IETF publishes HTTP/3 RFC to take the web from TCP to UDP

Maps HTTP to QUIC to speed the web

The Internet Engineering Task Force on Monday published the RFC for HTTP/3, the third version of hypertext transport protocol.

As explained in an IETF summary:

The QUIC transport protocol has several features that are desirable in a transport for HTTP, such as stream multiplexing, per-stream flow control, and low-latency connection establishment. This document describes a mapping of HTTP semantics over QUIC. This document also identifies HTTP/2 features that are subsumed by QUIC and describes how HTTP/2 extensions can be ported to HTTP/3.

Let's unpack that a little.

QUIC stands for “Quick UDP Internet Connections” and was created by Google and revealed in 2013. Google developed QUIC to address the fact that Transport Control Protocol (TCP) needs a few back-and-forths to establish a connection and start moving data. It therefore produces long round-trip times which can translate into a poor user experience. QUIC instead uses the User Datagram Protocol (UDP) to carry traffic. UDP reduces the number of round trips between client and server, so speeds things up. This matters a lot on mobile networks, which when Google cooked up QUIC were slow and sparse. Mobile networks remain a very contested resource, so anything that speeds them up is welcome.

Google liked QUIC so much that in 2020 the ad giant baked it into its own Chrome browser and enabled it on its own services – a combo that in theory makes the experience of selling your digital soul to Google more pleasant (or at least involves fewer moments of delay and frustration than selling your soul to others).

Cloudflare implemented QUIC as an option in 2018.

Microsoft also liked QUIC so much it created its own version and open-sourced it. NGINX added HTTP/3 support.

But while QUIC's prevalence increased, much of the world's data traffic was still carried over HTTP/2, which relies on TCP. Slow, verbose, flaky, TCP.

So when networking boffins started to contemplate HTTP/3, way back in 2016, mapping it to QUIC made sense as a way to speed the web. But they also made sure HTTP/3 and HTTP/2 could co-exist.

On Monday June 6, their efforts effort produced RFC 9114 – a proposed standard.

The full RFC is over 20,000 words long and explains HTTP/3 in extraordinary detail.

HTTP/3 is already making waves. Cloudflare has revealed that its observations of the web suggest it is already the second-most-prevalent version of HTTP, but still a long way behind HTTP/2.

Cloudflare HTTP version prevalence data

Cloudflare HTTP version prevalence
HTTP/3 is the blue line. Click to enlarge

Cloudflare's analysis suggests 80 percent of HTTP/3 traffic comes from the Chrome browser. Quelle surprise.

The HTTP/3 RFC is technically offered as a proposed standard, but it's pretty much done and dusted, and effectively signed off, which is no surprise given the web heavyweights backing it.

But HTTP/3 still has critics, and competitors. Apache has held off adding the protocol to its web server, arguing that its own HTTPD does a fine job. Privacy advocates continue to worry about QUIC, as do networking wonks who've found its promised speed boost is elusive. So HTTP/3 is not a panacea.

But the debut of RFC 9114 is nonetheless a big moment. As Cloudflare put it: "Today, a cluster of Internet standards were published that rationalize and modernize the definition of HTTP."

There are not many days on which such statements can be uttered. ®

Other stories you might like

  • Makers of ad blockers and browser privacy extensions fear the end is near
    Overhaul of Chrome add-ons set for January, Google says it's for all our own good

    Special report Seven months from now, assuming all goes as planned, Google Chrome will drop support for its legacy extension platform, known as Manifest v2 (Mv2). This is significant if you use a browser extension to, for instance, filter out certain kinds of content and safeguard your privacy.

    Google's Chrome Web Store is supposed to stop accepting Mv2 extension submissions sometime this month. As of January 2023, Chrome will stop running extensions created using Mv2, with limited exceptions for enterprise versions of Chrome operating under corporate policy. And by June 2023, even enterprise versions of Chrome will prevent Mv2 extensions from running.

    The anticipated result will be fewer extensions and less innovation, according to several extension developers.

    Continue reading
  • I was fired for blowing the whistle on cult's status in Google unit, says contractor
    The internet giant, a doomsday religious sect, and a lawsuit in Silicon Valley

    A former Google video producer has sued the internet giant alleging he was unfairly fired for blowing the whistle on a religious sect that had all but taken over his business unit. 

    The lawsuit demands a jury trial and financial restitution for "religious discrimination, wrongful termination, retaliation and related causes of action." It alleges Peter Lubbers, director of the Google Developer Studio (GDS) film group in which 34-year-old plaintiff Kevin Lloyd worked, is not only a member of The Fellowship of Friends, the exec was influential in growing the studio into a team that, in essence, funneled money back to the fellowship.

    In his complaint [PDF], filed in a California Superior Court in Silicon Valley, Lloyd lays down a case that he was fired for expressing concerns over the fellowship's influence at Google, specifically in the GDS. When these concerns were reported to a manager, Lloyd was told to drop the issue or risk losing his job, it is claimed. 

    Continue reading
  • Google battles bots, puts Workspace admins on alert
    No security alert fatigue here

    Google has added API security tools and Workspace (formerly G-Suite) admin alerts about potentially risky configuration changes such as super admin passwords resets.

    The API capabilities – aptly named "Advanced API Security" – are built on top of Apigee, the API management platform that the web giant bought for $625 million six years ago.

    As API data makes up an increasing amount of internet traffic – Cloudflare says more than 50 percent of all of the traffic it processes is API based, and it's growing twice as fast as traditional web traffic – API security becomes more important to enterprises. Malicious actors can use API calls to bypass network security measures and connect directly to backend systems or launch DDoS attacks.

    Continue reading
  • FTC urged to probe Apple, Google for enabling ‘intense system of surveillance’
    Ad tracking poses a privacy and security risk in post-Roe America, lawmakers warn

    Democrat lawmakers want the FTC to investigate Apple and Google's online ad trackers, which they say amount to unfair and deceptive business practices and pose a privacy and security risk to people using the tech giants' mobile devices.

    US Senators Ron Wyden (D-OR), Elizabeth Warren (D-MA), and Cory Booker (D-NJ) and House Representative Sara Jacobs (D-CA) requested on Friday that the watchdog launch a probe into Apple and Google, hours before the US Supreme Court overturned Roe v. Wade, clearing the way for individual states to ban access to abortions. 

    In the days leading up to the court's action, some of these same lawmakers had also introduced data privacy bills, including a proposal that would make it illegal for data brokers to sell sensitive location and health information of individuals' medical treatment.

    Continue reading

Biting the hand that feeds IT © 1998–2022