HTTP / 3, everything you need to know about the latest version protocol
Estimated reading time: 5 minutes
Security researchers have just digested the HTTP / 2 protocol, but web innovators are already publishing an update: HTTP / 3. This technology offers performance gains and security benefits, but only if we overcome the implementation problems that await us for what appears to be an evolutionary change rather than a real revolution in the way the web works.
In this article I will try to clarify what the new HTTP / 3 protocol is, what its features are and how you can implement them to your web hosting through Cloudflare with the services offered by SOD. < / p>
What is HTTP/3 in detail
HTTP / 3 is a major update of the HyperText Transfer Protocol (HTTP), the technology that underlies the transfer of information on the web. HTTP / 3 runs on QUIC, an encrypted general transport protocol that “bundles” multiple data streams on a single connection.
QUIC was initially developed by Google and uses congestion control on User Datagram Protocol (UDP).
What is the relationship with HTTP/2?
HTTP / 2 has brought some improvements through non-blocking download technology, pipelining and server push that help overcome some limitations of the underlying TCP protocol HTTP / 2 as well as HTTP. Basically, with HTTP / 2 we can minimize the number of request – response cycles between client and server .
HTTP / 2 made it possible to send more than one resource on a single TCP connection, a process called multiplexing . The protocol provides greater flexibility in the order of static downloads and pages are no longer constrained by a linear progression of downloads.
It is possible to think of HTTP / 3 as the previous protocol which instead of using TCP for the transfer, uses QUIC, the protocol we mentioned above.
The benefits of the new protocol
The move to QUIC goes a long way towards solving one of the major HTTP/2 problems , namely “head of line blocking”, literally blocking the beginning of the line .
Since the parallel nature of HTTP/2 multiplexing is not visible to TCP’s loss recovery mechanisms, a lost or reordered packet causes all active transactions to stall , regardless of the whether or not a particular transaction was affected by the lost packet.
Since QUIC provides native multiplexing , lost packets only impact the streams in which the data was affected . The practical effect of upgrading to HTTP/3 is to reduce the latency of poor internet connections or frequent packet losses.
Furthermore, QUIC is almost entirely encrypted, which means that security is significantly improved with HTTP/3 . This built-in encryption means fewer opportunities for MitM ( manipulator-in-the-middle ) attacks. QUIC also includes other features that help protect against denial of service (DoS) exploits, which we discussed in another article in relation to ransomware.
QUIC combines its encrypted handshake and transport to allow connection to a new server in a single request . The same technology allows you to quickly resume a broken connection with the client sending encrypted application data in the first interaction. The protocol uses TLS 1.3 as a building block in its encrypted handshake.
Support for the new protocol
As of March 2021, the HTTP/3 protocol is still a standard draft and already has multiple implementations. Currently around 14.3% of the 10 million websites in existence support HTTP/3. For comparison, HTTP/2 is supported by 50.5% of platforms. Data source is W3Techs .
As far as browsers are concerned, the protocol is supported by stable versions of Chrome in a non-default way (from December 2019) and by Firefox (from January 2020).
The benefits of introducing HTTP/3
HTTP/3 should offer faster load times and better performance for websites, particularly on networks prone to frequent packet loss, than previous technologies.
Achiel van der Mandele, Cloudflare product manager explained: “ In a nutshell, we believe that HTTP/3 will make the internet better for everyone . HTTP/3 is the successor to HTTP/2, which offers better performance when loading websites.
“HTTP/3 users will benefit from faster connection setup and better performance on poor quality networks with high amounts of packet loss. Both of these improvements ensure that websites are load faster and more reliably, “Mandele told The Daily Swig .
Web protocol expert Robin Marx was more cautious about the benefits of HTTP/3:
“Performance should also benefit, albeit not by much in practice,” he said. “Removing the head-of-line block doesn’t matter that much for [things like] loading web pages.
“Most of the gains will come from shorter handshake setup times,” he explained, adding that HTTP/3 and QUIC are “an evolution, not a revolution” .
“Performance will be better, but not in a super noticeable way for things like web browsing,” Marx said. “ Security should be better and protect against different types of attacks “. ( Source )
Availability of the protocol
As we have seen, the new HTTP / 3 transfer protocol could be a notable evolution in security rather than performance, where it will significantly excel in setting handshakes . Not all hosting services are currently able to offer support for the new protocol.
We at SOD offer this through Cloudflare, our partner for CDNs. In our web hosting service it is possible to enable CDN for free and then set up support for the new HTTP / 3 via the Cloudflare panel itself.
For more information, do not hesitate to contact us, we will be happy to answer any questions.
- Network Traffic Analyzer: an extra gear for the Next Gen SIEM
- The importance of Cyber Threat Intelligence
- Red Team, Blue Team and Purple Team: what are the differences?
- Magecart attack: what it is and how to protect yourself
- 9 reasons why you should consider using a VPN
- The latest PDF phishing trends of 2020
- Predictive cybersecurity with our SOCaaS
- Secure Online Desktop 10 years later: our corporate anniversary
- Backup as a Service (2)
- Cloud Conference (3)
- Cloud CRM (1)
- Cloud Server/VPS (20)
- Conferenza Cloud (4)
- ICT Monitoring (4)
- Log Management (2)
- News (18)
- ownCloud (4)
- Privacy (7)
- Secure Online Desktop (14)
- Security (13)
- Web Hosting (15)
- Biden Administration Responds to Geopolitical Cyber Threats July 23, 2021In response to growing concerns regarding the recent uptick in large-scale, nation-state-backed ransomware attacks on critical infrastructure, the Biden administration is taking new action to tackle the evolving challenges posed by ransomware attacks.
- 7 Hot Cyber Threat Trends to Expect at Black Hat July 22, 2021A sneak peek of some of the main themes at Black Hat USA next month.
- Law Firm for Ford, Pfizer, Exxon Discloses Ransomware Attack July 19, 2021Campbell Conroy & O'Neil reports the attack affected personal data including Social Security numbers, passport numbers, and payment card data for some individuals.
- US Accuses China of Using Criminal Hackers in Cyber Espionage Operations July 19, 2021DOJ indicts four Chinese individuals for alleged role in attacks targeting intellectual property, trade secrets belonging to defense contractors, maritime companies, aircraft service firms, and others.
- How Gaming Attack Data Aids Defenders Across Industries July 19, 2021Web application attacks against the video game industry quadrupled in 2020 compared to the previous year, but companies outside entertainment can learn from the data.
- NSO Group Spyware Used On Journalists & Activists Worldwide July 19, 2021An investigation finds Pegasus spyware, intended for use on criminals and terrorists, has been used in targeted campaigns against others around the world.
- When Ransomware Comes to (Your) Town July 19, 2021While steps for defending against a ransomware attack vary based on the size of the government entity and the resources available to each one, rooting out ransomware ultimately will come down to two things: system architecture and partnerships.
- Breaking Down the Threat of Going All-In With Microsoft Security July 19, 2021Limit risk by dividing responsibility for infrastructure, tools, and security.
- 7 Ways AI and ML Are Helping and Hurting Cybersecurity July 19, 2021In the right hands, artificial intelligence and machine learning can enrich our cyber defenses. In the wrong hands, they can create significant harm.
- Researchers Create New Approach to Detect Brand Impersonation July 16, 2021A team of Microsoft researchers developed and trained a Siamese Neural Network to detect brand impersonation attacks.
- APPLE-SA-2021-07-21-7 Safari 14.1.2 July 23, 2021Posted by Apple Product Security via Fulldisclosure on Jul 23APPLE-SA-2021-07-21-7 Safari 14.1.2 Safari 14.1.2 addresses the following issues. Information about the security content is also available at https://support.apple.com/HT212606. WebKit Available for: macOS Catalina and macOS Mojave Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: A type confusion issue was addressed […]
- APPLE-SA-2021-07-21-6 tvOS 14.7 July 23, 2021Posted by Apple Product Security via Fulldisclosure on Jul 23APPLE-SA-2021-07-21-6 tvOS 14.7 tvOS 14.7 addresses the following issues. Information about the security content is also available at https://support.apple.com/HT212604. Audio Available for: Apple TV 4K and Apple TV HD Impact: A local attacker may be able to cause unexpected application termination or arbitrary code execution Description: […]
- APPLE-SA-2021-07-21-5 watchOS 7.6 July 23, 2021Posted by Apple Product Security via Fulldisclosure on Jul 23APPLE-SA-2021-07-21-5 watchOS 7.6 watchOS 7.6 addresses the following issues. Information about the security content is also available at https://support.apple.com/HT212605. ActionKit Available for: Apple Watch Series 3 and later Impact: A shortcut may be able to bypass Internet permission requirements Description: An input validation issue was addressed […]
- APPLE-SA-2021-07-21-4 Security Update 2021-005 Mojave July 23, 2021Posted by Apple Product Security via Fulldisclosure on Jul 23APPLE-SA-2021-07-21-4 Security Update 2021-005 Mojave Security Update 2021-005 Mojave addresses the following issues. Information about the security content is also available at https://support.apple.com/HT212603. AMD Kernel Available for: macOS Mojave Impact: An application may be able to execute arbitrary code with kernel privileges Description: A memory corruption […]
- APPLE-SA-2021-07-21-3 Security Update 2021-004 Catalina July 23, 2021Posted by Apple Product Security via Fulldisclosure on Jul 23APPLE-SA-2021-07-21-3 Security Update 2021-004 Catalina Security Update 2021-004 Catalina addresses the following issues. Information about the security content is also available at https://support.apple.com/HT212600. AMD Kernel Available for: macOS Catalina Impact: An application may be able to execute arbitrary code with kernel privileges Description: A memory corruption […]
- APPLE-SA-2021-07-21-2 macOS Big Sur 11.5 July 23, 2021Posted by Apple Product Security via Fulldisclosure on Jul 23APPLE-SA-2021-07-21-2 macOS Big Sur 11.5 macOS Big Sur 11.5 addresses the following issues. Information about the security content is also available at https://support.apple.com/HT212602. AMD Kernel Available for: macOS Big Sur Impact: An application may be able to execute arbitrary code with kernel privileges Description: A memory […]
- APPLE-SA-2021-07-21-1 iOS 14.7 and iPadOS 14.7 July 23, 2021Posted by Apple Product Security via Fulldisclosure on Jul 23APPLE-SA-2021-07-21-1 iOS 14.7 and iPadOS 14.7 iOS 14.7 and iPadOS 14.7 addresses the following issues. Information about the security content is also available at https://support.apple.com/HT212601. iOS 14.7 released July 19, 2021; iPadOS 14.7 released July 21, 2021 ActionKit Available for: iPhone 6s and later, iPad Pro […]
- ipython3 may execute code from the current working directory July 23, 2021Posted by Georgi Guninski on Jul 23Summary: under certain circumstances, ipython3 may execute code from the current working directory. This might be a problem if the current working directory is not trusted. python3 is safe. Tested on ubuntu 20. The following session illustrates it: [email protected]:~/tests/dir2$ pwd /home/joro/tests/dir2 [email protected]:~/tests/dir2$ ipython3 --version 7.13.0 [email protected]:~/tests/dir2$ ls ~/tests/dir1 a.py […]
- Cross-site Scripting vulnerability in Ampache 4.4.2 July 23, 2021Posted by Daniel Bishtawi via Fulldisclosure on Jul 23Hello, We are informing you about a Cross-site Scripting vulnerability in Ampache 4.4.2. Information -------------------- Advisory by Netsparker Name: Cross-site Scripting vulnerability in Ampache 4.4.2 Affected Software: Ampache Affected Versions: 4.4.2 Homepage: http://ampache.org/ Vulnerability: Cross-Site Scripting Severity: High Status: Fixed CVSS Score (3.0): 7.4 (High) Netsparker Advisory […]
- CFP for Hardwear.io Netherlands 2021 July 23, 2021Posted by Andrea Simonca on Jul 23Hardwear.io Security Trainings and Conference Netherlands 2021 28-29 October 2021, NH Hotel Den Haag, The Netherlands https://hardwear.io/netherlands-2021/ It is a pleasure to invite you to bring forward your cutting-edge research at Hardwear.io Netherlands 2021: Important Dates Deadline for submission: 20 August 2021 Notification of acceptance: 3 September 2021 Security […]
Tempo di lettura stimato: 6 minuti Ogni giorno sentiamo parlare di qualche nuova minaccia o vulnerabilità in ambi… https://t.co/nlHWBfE6QU
Tempo di lettura stimato: 9 minuti Agile working and smart working are now a daily reality for many workers. W… https://t.co/FXpigfCLJ8
Tempo di lettura stimato: 9 minuti Ormai, lavoro agile e smart working sono una realtà quotidiana per molti lavor… https://t.co/AVUdOnRQB7
Tempo di lettura stimato: 9 minuti Nel periodo 2019-2020 si è notato un drammatico aumento del 1160% dei file PDF… https://t.co/78xe9tC59h
Tempo di lettura stimato: 9 minuti There was a dramatic 1160% increase in malicious PDF files in 2019-2020. It… https://t.co/kB9TNUmDfE