HTTP (HyperText Transfer Protocol) was released in 1991 and it essentially powers the exchange of information over the web today. Since then, there have been several updates to HTTP intended to improve performance, usability, reliability, and security. Currently, HTTP/2 is most widely used, and it relies on TCP and optionally TLS.
HTTP/3 is the latest version and was standardized as RFC 9114 in June 2022. It runs over the new transport protocol QUIC, published in 2021 as RFC 9000. As of April 2022, HTTP/3 was supported by 72% of running Web browsers and 27% of the top one million websites.
Currently, over 45% of the top one million websites are using HTTP/2. HTTP/2 has been around for almost 8 years and was considered a game-changer in terms of how it allows data to be exchanged over the internet; it also ushered in several key features such as supporting multiple requests on a single TCP connection, supporting multiplexed bidirectional streaming, and increasing security by offering HTTP/2 over TLS.
Next-generation communication protocol for the next-gen web
With internet usage trending toward mobile devices, which can be on low-quality networks with high latency and packet losses, the inadequate performance and poor security and privacy of HTTP/2 have become problematic. That is why so many organizations have been eagerly awaiting and preparing for final approval of HTTP/3, the next-generation communication protocol for the next-generation Web. HTTP/3 offers the same semantics as earlier versions but differs in OSI stack implementation. The illustration below compares the protocol stacks of HTTP/1.1, HTTP/2, and HTTP/3.
The HTTP/3 implementation of HTTP over QUIC (Quick UDP Internet Connection) provides improved performance and reliability compared to HTTP/2. QUIC uses user-space congestion control over User Datagram Protocol (UDP) with shorter handshake setup times. QUIC also aims to fix a major drawback of HTTP/2 called "head-of-line blocking," which occurs because the inherently parallel nature of multiplexing in HTTP/2 is not aware of TCP's loss recovery mechanisms, and therefore a lost or reordered packet causes all active transactions to stall regardless of whether that transaction was impacted by the packet loss. QUIC provides native multiplexing, and therefore lost packets only impact the streams where data was lost.
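The head-of-line blocking difference described above can be made concrete with a small simulation. This is an added example, not part of the original article: the function names, the one-stream-per-packet model and the sample packet sequence are assumptions, and congestion control is ignored.

```python
from collections import defaultdict

def arrival_ticks(n_packets, lost_seq, retransmit_delay):
    """Packet i arrives at tick i; the lost one arrives retransmit_delay ticks late."""
    return [i + (retransmit_delay if i == lost_seq else 0) for i in range(n_packets)]

def completion_single_ordered_stream(send_order, arrivals):
    """HTTP/2 over TCP: the connection is one ordered byte stream, so packet i
    reaches the application only after packets 0..i have all arrived."""
    done, ready = {}, 0
    for stream, tick in zip(send_order, arrivals):
        ready = max(ready, tick)      # a gap anywhere earlier holds everything back
        done[stream] = ready          # last packet of a stream sets its completion
    return done

def completion_per_stream_ordering(send_order, arrivals):
    """HTTP/3 over QUIC: ordering is enforced per stream, so a packet waits only
    for earlier packets of its own stream."""
    ready = defaultdict(int)
    for stream, tick in zip(send_order, arrivals):
        ready[stream] = max(ready[stream], tick)
    return dict(ready)

# Constructed sample: three responses (A, B, C) interleaved on one connection,
# one stream per packet. Packet 1 (the first packet of B) is lost and its
# retransmission arrives 20 ticks late.
SEND_ORDER = ["A", "B", "C", "A", "B", "C", "A", "B", "C"]
ARRIVALS = arrival_ticks(len(SEND_ORDER), lost_seq=1, retransmit_delay=20)

if __name__ == "__main__":
    tcp = completion_single_ordered_stream(SEND_ORDER, ARRIVALS)
    quic = completion_per_stream_ordering(SEND_ORDER, ARRIVALS)
    for s in sorted(tcp):
        print(f"stream {s}: TCP-style done at tick {tcp[s]:2d}, "
              f"QUIC-style done at tick {quic[s]:2d}")
```

With the single ordered stream, all three responses finish only when the retransmission lands; with per-stream ordering, only the stream that lost data waits.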
Furthermore, QUIC resides between the transport and application layers, providing fault tolerance for data packet transmission over UDP. Its mandated support for TLS 1.3 and usage of end-to-end encryption provide improvements in security and privacy of data in transit as well. HTTP/3 is essentially an upgrade for the user experience, including improvements in performance, reliability, and security compared to previous generations of HTTP.
The need for proactive network performance and security validation
With HTTP/3, QUIC’s use of UDP has benefits; however, it introduces potential unintended consequences for middleboxes (e.g., load balancers and deep packet inspection devices) as well as the organization’s network. Spirent CyberFlood is currently the only solution that provides proactive validation of network performance and security with emulated malicious and non-malicious traffic including HTTP/3.
Learn how Spirent CyberFlood can help in assessing the performance and security strength of your organization’s network.