HTTP/3 Cover Giacomo Lanzi

HTTP / 3, everything you need to know about the latest version protocol

Estimated reading time: 5 minutes

Security researchers have just digested the HTTP / 2 protocol, but web innovators are already publishing an update: HTTP / 3. This technology offers performance gains and security benefits, but only if we overcome the implementation problems that await us for what appears to be an evolutionary change rather than a real revolution in the way the web works.

In this article I will try to clarify what the new HTTP / 3 protocol is, what its features are and how you can implement them to your web hosting through Cloudflare with the services offered by SOD. < / p>

HTTP/3 fast network

What is HTTP/3 in detail

HTTP / 3 is a major update of the HyperText Transfer Protocol (HTTP), the technology that underlies the transfer of information on the web. HTTP / 3 runs on QUIC, an encrypted general transport protocol that “bundles” multiple data streams on a single connection.

QUIC was initially developed by Google and uses congestion control on User Datagram Protocol (UDP).

What is the relationship with HTTP/2?

HTTP / 2 has brought some improvements through non-blocking download technology, pipelining and server push that help overcome some limitations of the underlying TCP protocol HTTP / 2 as well as HTTP. Basically, with HTTP / 2 we can minimize the number of request – response cycles between client and server .

HTTP / 2 made it possible to send more than one resource on a single TCP connection, a process called multiplexing . The protocol provides greater flexibility in the order of static downloads and pages are no longer constrained by a linear progression of downloads.

It is possible to think of HTTP / 3 as the previous protocol which instead of using TCP for the transfer, uses QUIC, the protocol we mentioned above.

The benefits of the new protocol

The move to QUIC goes a long way towards solving one of the major HTTP/2 problems , namely “head of line blocking”, literally blocking the beginning of the line .

Since the parallel nature of HTTP/2 multiplexing is not visible to TCP’s loss recovery mechanisms, a lost or reordered packet causes all active transactions to stall , regardless of the whether or not a particular transaction was affected by the lost packet.

Since QUIC provides native multiplexing , lost packets only impact the streams in which the data was affected . The practical effect of upgrading to HTTP/3 is to reduce the latency of poor internet connections or frequent packet losses.

Furthermore, QUIC is almost entirely encrypted, which means that security is significantly improved with HTTP/3 . This built-in encryption means fewer opportunities for MitM ( manipulator-in-the-middle ) attacks. QUIC also includes other features that help protect against denial of service (DoS) exploits, which we discussed in another article in relation to ransomware.

QUIC combines its encrypted handshake and transport to allow connection to a new server in a single request . The same technology allows you to quickly resume a broken connection with the client sending encrypted application data in the first interaction. The protocol uses TLS 1.3 as a building block in its encrypted handshake.

Support for the new protocol

As of March 2021, the HTTP/3 protocol is still a standard draft and already has multiple implementations. Currently around 14.3% of the 10 million websites in existence support HTTP/3. For comparison, HTTP/2 is supported by 50.5% of platforms. Data source is W3Techs .

As far as browsers are concerned, the protocol is supported by stable versions of Chrome in a non-default way (from December 2019) and by Firefox (from January 2020).

HTTP/3 Secure connections

The benefits of introducing HTTP/3

HTTP/3 should offer faster load times and better performance for websites, particularly on networks prone to frequent packet loss, than previous technologies.

Achiel van der Mandele, Cloudflare product manager explained: “ In a nutshell, we believe that HTTP/3 will make the internet better for everyone . HTTP/3 is the successor to HTTP/2, which offers better performance when loading websites.

“HTTP/3 users will benefit from faster connection setup and better performance on poor quality networks with high amounts of packet loss. Both of these improvements ensure that websites are load faster and more reliably, “Mandele told The Daily Swig .

Web protocol expert Robin Marx was more cautious about the benefits of HTTP/3:

“Performance should also benefit, albeit not by much in practice,” he said. “Removing the head-of-line block doesn’t matter that much for [things like] loading web pages.

“Most of the gains will come from shorter handshake setup times,” he explained, adding that HTTP/3 and QUIC are “an evolution, not a revolution” .

“Performance will be better, but not in a super noticeable way for things like web browsing,” Marx said. “ Security should be better and protect against different types of attacks “. ( Source )

Availability of the protocol

As we have seen, the new HTTP / 3 transfer protocol could be a notable evolution in security rather than performance, where it will significantly excel in setting handshakes . Not all hosting services are currently able to offer support for the new protocol.

We at SOD offer this through Cloudflare, our partner for CDNs. In our web hosting service it is possible to enable CDN for free and then set up support for the new HTTP / 3 via the Cloudflare panel itself.

For more information, do not hesitate to contact us, we will be happy to answer any questions.

Link utili:

Useful links:

CloudFlare

Install a Let’s Encrypt certificate on Debian based machine

Share


RSS

More Articles…

Categories …

Tags

RSS Dark Reading

RSS Full Disclosure

  • Backdoor.Win32.Delf.eg / Unauthenticated Remote Command Execution October 3, 2022
    Posted by malvuln on Oct 03Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022 Original source: https://malvuln.com/advisory/de6220a8e8fcbbee9763fb10e0ca23d7.txt Contact: malvuln13 () gmail com Media: twitter.com/malvuln Threat: Backdoor.Win32.Delf.eg Vulnerability: Unauthenticated Remote Command Execution Description: The malware listens on TCP port 7401. Third-party adversarys who can reach infected systems can issue commands made available by the...
  • Backdoor.Win32.NTRC / Weak Hardcoded Credentials October 3, 2022
    Posted by malvuln on Oct 03Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022 Original source: https://malvuln.com/advisory/273fd3f33279cc9c0378a49cf63d7a06.txt Contact: malvuln13 () gmail com Media: twitter.com/malvuln Threat: Backdoor.Win32.NTRC Vulnerability: Weak Hardcoded Credentials Family: NTRC Type: PE32 MD5: 273fd3f33279cc9c0378a49cf63d7a06 Vuln ID: MVID-2022-0646 Disclosure: 10/02/2022 Description: The malware listens on TCP port 6767....
  • Wordpress plugin - WPvivid Backup - CVE-2022-2863. October 3, 2022
    Posted by Rodolfo Tavares via Fulldisclosure on Oct 03=====[ Tempest Security Intelligence - ADV-15/2022 ]========================== Wordpress plugin - WPvivid Backup - Version < 0.9.76 Author: Rodolfo Tavares Tempest Security Intelligence - Recife, Pernambuco - Brazil =====[ Table of Contents]================================================== * Overview * Detailed description * Timeline of disclosure * Thanks & Acknowledgements * References =====[ […]
  • ZKBioSecurity 3.0.5- Privilege Escalation to Admin (CVE-2022-36634) October 1, 2022
    Posted by Caio B on Sep 30#######################ADVISORY INFORMATION####################### Product: ZKSecurity BIO Vendor: ZKTeco Version Affected: 3.0.5.0_R CVE: CVE-2022-36634 Vulnerability: User privilege escalation #######################CREDIT####################### This vulnerability was discovered and researched by Caio Burgardt and Silton Santos. #######################INTRODUCTION####################### Based on the hybrid biometric technology and...
  • ZKBiosecurity - Authenticated SQL Injection resulting in RCE (CVE-2022-36635) October 1, 2022
    Posted by Caio B on Sep 30#######################ADVISORY INFORMATION####################### Product: ZKSecurity BIO Vendor: ZKTeco ( https://www.zkteco.com/en/ZKBiosecurity/ZKBioSecurity_V5000_4.1.2) Version Affected: 4.1.2 CVE: CVE-2022-36635 Vulnerability: SQL Injection (with a plus: RCE) #######################CREDIT####################### This vulnerability was discovered and researched by Caio Burgardt and Silton Santos....
  • Backdoor.Win32.Augudor.b / Remote File Write Code Execution September 27, 2022
    Posted by malvuln on Sep 27Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022 Original source: https://malvuln.com/advisory/94ccd337cbdd4efbbcc0a6c888abb87d.txt Contact: malvuln13 () gmail com Media: twitter.com/malvuln Threat: Backdoor.Win32.Augudor.b Vulnerability: Remote File Write Code Execution Description: The malware drops an empty file named "zy.exe" and listens on TCP port 810. Third-party adversaries who can reach the infected […]
  • Backdoor.Win32.Psychward.b / Weak Hardcoded Credentials September 27, 2022
    Posted by malvuln on Sep 27Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022 Original source: https://malvuln.com/advisory/0b8cf90ab9820cb3fcb7f1d1b45e4e57.txt Contact: malvuln13 () gmail com Media: twitter.com/malvuln Threat: Backdoor.Win32.Psychward.b Vulnerability: Weak Hardcoded Credentials Description: The malware listens on TCP port 8888 and requires authentication. However, the password "4174" is weak and hardcoded in cleartext within the PE...
  • Backdoor.Win32.Bingle.b / Weak Hardcoded Credentials September 27, 2022
    Posted by malvuln on Sep 27Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022 Original source: https://malvuln.com/advisory/eacaa12336f50f1c395663fba92a4d32.txt Contact: malvuln13 () gmail com Media: twitter.com/malvuln Threat: Backdoor.Win32.Bingle.b Vulnerability: Weak Hardcoded Credentials Description: The malware is packed using ASPack 2.11, listens on TCP port 22 and requires authentication. However, the password "let me in" is weak […]
  • SEC Consult SA-20220923-0 :: Multiple Memory Corruption Vulnerabilities in COVESA (Connected Vehicle Systems Alliance) DLT daemon September 27, 2022
    Posted by SEC Consult Vulnerability Lab, Research via Fulldisclosure on Sep 27SEC Consult Vulnerability Lab Security Advisory < 20220923-0 > ======================================================================= title: Multiple Memory Corruption Vulnerabilities product: COVESA DLT daemon (Diagnostic Log and Trace) Connected Vehicle Systems Alliance (COVESA), formerly GENIVI vulnerable version:
  • Backdoor.Win32.Hellza.120 / Authentication Bypass September 20, 2022
    Posted by malvuln on Sep 19Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022 Original source: https://malvuln.com/advisory/2cbd0fcf4d5fd5fb6c8014390efb0b21_B.txt Contact: malvuln13 () gmail com Media: twitter.com/malvuln Threat: Backdoor.Win32.Hellza.120 Vulnerability: Authentication Bypass Description: The malware listens on TCP ports 12122, 21. Third-party adversarys who can reach infected systems can logon using any username/password combination....

Customers

Newsletter