rustam Lalkaka, product manager at Cloudflare, told us previously that while HTTP/3 has a range of security and performance benefits, enabling QUIC can be a difficult prospect for developers because many widely used technologies have yet to add QUIC and HTTP/3 support.
Some transit providers and ISPs may be hostile to UDP traffic, and implementing HTTP/3 may also increase CPU usage, affecting both servers and browsers.
Support for HTTP/3 has rolled out gradually across major browsers including Google Chrome, Mozilla Firefox and Microsoft Edge. Apple Safari also provides support, although at the time of writing, this has to be enabled in the ‘Experimental Features’ tab in the Developers menu.
Cloudflare scans revealed that the majority of Internet traffic is facilitated by HTTP/2. Most of the current HTTP/3 requests are made by Chrome users, followed by Edge and Firefox. Safari volumes are minimal, but Cloudflare expects them to increase after Apple enables HTTP/3 support by default.
Cloudflare Radar estimates that 8% of internet traffic is HTTP/1-based, followed by HTTP/2 at 67%, and HTTP/3 at 25%.