CloudFlare intros HTTP/2, so we can ‘spend holiday time with our family’

So … erm, that’s a good thing, probably


CloudFlare is introducing HTTP/2 support for all of its users, to be available on all SSL/TLS connections – while still supporting SPDY – so netizens can spend more time with their families instead of waiting for pages to load this Christmas.

Talking to The Register on Tuesday night, CloudFlare CEO Matthew Prince explained the company's "multiple step rollout" of the future of the web.

"The first step really started when we turned on TLS. Thursday will be the second step, when we announce base protocol support for everyone," Prince said, before admitting "for most customers we've actually quietly already turned it on."

"The way we do rollouts is roll out to free customers in one particular data centre: free customers in Toronto in this instance. So as of last Wednesday, they went live, so that happened quietly, and over the holiday weekend in the US we've been expanding that to other data centres," said Prince.

"So, by the end of Tuesday we'd be done with the push (so it's in all facilities) and then Wednesday is just a day of buffer before the announcement on Thursday. The third step is what we're doing in the New Year," he added.

Dodging HTTP/2 scanners for "a massive spike" on Thursday, Prince stated that the rollout will be "a Christmas present to the internet".

"This is the first time that the underlying protocol of the internet, HTTP, has been updated since 1998, so it's a pretty big change on one level, but on another level it's just based on a protocol developed by Google called SPDY," said Prince.

While not initially developed to replace HTTP, the method in which it overrides connection management and data transfer formats has substantially informed the Internet Engineering Task Force's HTTP/2.

CloudFlare has supported SPDY for just over three years, and Prince claimed that "75 per cent of the top Alexa websites support SPDY because of CloudFlare".

"When HTTP/2, which was really an outgrowth of SPDY, came out, we committed to making sure this was available to all of our users, including those using our service for free. We don't believe you should pay a tax to be a part of the modern internet," said Prince.

"But the way we approached it was different from how some other vendors did, mostly tearing out SPDY and implementing HTTP/2. We wanted to make sure we covered HTTP 1.1 for the legacy browsers, SPDY for today's browsers (or yesterday's) and then also HTTP/2 for the small handful of browsers than can support it today, and the larger majority that could support it going forward," he added.

Asked whether CloudFlare would roll out the standard NGINX build, or if it had room to bring in some of HTTP/2's cooler features such as Server Push, Prince stated that the company had been using NGINX as part of its core, but it has updated it somewhat.

"The way it was implemented, it tore out the SPDY support and then added in HTTP/2 support," said Prince, "and what we found was if we used the stock NGINX build we would actually make the internet slower for over 50 per cent of our users, as a lot of the traffic came from browsers which supported SPDY and not HTTP/2."

"So we rewrote the module, and we plan to open source that in the new year and give that back to the NGINX community. Server Push will not be initially supported, but have a team working on it internally – and there are two parts to that."

Prince told The Register: "Part one is in supporting it in the NGINX lab, eventually to be contributed back to the open source community. The second part is to use our data to make an intelligent Server Push without you having to make application changes on your side."

"We serve a trillion page views a month across our network, and compared with HTTP 1.1, HTTP/2 for the average site it improves page loading by 2-3 seconds," said Prince. "That's not much, but across a month, that's 95,000 years of loading time saved. This is not just a present to our users, but our customers' customers. Two billion individual people pass through our network, effectively the entire active internet, and while for each one we save a tiny bit of time, it adds up to a lot more time amongst them all."

"That's more time can they can spend with their family during the holidays," Prince joked.

"HTTP/2 will be on by default for free and pro+ customers," said Prince, "then for business and large customers, including the UK government, it will be an option they can toggle on in their control panel starting on Thursday." ®

Similar topics

Narrower topics


Other stories you might like

  • Google, EFF back Cloudflare in row over pirate streams
    Ban akin to 'ordering a telephone company to prevent a person from having conversations' over its lines

    Google, EFF, and the Computer and Communications Industry Association (CCIA) have filed court documents supporting Cloudflare after it was sued for refusing to block a streaming site.

    Earlier this year, a handful of Israel-based media companies took Israel.tv to court, accusing it of streaming TV and movie content it had no right to distribute. The corporations — United King Film Distribution, D.B.S. Satellite Services, HOT Communication Systems, Charlton, Reshet Media and Keshet Broadcasting — won the lawsuit after Israel.tv's creators failed to show up to their hearings, and the judge ordered Israel-tv.com, Israel.tv and Sdarot.tv each pay $7,650,000 in damages. 

    In a more surprising move, however, the media outfits also won an injunction [PDF] in the United States in April against a slew of internet companies, among others, banning them from aiding Israel.tv in its piracy.

    Continue reading
  • Cloudflare explains how it managed to break the internet
    'Network engineers walked over each other's changes'

    A large chunk of the web (including your own Vulture Central) fell off the internet this morning as content delivery network Cloudflare suffered a self-inflicted outage.

    The incident began at 0627 UTC (2327 Pacific Time) and it took until 0742 UTC (0042 Pacific) before the company managed to bring all its datacenters back online and verify they were working correctly. During this time a variety of sites and services relying on Cloudflare went dark while engineers frantically worked to undo the damage they had wrought short hours previously.

    "The outage," explained Cloudflare, "was caused by a change that was part of a long-running project to increase resilience in our busiest locations."

    Continue reading
  • Cloudflare says it thwarted record-breaking HTTPS DDoS flood
    26m requests a second? Not legit traffic, not even Bill Gates doing $1m giveaways could manage that

    Cloudflare said it this month staved off another record-breaking HTTPS-based distributed denial-of-service attack, this one significantly larger than the previous largest DDoS attack that occurred only two months ago.

    In April, the biz said it mitigated an HTTPS DDoS attack that reached a peak of 15.3 million requests-per-second (rps). The flood last week hit a peak of 26 million rps, with the target being the website of a company using Cloudflare's free plan, according to Omer Yoachimik, product manager at Cloudflare.

    Like the attack in April, the most recent one not only was unusual because of its size, but also because it involved using junk HTTPS requests to overwhelm a website, preventing it from servicing legit visitors and thus effectively falling off the 'net.

    Continue reading
  • Man gets two years in prison for selling 200,000 DDoS hits
    Over 2,000 customers with malice on their minds

    A 33-year-old Illinois man has been sentenced to two years in prison for running websites that paying customers used to launch more than 200,000 distributed denial-of-services (DDoS) attacks.

    A US California Central District jury found the Prairie State's Matthew Gatrel guilty of one count each of conspiracy to commit wire fraud, unauthorized impairment of a protected computer and conspiracy to commit unauthorized impairment of a protected computer. He was initially charged in 2018 after the Feds shut down 15 websites offering DDoS for hire.

    Gatrel, was convicted of owning and operating two websites – DownThem.org and AmpNode.com – that sold DDoS attacks. The FBI said that DownThem sold subscriptions that allowed the more than 2,000 customers to run the attacks while AmpNode provided customers with the server hosting. AmpNode spoofed servers that could be pre-configured with DDoS attack scripts and attack amplifiers to launch simultaneous attacks on victims.

    Continue reading
  • Big Tech shrank the internet while growing its own power
    Classic internet ideas matter less now that CDNs and private networks dominate traffic

    Comment The internet has become smaller, the result of a rethinking of when and where to use the 'net's intended architecture. In the process it may also have further concentrated power in the hands of giant technology companies.

    Given the ever-expanding content and resources available online, and proliferation of connected devices, the notion that the internet has shrunk is counter-intuitive. But shrunk it has – to the point at which some iPhones do not immediately connect to the open internet.

    Those phones are iPhones running the latest version of Apple's iOS and the opt-in service called Private Relay. The iGiant bills Private Relay as a privacy enhancement because it obscures users' DNS lookups and IP addresses by funneling traffic over networks operated by Cloudflare, according to specs set by Apple.

    Continue reading
  • Cloudflare stomps huge DDoS attack on crypto platform
    At 15.3 million requests per second, the assault was the largest HTTPS blitz on record lasting 15 seconds

    Cloudflare this month halted a massive distributed denial-of-service (DDoS) attack on a cryptocurrency platform that not only was unusual in its sheer size but also because it was launched over HTTPS and primarily originated from cloud datacenters rather than residential internet service providers (ISPs).

    At 15.3 million requests-per-second (rps), the DDoS bombardment was one of the largest that the internet infrastructure company has seen, and the largest HTTPS attack on record.

    It lasted less than 15 seconds and targeted a crypto launchpad, which Cloudflare analysts in a blog post said are "used to surface Decentralized Finance projects to potential investors."

    Continue reading

Biting the hand that feeds IT © 1998–2022