HTTP/2 explained

Developer:IETF

HTTP/2 (originally named HTTP/2.0) is a major revision of the HTTP network protocol used by the World Wide Web. It was derived from the earlier experimental SPDY protocol, originally developed by Google.[1] [2] HTTP/2 was developed by the HTTP Working Group (also called httpbis, where "" means "twice") of the Internet Engineering Task Force (IETF).[3] [4] HTTP/2 is the first new version of HTTP since HTTP/1.1, which was standardized in in 1997. The Working Group presented HTTP/2 to the Internet Engineering Steering Group (IESG) for consideration as a Proposed Standard in December 2014,[5] [6] and IESG approved it to publish as Proposed Standard on February 17, 2015 (and was updated in February 2020 in regard to TLS 1.3 and again in June 2022).[7] [8] The initial HTTP/2 specification was published as on May 14, 2015.[9]

The standardization effort was supported by Chrome, Opera, Firefox,[10] Internet Explorer 11, Safari, Amazon Silk, and Edge browsers.[11] Most major browsers had added HTTP/2 support by the end of 2015.[12] About 97% of web browsers used have the capability (and 100% of "tracked desktop" web browsers)., 36% (after topping out at just over 50%) of the top 10 million websites support HTTP/2.[13]

Its successor is HTTP/3, a major revision that builds on the concepts established by HTTP/2.[14] [15]

Goals

The working group charter mentions several goals and issues of concern:[16]

Differences from HTTP/1.1

The proposed changes do not require any changes to how existing web applications work, but new applications can take advantage of new features for increased speed. HTTP/2 leaves all of HTTP/1.1's high-level semantics, such as methods, status codes, header fields, and URIs, the same. What is new is how the data is framed and transported between the client and the server.[17]

Websites that are efficient minimize the number of requests required to render an entire page by minifying (reducing the amount of code and packing smaller pieces of code into bundles, without reducing its ability to function) resources such as images and scripts. However, minification is not necessarily convenient nor efficient and may still require separate HTTP connections to get the page and the minified resources. HTTP/2 allows the server to "push" content, that is, to respond with data for more queries than the client requested. This allows the server to supply data it knows a web browser will need to render a web page, without waiting for the browser to examine the first response, and without the overhead of an additional request cycle.[18]

Additional performance improvements in the first draft of HTTP/2 (which was a copy of SPDY) come from multiplexing of requests and responses to avoid some of the head-of-line blocking problem in HTTP 1 (even when HTTP pipelining is used), header compression, and prioritization of requests.[19] However, as HTTP/2 runs on top of a single TCP connection there is still potential for head-of-line blocking to occur if TCP packets are lost or delayed in transmission.[20] HTTP/2 no longer supports HTTP/1.1's chunked transfer encoding mechanism, as it provides its own, more efficient, mechanisms for data streaming.[21]

History

Genesis in and later differences from SPDY

SPDY (pronounced like "speedy") was a previous HTTP-replacement protocol developed by a research project spearheaded by Google.[22] Primarily focused on reducing latency, SPDY uses the same TCP pipe but different protocols to accomplish this reduction. The basic changes made to HTTP/1.1 to create SPDY included "true request pipelining without FIFO restrictions, message framing mechanism to simplify client and server development, mandatory compression (including headers), priority scheduling, and even bi-directional communication".[23]

The HTTP Working Group considered Google's SPDY protocol, Microsoft's HTTP Speed+Mobility proposal (SPDY based), and Network-Friendly HTTP Upgrade.[24] In July 2012, Facebook provided feedback on each of the proposals and recommended HTTP/2 be based on SPDY.[25] The initial draft of HTTP/2 was published in November 2012 and was based on a straight copy of SPDY.[26]

The biggest difference between HTTP/1.1 and SPDY was that each user action in SPDY is given a "stream ID", meaning there is a single TCP channel connecting the user to the server. SPDY split requests into either control or data, using a "simple to parse binary protocol with two types of frames".[23] [27] SPDY showed evident improvement over HTTP, with a new page load speedup ranging from 11% to 47%.[28]

The development of HTTP/2 used SPDY as a jumping-off point. Among the many detailed differences between the protocols, the most notable is that HTTP/2 uses a fixed Huffman code-based header compression algorithm, instead of SPDY's dynamic stream-based compression. This helps to reduce the potential for compression oracle attacks on the protocol, such as the CRIME attack.

On February 9, 2015, Google announced plans to remove support for SPDY in Chrome in favor of support for HTTP/2.[29] This took effect starting with Chrome 51.[30] [31]

Development milestones

Date Milestone
December 20, 2007[32] [33] First HTTP/1.1 Revision Internet Draft
January 23, 2008[34] First HTTP Security Properties Internet Draft
Early 2012[35] Call for Proposals for HTTP 2.0
October 14 – November 25, 2012[36] [37] Working Group Last Call for HTTP/1.1 Revision
November 28, 2012[38] [39] First WG draft of HTTP 2.0, based upon draft-mbelshe-httpbis-spdy-00
Held/EliminatedWorking Group Last Call for HTTP Security Properties
September 2013[40] [41] Submit HTTP/1.1 Revision to IESG for consideration as a Proposed Standard
February 12, 2014[42] IESG approved HTTP/1.1 Revision to publish as a Proposed Standard
June 6, 2014[43] Publish HTTP/1.1 Revision as
August 1, 2014 – September 1, 2014[44] Working Group Last call for HTTP/2
December 16, 2014 Submit HTTP/2 to IESG for consideration as a Proposed Standard
December 31, 2014 – January 14, 2015[45] IETF Last Call for HTTP/2
January 22, 2015[46] IESG telechat to review HTTP/2 as Proposed Standard
February 17, 2015 IESG approved HTTP/2 to publish as Proposed Standard
May 14, 2015[47] Publish HTTP/2 as
February 2020

HTTP/2 with TLS 1.3

June 2022

Further refinements

April 2024 DOS issues with CONTINUATION frames https://kb.cert.org/vuls/id/421644

Encryption

HTTP/2 is defined both for HTTP URIs (i.e. without TLS encryption, a configuration which is abbreviated in) and for HTTPS URIs (over TLS using ALPN extension[48] where TLS 1.2 or newer is required, a configuration which is abbreviated in).

Although the standard itself does not require usage of encryption,[49] all major client implementations (Firefox,[50] Chrome, Safari, Opera, IE, Edge) have stated that they will only support HTTP/2 over TLS, which makes encryption de facto mandatory.[51]

Criticisms

Development process

The FreeBSD and Varnish developer Poul-Henning Kamp asserts that the standard was prepared on an unrealistically short schedule, ruling out any basis for the new HTTP/2 other than the SPDY protocol and resulting in other missed opportunities for improvement. Kamp criticizes the protocol itself for being inconsistent and having needless, overwhelming complexity. He also states that the protocol violates the protocol layering principle, for example by duplicating flow control that belongs in the transport layer (TCP). He also suggested that the new protocol should have removed HTTP Cookies, introducing a breaking change.

Encryption

Initially, some members of the Working Group tried to introduce an encryption requirement in the protocol. This faced criticism.

Critics stated that encryption has non-negligible computing costs and that many HTTP applications actually have no need for encryption and their providers have no desire to spend additional resources on it. Encryption proponents have stated that this encryption overhead is negligible in practice.[52] Poul-Henning Kamp has criticized the IETF for hastily standardizing Google's SPDY prototype as HTTP/2 due to political considerations.[53] [54] [55] The criticism of the agenda of mandatory encryption within the existing certificate framework is not new, nor is it unique to members of the open-source community a Cisco employee stated in 2013 that the present certificate model is not compatible with small devices like routers, because the present model requires not only annual enrollment and remission of non-trivial fees for each certificate, but must be continually repeated on an annual basis.[56] In the end the Working Group did not reach consensus over the mandatory encryption,[49] although most client implementations require it, which makes encryption a de facto requirement.

The HTTP/2 protocol also faced criticism for not supporting opportunistic encryption, a measure against passive monitoring similar to the STARTTLS mechanism that has long been available in other Internet protocols like SMTP. Critics have stated that the HTTP/2 proposal goes in violation of IETF's own "Pervasive Monitoring Is an Attack", which also has a status of Best Current Practice 188.[57] RFC7258/BCP188 mandates that passive monitoring be considered as an attack, and protocols designed by IETF should take steps to protect against passive monitoring (for example, through the use of opportunistic encryption). A number of specifications for opportunistic encryption of HTTP/2 have been provided,[58] [59] [60] of which draft-nottingham-http2-encryption was adopted as an official work item of the working group, leading to the publication of in May 2017.

TCP head-of-line blocking

Although the design of HTTP/2 effectively addresses the HTTP-transaction-level head-of-line blocking problem by allowing multiple concurrent HTTP transactions, all those transactions are multiplexed over a single TCP connection, meaning that any packet-level head-of-line blocking of the TCP stream simultaneously blocks all transactions being accessed via that connection. This head-of-line blocking in HTTP/2 is now widely regarded as a design flaw, and much of the effort behind QUIC and HTTP/3 has been devoted to reduce head-of-line blocking issues.[61] [62]

Server-side support

See main article: Comparison of web server software.

Server software

The following web servers support HTTP/2:

Content delivery networks

Implementations

See also

External links

Notes and References

  1. Web site: HTTP/2 finished, coming to browsers within weeks. Bright, Peter. February 18, 2015. Ars Technica . live . https://web.archive.org/web/20190330154621/http://arstechnica.com/information-technology/2015/02/http2-finished-coming-to-browsers-within-weeks/ . Mar 30, 2019 .
  2. News: Cimpanu. Catalin. HTTP-over-QUIC to be renamed HTTP/3 . Nov 12, 2018 . en. ZDNet. 2018-11-19.
  3. News: Thomson. M. . Belshe . M. . R. . Peon . November 29, 2014 . Hypertext Transfer Protocol version 2: draft-ietf-httpbis-http2-16. Ietf Datatracker. HTTPbis Working Group. February 11, 2015.
  4. Web site: IETF HTTP Working Group. httpwg.org . en. 2019-12-15.
  5. Web site: History for draft-ietf-httpbis-http2-16. January 3, 2015. IETF. "2014-12-16 IESG state changed to Publication Requested".
  6. Web site: Wait for it – HTTP/2 begins Working Group Last Call!. https://web.archive.org/web/20141006091749/https://msopentech.com/blog/2014/08/06/wait-for-it-http2-begins-working-group-last-call/. Raymor. Brian. August 6, 2014. Microsoft Open Technologies. October 6, 2014. 2018-10-17.
  7. Protocol Action: 'Hypertext Transfer Protocol version 2' to Proposed Standard (draft-ietf-httpbis-http2-17.txt). February 17, 2015. The IESG. February 18, 2015. httpbis.
  8. Web site: HTTP/2 Approved. Mark Nottingham. Internet Engineering Task Force. ietf.org. February 18, 2015. March 8, 2015.
  9. RFC 7540 - Hypertext Transfer Protocol Version 2 (HTTP/2). IETF. May 2015. 10.17487/RFC7540 . May 14, 2015. Belshe . M. . Peon . R. . Thomson . M. . M . Thomson . free .
  10. Web site: See what's new in Firefox!. February 2015. Mozilla Foundation. www.mozilla.org.
  11. Web site: Can the rise of SPDY threaten HTTP?. October 2011. Restlet, Inc.. blog.restlet.com. July 23, 2012. https://web.archive.org/web/20140106205213/http://blog.restlet.com/2011/10/06/can-the-rise-of-spdy-threaten-http/. January 6, 2014. dead.
  12. Web site: "HTTP/2" Can I use... Support tables for HTML5, CSS3, etc . 2023-04-03 . canIuse.com.
  13. Web site: Usage of HTTP/2 for websites. World Wide Web Technology Surveys. W3Techs. July 10, 2023.
  14. Hypertext Transfer Protocol Version 3 (HTTP/3) . Bishop. Mike . 2019-07-09. Ietf Datatracker. en. 2019-07-31.
  15. Web site: Cloudflare, Google Chrome, and Firefox add HTTP/3 support. ZDNet. September 26, 2019. September 27, 2019. dmy-all. Catalin. Cimpanu.
  16. Web site: HTTP (httpbis) . Internet Engineering Task Force Datatracker . live . https://web.archive.org/web/20240106112614/https://datatracker.ietf.org/wg/httpbis/charter/ . Jan 6, 2024 .
  17. Book: Chapter 12: HTTP 2.0. https://hpbn.co/http2/. High Performance Browser Networking. Ilya Grigorik. O'Reilly Media, Inc.. HTTP/2 does not modify the application semantics of HTTP in any way.
  18. Web site: Pratt. Michael. Apiux. March 19, 2014. apiux.com.
  19. News: HTTP 2.0 First Draft Published. Dio Synodinos . November 2012. C4Media Inc. . InfoQ.com.
  20. Web site: How does HTTP/2 solve the Head of Line blocking (HOL) issue. Javier Garza. October 2017.
  21. Hypertext Transfer Protocol Version 2 (HTTP/2). Mike. Belshe. Martin. Thomson. tools.ietf.org. en. 2017-11-17. Roberto. Peon. M. . Thomson . May 2015. 10.17487/RFC7540 . HTTP/2 uses DATA frames to carry message payloads. The "chunked" transfer encoding defined in Section 4.1 of [RFC7230] MUST NOT be used in HTTP/2. free.
  22. Web site: S&M vs. SPDY: Microsoft and Google battle over the future of HTTP 2.0. ExtremeTech. Sebastian Anthony. March 28, 2012.
  23. Web site: Grigorik. Ilya. Life beyond HTTP 1.1: Google's SPDY.
  24. News: Proposal for a Network-Friendly HTTP Upgrade. March 29, 2012. Willy Tarreau. Amos Jeffries. Adrien de Croy. Poul-Henning Kamp. Network Working Group. Internet Engineering Task Force.
  25. Web site: HTTP2 Expression of Interest. Doug Beaver. July 15, 2012. mailing list. W3C.
  26. Web site: Dio Synodinos . 2012-11-30 . HTTP/2 First Draft Published . InfoQ .
  27. Book: Ilya, Grigorik. HTTP/2 : a new excerpt from high performance browser networking. O'Reilly Media. 2015. 9781491932483. May 2015, First. Sebastopol, Calif.. 211–224. 1039459460.
  28. Web site: SPDY: An experimental protocol for a faster web. The Chromium Projects.
  29. Web site: Hello HTTP/2, Goodbye SPDY. Chromium Blog. Update: To better align with Chrome's release cycle, SPDY and NPN support will be removed with the release of Chrome 51. . 2015-02-09. Chris Bentzel. Bence Béky.
  30. Web site: API Deprecations and Removals in Chrome 51 . TL;DR: Support for HTTP/2 is widespread enough that SPDY/3.1 support can be dropped..
  31. Web site: Shadrin. Nick. Supporting HTTP/2 for Google Chrome Users NGINX. NGINX. July 10, 2017. June 7, 2016.
  32. Web site: Nottingham, Mark. June 7, 2014. RFC2616 is Dead. September 20, 2014.
  33. Web site: December 20, 2007. [//tools.ietf.org/html/draft-ietf-httpbis-p1-messaging-00 HTTP/1.1, part 1: URIs, Connections, and Message Parsing: draft-ietf-httpbis-p1-messaging-00]. September 20, 2014.
  34. Web site: January 23, 2008. [//tools.ietf.org/html/draft-ietf-httpbis-security-properties-00 Security Requirements for HTTP: draft-ietf-httpbis-security-properties-00.txt]. September 20, 2014.
  35. Web site: Nottingham, Mark. January 24, 2012. Rechartering HTTPbis. September 20, 2014.
  36. Web site: Nottingham, Mark. October 14, 2012. Working Group Last Call for HTTP/1.1 p1 and p2. September 20, 2014.
  37. Web site: Nottingham, Mark. October 23, 2012. Second Working Group Last Call for HTTP/1.1 p4 to p7. September 20, 2014.
  38. Web site: November 28, 2012. [//tools.ietf.org/html/draft-ietf-httpbis-http2-00 SPDY Protocol: draft-ietf-httpbis-http2-00]. September 20, 2014. HTTPbis Working Group.
  39. Web site: Nottingham, Mark. November 30, 2012. First draft of HTTP/2. September 20, 2014.
  40. Web site: Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing. June 6, 2014 . live. https://web.archive.org/web/20140813234916/https://datatracker.ietf.org/doc/rfc7230/. August 13, 2014. September 20, 2014. mdy-all . Fielding . Roy T. . Reschke . Julian .
  41. Web site: October 21, 2013. Last Call: (Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing) to Proposed Standard. September 20, 2014. The IESG.
  42. Protocol Action: 'Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing' to Proposed Standard (draft-ietf-httpbis-p1-messaging-26.txt). February 12, 2014. January 18, 2015. ietf-announce. The IESG.
  43. RFC 7230 on Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing. June 6, 2014. January 18, 2015. ietf-announce. The RFC Editor Team.
  44. Web site: Nottingham, Mark. August 1, 2014. Working Group Last Call: draft-ietf-httpbis-http2-14 and draft-ietf-httpbis-header-compression-09. September 7, 2014. HTTP Working Group.
  45. Web site: 2014. Last Call: <draft-ietf-httpbis-http2-16.txt> (Hypertext Transfer Protocol version 2) to Proposed Standard from The IESG on 2014-12-31. January 1, 2015. Internet Engineering Task Force.
  46. Web site: IESG Agenda: 2015-01-22. dead. https://web.archive.org/web/20150115201808/https://datatracker.ietf.org/iesg/agenda/. January 15, 2015. January 15, 2015. IETF. mdy-all.
  47. RFC 7540 on Hypertext Transfer Protocol Version 2 (HTTP/2). The RFC Editor Team. May 14, 2015. ietf-announce.
  48. RFC 7301 - Transport Layer Security (TLS) Application-Layer Protocol Negotiation Extension. IETF. July 2014. 10.17487/RFC7301 . Friedl . S. . Popov . A. . Langley . A. . Stephan . E. . free .
  49. Web site: HTTP/2 Frequently Asked Questions. September 8, 2014. IETF HTTP Working Group.
  50. Web site: Networking/http2. MozillaWiki. September 7, 2014.
  51. Web site: HTTP/2 Implementation Status. mnot’s blog.
  52. Web site: Is TLS Fast Yet?. Ilya. Grigorik. 30 December 2015.
  53. HTTP/2.0 – The IETF is Phoning It In (Bad protocol, bad politics). January 6, 2015. ACM Queue. Poul-Henning . Kamp . Poul-Henning Kamp.
  54. 10.1145/2717515. Http/2.0. Communications of the ACM. 58. 3. 40. 2015. Kamp. P. H.. 20337779.
  55. ietf-http-wg@w3.org . Re: Last Call: (Hypertext Transfer Protocol version 2) to Proposed Standard. January 7, 2015. January 12, 2015. Poul-Henning . Kamp . Poul-Henning Kamp.
  56. ietf-http-wg@w3.org. Mandatory encryption *is* theater. August 25, 2013. January 26, 2015. Eliot. Lear.
  57. ietf-http-wg@w3.org. Re: Last Call: (Hypertext Transfer Protocol version 2) to Proposed Standard. January 9, 2015. January 12, 2015. Constantine A.. Murenin.
  58. Web site: [//tools.ietf.org/html/draft-hoffman-httpbis-minimal-unauth-enc-01 Minimal Unauthenticated Encryption (MUE) for HTTP-2: draft-hoffman-httpbis-minimal-unauth-enc-01]. Internet Engineering Task Force. Paul Hoffman.
  59. Web site: [//tools.ietf.org/html/draft-nottingham-http2-encryption-03 Opportunistic Encryption for HTTP URIs: draft-nottingham-http2-encryption-03]. Internet Engineering Task Force. Mark Nottingham. Martin Thomson.
  60. News: Opportunistic Security for HTTP: draft-ietf-httpbis-http2-encryption-01. Internet Engineering Task Force. Mark Nottingham. Martin Thomson. Ietf Datatracker .
  61. Web site: A Quick Look at QUIC. www.circleid.com. en. 2019-08-02. Geoff . Huston. 2019-03-04.
  62. Web site: The Full Picture on HTTP/2 and HOL Blocking. Gal. Shauli. 2017-06-22. Medium. en. 2019-08-03.
  63. Web site: http/2 module for apache httpd. July 28, 2015.
  64. Web site: Apache 2.4.17 release changelog. August 22, 2017.
  65. Web site: mod_spdy is now an Apache project. Matthew Steele. June 19, 2014. Google Developers Blog.
  66. Web site: Log of /httpd/mod_spdy. February 3, 2017 . svn.apache.org.
  67. Web site: Apache Tomcat Migration. July 29, 2016.
  68. Web site: Apache Traffic Server Downloads. trafficserver.apache.org. September 21, 2015.
  69. Web site: Server. Caddy Web. Caddy 2 - The Ultimate Server with Automatic HTTPS. 2020-08-08. caddyserver.com. March 23, 2016.
  70. Web site: 2016-08-02. Charles 4 has HTTP/2. 2020-10-12. Public Object. en.
  71. Web site: 3 Simple Steps to Bring HTTP/2 Performance to Legacy Web Applications. September 22, 2015.
  72. Web site: Sucuri += HTTP/2 — Announcing HTTP/2 Support. Sucuri. November 27, 2015 . December 5, 2015.
  73. Web site: Goodbye SPDY, Hello HTTP/2. September 18, 2015. Robert Haynes. F5 Networks.
  74. Web site: New features, capabilities added to Barracuda Web Application Firewall. Risov Chakrabortty. July 5, 2016 . Barracuda Networks.
  75. Web site: H2O - the optimized HTTP/2 server. h2o.examp1e.net.
  76. Web site: What's New in HAProxy 1.8. haproxy.com. February 9, 2018. November 2017 .
  77. Web site: Jetty change log. May 28, 2015. Eclipse Foundation.. May 28, 2015.
  78. Web site: LSWS 5.0 Is Out – Support for HTTP/2, ESI, LiteMage Cache. April 17, 2015.
  79. Web site: HTTP/2: The Long-Awaited Sequel. October 8, 2014. Rob Trace. David Walp. MSDN IEBlog. Microsoft Corporation.
  80. Web site: Netty.news: Netty 4.1.0.Final released. netty.io. June 1, 2016.
  81. Web site: nginx changelog. www.nginx.com. 2015-09-22.
  82. Web site: Changes with nginx 1.14.2 . December 4, 2018 . nginx.org . 2019-09-27.
  83. Web site: Node v8.13.0 (LTS). Foundation. Node js. Node.js. November 20, 2018 . en. 2019-06-05.
  84. Web site: Node http2. www.github.com. July 26, 2016.
  85. Web site: Node v8.4.0 (Current). nodejs.org. August 15, 2017.
  86. News: ASP.NET Core 2.2.0-preview1: HTTP/2 in Kestrel. 2021-04-06. en-US.
  87. Web site: OpenLiteSpeed 1.4.5 change log. February 26, 2015. LiteSpeed Technologies, Inc.. February 26, 2015.
  88. Web site: Pulse Virtual Traffic Manager. August 22, 2017.
  89. Web site: Radware Combines an Integrated HTTP/2 Gateway with its Leading Fastview Technology to Provide Web Server Platforms Increased Acceleration. July 20, 2015.
  90. Web site: www.shimmercat.com. March 23, 2016. March 23, 2016. March 31, 2022. https://web.archive.org/web/20220331025648/https://www.shimmercat.com/. dead.
  91. Web site: Why PageCDN, and what problem does it solve?. PageCDN. January 11, 2020.
  92. Web site: HTTP/2 is here! Goodbye SPDY? Not quite yet. CloudFlare. December 5, 2015.
  93. Web site: Krasnov. Vlad. Announcing Support for HTTP/2 Server Push. CloudFlare. May 18, 2016. April 28, 2016.
  94. Web site: Amazon CloudFront now supports HTTP/2. Amazon Web Services, Inc.. 2016-09-08.
  95. Web site: Announcing Limited Availability for HTTP/2. June 30, 2016 . August 22, 2017.
  96. Web site: HTTP/2 is here: What You Need to Know. November 1, 2015.
  97. Web site: HTTP/2 more at risk to cyber attacks?. 2016-08-03. Information Age. en. 2019-02-04.