Building Next-Generation Web with HTTP/3

Author: Reza Saadat

Learn how to use HTTP/3 to build your next-generation web using Spirent CyberFlood, the only solution that proactively validates network performance and security with emulated HTTP/3 traffic.

HTTP (HyperText Transfer Protocol) was released in 1991 and it essentially powers the exchange of information over the web today. Since then, there have been several updates to HTTP intended to improve performance, usability, reliability, and security. Currently, HTTP/2 is most widely used, and it relies on TCP and optionally TLS.

HTTP/3 is the latest version and was standardized as RFC 9114 in June 2022. It runs over the new transport protocol QUIC, published in 2021 as RFC 9000. As of April 2022, HTTP/3 was supported by 72% of running Web browsers and 27% of the top one million websites.

Currently, over 45% of the top one million websites are using HTTP/2. HTTP/2 has been around for almost 8 years and was considered a game-changer in terms of how it allows data to be exchanged over the internet; it also ushered in several key features such as supporting multiple requests on a single TCP connection, supporting multiplexed bidirectional streaming, and increasing security by offering HTTP/2 over TLS.

Next-generation communication protocol for the next-gen web

With internet usage trending toward mobile devices, which can be on low-quality networks with high latency and packet loss, the inadequate performance and poor security and privacy of HTTP/2 have become problematic. That is why so many organizations have been eagerly awaiting and preparing for final approval of HTTP/3, the next-generation communication protocol for the next-generation Web. HTTP/3 offers the same semantics as earlier versions but differs in OSI stack implementation. The illustration below compares the protocol stacks of HTTP/1.1, HTTP/2, and HTTP/3.

The HTTP/3 implementation of HTTP over QUIC (Quick UDP Internet Connection) provides improved performance and reliability compared to HTTP/2. QUIC uses user-space congestion control over User Datagram Protocol (UDP) with shorter handshake setup times. QUIC also aims to fix a major drawback of HTTP/2 called "head-of-line blocking." This occurs because the inherently parallel nature of multiplexing in HTTP/2 is not aware of TCP's loss recovery mechanisms, so a lost or reordered packet causes all active transactions to stall, regardless of whether a given transaction was impacted by the packet loss. QUIC provides native multiplexing, so lost packets only impact the streams where data was lost.
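The head-of-line blocking difference described above, as an added example that is not from the original article or from Spirent: a toy Python model that delivers the same constructed packet schedule once under a single ordered byte stream (TCP-like) and once under per-stream ordering (QUIC-like). The function names, the three-stream schedule, and the 10-tick retransmission delay are assumptions chosen for illustration; congestion control and real packet numbering are not modeled.

```python
# Added example: toy model of head-of-line blocking (constructed schedule, not a real stack).
from collections import defaultdict

def make_packets(streams=3, per_stream=4):
    """Interleave streams round-robin; packet = (global_seq, stream_id, stream_seq)."""
    return [(s_seq * streams + sid, sid, s_seq)
            for s_seq in range(per_stream) for sid in range(streams)]

def arrival_order(pkts, lost_seq, retransmit_delay):
    """Packet `lost_seq` is dropped; its retransmission lands `retransmit_delay` ticks late."""
    return sorted((g + (retransmit_delay if g == lost_seq else 0), (g, sid, s))
                  for g, sid, s in pkts)

def completion_times(timed, per_stream_ordering):
    """Tick at which each stream's last packet is handed to the application."""
    remaining = defaultdict(int)
    for _, (_, sid, _) in timed:
        remaining[sid] += 1
    buffered, done = {}, {}
    next_needed = defaultdict(int)  # one counter per ordering domain
    for t, (g, sid, s) in timed:
        # TCP-like: one ordered byte stream shared by all requests (domain 0).
        # QUIC-like: each stream is its own ordering domain.
        domain, seq = (sid, s) if per_stream_ordering else (0, g)
        buffered[(domain, seq)] = sid
        # Release everything that is now contiguous in this domain.
        while (domain, next_needed[domain]) in buffered:
            owner = buffered.pop((domain, next_needed[domain]))
            next_needed[domain] += 1
            remaining[owner] -= 1
            if remaining[owner] == 0:
                done[owner] = t
    return done

def compare(lost_seq=3, retransmit_delay=10):
    """Return (TCP-like, QUIC-like) completion ticks for the same loss event."""
    timed = arrival_order(make_packets(), lost_seq, retransmit_delay)
    return (completion_times(timed, per_stream_ordering=False),
            completion_times(timed, per_stream_ordering=True))

if __name__ == "__main__":
    tcp_like, quic_like = compare()
    print("single ordered byte stream:", tcp_like)
    print("per-stream ordering:       ", quic_like)
```

With the default schedule, the lost packet belongs to stream 0: under the single byte stream all three streams finish only when the retransmission arrives, while under per-stream ordering streams 1 and 2 finish on time.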

Furthermore, QUIC resides between the transport and application layers, providing fault tolerance for data packet transmission over UDP. Its mandated support for TLS 1.3 and use of end-to-end encryption also improve the security and privacy of data in transit. HTTP/3 is essentially an upgrade for the user experience, including improvements in performance, reliability, and security compared to previous generations of HTTP.

The need for proactive network performance and security validation

With HTTP/3, QUIC’s use of UDP has benefits; however, it introduces potential unintended consequences for middleboxes (e.g., load balancers and deep packet inspection devices) as well as for the organization’s network. Spirent CyberFlood is currently the only solution that provides proactive validation of network performance and security with emulated malicious and non-malicious traffic including HTTP/3.

Learn how Spirent CyberFlood can help in assessing the performance and security strength of your organization’s network.


Reza Saadat

Senior Technical Marketing Engineer, Application and Security Group

Reza Saadat is a Senior Technical Marketing Engineer at Spirent in the Applications and Security group, with over 25 years of experience in computers and data communication technologies. At Spirent, Reza works with the Product Management, Engineering and Sales teams to bring to market new, cutting-edge applications and security testing solutions for network equipment manufacturers, enterprises, and service providers. His in-depth industry, market and software development knowledge as well as collaborative design and development skills have resulted in the creation of numerous hardware and software solutions, which have been successfully released at companies such as IBM Corp, Cisco Systems and many more.