3

Recently Chrome, Firefox, cURL, etc. announced their support for HTTP/3 (it was earlier termed HTTP-over-QUIC).

How do you see its adaptation impact from the perspective of changes in:

  1. Applications (web-based, mobile, pure socket-based, etc.)

  2. Hosting infrastructures (web/app servers, firewalls, load balancers, CDNs, routers, switches, etc.) & ISPs, etc.

  3. Security (new threats, vulnerabilities, landscape of VAPT tools etc.)

  4. Congestion-control

Ivan Aracki
Yogesh

1 Answer

6

A very subjective question, so not sure it’s a great fit for here, but here’s my two cents:

  1. Shouldn’t make any further difference beyond what HTTP/2 did. It closes one edge case of that (lost packets can make HTTP/2 slower than HTTP/1.1) and also potentially brings some performance improvements to the initial connection setup. If you’ve not moved to, or optimised for, HTTP/2 then you may wish to consider that in preparation. Priorities are also due to get a rethink in HTTP/3, but it’s not decided how yet. At the end of the day it’s a transport layer change and the basic semantics of HTTP/2 don’t change, so to higher-level apps it should be fairly seamless, like HTTP/2 mostly was to HTTP/1.1 users.

  2. It’s UDP-based (with fallback to TCP-based HTTP/2 and/or HTTP/1.1), which will be fun to enable and set up! Also, TLS libraries need to change to support it, so it could be a while before we see it in some servers. CDNs are already leading the way and will be the easiest way of getting this. Like HTTP/2, it’s probably most important to have it on your edge server and then downgrade to HTTP/2 or even HTTP/1.1 for internal traffic beyond that. It’s also more fully encrypted, which will make it difficult to sniff and reroute traffic, as less information is readable to middleboxes than was in TCP.

  3. See answer 2 above, which will make it more difficult to sniff traffic. Also, it’s very new (not even fully finished and approved at the time of writing), so there may be implementation bugs like there were for HTTP/2 (for example), and some products will not support it initially. On the plus side, it’s only available over HTTPS, which is good for security.

Barry Pollard
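What a firewall or other middlebox can still read from a QUIC datagram, as an added example that is not part of the original answer: a parser for the version-independent header fields defined in RFC 8999. The function names and both sample datagrams are constructed for illustration.

```python
import struct

def _read_cid(buf: bytes, pos: int):
    """Read a one-byte length followed by that many connection ID bytes."""
    if pos >= len(buf):
        raise ValueError("truncated before connection ID length")
    length = buf[pos]
    end = pos + 1 + length
    if end > len(buf):
        raise ValueError("truncated connection ID")
    return buf[pos + 1:end], end

def visible_quic_fields(datagram: bytes) -> dict:
    """Return only what the QUIC invariants (RFC 8999) expose on the wire."""
    if not datagram:
        raise ValueError("empty datagram")
    if not datagram[0] & 0x80:
        # Short header: a destination connection ID follows, but its length
        # is not encoded, so an observer cannot delimit it from the rest.
        return {"form": "short", "opaque_bytes": len(datagram) - 1}
    if len(datagram) < 5:
        raise ValueError("truncated long header")
    (version,) = struct.unpack_from("!I", datagram, 1)
    dcid, pos = _read_cid(datagram, 5)
    scid, pos = _read_cid(datagram, pos)
    return {
        "form": "long",
        "version": version,          # 0 means Version Negotiation
        "dcid": dcid.hex(),
        "scid": scid.hex(),
        # Everything after the IDs is version-specific and cannot be
        # interpreted from the invariants alone.
        "opaque_bytes": len(datagram) - pos,
    }

# Constructed samples (not captured traffic).
SAMPLE_LONG = (bytes([0xC0]) + (1).to_bytes(4, "big") + bytes([8])
               + bytes.fromhex("0102030405060708") + bytes([0]) + b"\xaa" * 20)
SAMPLE_SHORT = bytes([0x40]) + b"\xbb" * 30

if __name__ == "__main__":
    for name, pkt in (("long", SAMPLE_LONG), ("short", SAMPLE_SHORT)):
        print(name, visible_quic_fields(pkt))
```

Compared with TCP, there are no visible sequence numbers, acknowledgements or flags here, so flow tracking on a QUIC-aware device has to rely on the UDP 4-tuple and the connection IDs.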