GlobalSign Blog

HTTP/3: Has your company adopted it yet?

HTTP/3: Has your company adopted it yet?

What is HTTP protocol?

When accessing websites, you may have noticed that the web address begins with HTTP. Standing for “Hypertext Transfer Protocol,” HTTP is the foundation for any data exchange happening in the web. The client and the server communicate through individual message exchange, where the client sends requests and the server answers with messages called response. HTTP allows web browsers, such as Mozilla or Google Chrome, to communicate with the server where the website is hosted.

HTTP is continuously evolving and is used to upgrade security and reliability in the world wide web.

In this blog, we will cover everything you need to know about the latest HTTP protocol known as HTTP/3. So, hold on to your hat, as there will be some technical terms ahead that may be difficult to digest at first, but with careful explanation will ultimately be worth it.

What is the latest HTTP protocol?

Since its creation in 1991, HTTP has gone through multiple milestone versions starting with HTTP/0.9 that allowed clients to retrieve HTML documents from the server. Fast forward to 2022, HTTP/3 has been standardized by the Internet Engineering Task Force (IETF). This latest version of the HTTP features improvements in connection speed and stability.

How much faster is HTTP/3?

HTTP/3 takes pride in being fast. It reduces connection time significantly by decreasing the number of handshakes required to build a secure session. This is made possible through the shift from Transmission Control Protocol (TCP) that is used in HTTP/2 to User Datagram Protocol (UDP). The use of UDP enables quicker user experience and connections.

In a test done by Request Metrics that requested three different sites from a computer in Minnesota to a datacentre in London, HTTP/3 was found to be 600ms faster than HTTP/2 for small sites, 1200ms faster for content sites, and 1000ms faster for Single Page Applications. This evidences the improvement from HTTP/3’s predecessor!

General_http_banner_assets_1_APAC_09_08_2022.png

Is HTTP/3 a UDP and where is it being used?

The transition from being TCP-based to UDP-based is the biggest change from HTTP/2 to HTTP/3. The successor runs on QUIC, relying on the UDP to increase efficiency and speed in data transmission.

Right now, various websites have already transitioned to HTTP/3. Facebook and Google have shifted to this new version. Overall, HTTP/3 is deemed beneficial for websites that would require faster action time.

What is a UDP?

To understand HTTP/3 better, let us first discuss what UDP is. This is a communications protocol that establishes low-latency and loss-tolerating connections on the web. UDP is very useful for time-sensitive transmissions, as it speeds up communications through sending data packets, called datagrams, directly without forming a firm connection with the receiver.

HTTP/3: A UDP-Based Protocol

From TCP that is used in HTTP/2, HTTP/3 is a UDP-based protocol that significantly boosts data transmission speed. Through QUIC, HTTP/3 adapts to the needs of a fast-paced world, where time-sensitive activities such as streaming, online gaming, and using voice over IP (VoIP) applications are heavily used.

Why does HTTP/3 use UDP instead of TCP?

TCP’s major downside is head-of-line blocking. With the requirement for packets to arrive in order, if one packet is lost, then the entire process will stop until it is retransmitted. Therefore, TCP connections tend to be slower.

HTTP/3 fixes this problem through using UDP, allowing data transmission to proceed despite lost packets. This makes it more robust in poor network conditions and in cases where users are moving between networks. HTTP/3 provides flexibility and efficiency for its users.

What is HTTP/3?

Previously known as HTTP-over-QUIC, HTTP/3 is an upgrade from HTTP/2. Using QUIC means HTTP/3 relies on UDP – establishing faster connections and providing low-latency and high performance.

General_http_banner_assets_cover_1_APAC_09_08_2022.png

What is QUIC?

We keep talking about QUIC, but what is it really? QUIC (Quick UDP Internet Connections), initially developed by Google, is an encrypted transport protocol that uses UDP communications protocols to make web browsing more efficient. This is designed for portable devices that switch networks multiple times in a day. Developed in 2012, QUIC was adopted by the IETF as they started creating the HTTP/3 standard.

What is QUIC protocol used for?

From the name itself, QUIC prioritizes speed and is often used for applications and services that require high-speed transmissions. The use of QUIC is beneficial for platforms catering to activities like streaming, watching videos, conferencing, and instant messaging. Moreover, QUIC has also been adopted by platforms that require stable and fast connections.

So far, the Google umbrella (including YouTube, Hangouts, and Blogger), Facebook, and other top websites are now all QUIC-based.

HTTP/3 and QUIC

HTTP/1.1 and HTTP/2 have used TCP as their transport. While HTTP/2 gives multiplexing, TCP constrains its capabilities in the event packet loss happens. On the other hand, HTTP/3 runs through QUIC, an improvement that aims to fix the head-of-line blocking issue of HTTP/2.

Using QUIC allows HTTP/3 to function efficiently, removing the need for a TCP three-way handshake. This feature massively reduces connection establishment latency.

Is QUIC same as HTTP/3?

Others often confuse QUIC with HTTP/3. While not the same, HTTP/3 uses QUIC, and QUIC could be labelled as the foundation of the newest HTTP version.

HTTP/3 security

Upgrades in HTTP often increase reliability, performance, and security of the protocol. The evolution to HTTP/3 boasts security feature improvements in various areas:

HTTP/3 offers end-to-end encryption. While TCP ensures that payload encryption is present through data transmission, transport-specific information may still be unencrypted. With HTTP/3 using QUIC, information is encrypted by default including window, packet flag, and options. This helps protect data from attacks during transport. HTTP/3 ensures TLS secure connectivity. QUIC uses TLS 1.3 and has mandated encryptions for all connections, ensuring security. QUIC also establishes cryptographic protections using the keys from the TLS handshake. QUIC provides full forward secrecy, even to initial messages between the user-agent and server. HTTP/3 eliminates any IP spoofing attacks.

HTTP/3 and HTTPS

Using HTTPS (S stands for secure) instructs browsers on TLS involvement in communications. TLS ensures that data is encrypted and unreadable despite possible attacks. In HTTP/2 and older versions, HTTPS may not be automatic. However, TLS is built in QUIC, ensuring secure connections through encryption.

Is HTTP/3 secure?

With its encryption capabilities and other security features, HTTP/3 is the most secure version of HTTP, lowering the possibility of breaches caused by IP-spoofing and manipulator-in-the-middle attacks.

HTTP/3 advantages and disadvantages

Using HTTP/3 poses multiple benefits to its users. HTTP/3 offers a faster transmission of packets, more stable internet connection, shorter loading times, and advanced security measures.

These advantages are a response to the weak points of TCP. Digital bottlenecks are present in HTTP/2, as TCP stops the transmission process in the event of lost packets. HTTP/3 runs through QUIC that is built for more flexible users, maintaining stable connection despite network changes. Because of end-to-end encryption, HTTP/3 significantly improves security on the internet.

Despite the advantages, HTTP/3 can cause challenges especially in its initial adoption. There is a potential lack of monitoring support. Network appliances, such as application firewalls, reverse/forward proxies, and security event monitoring tools do not fully support HTTP/3. Thus, most detection tools may not be able to flag QUIC attacks. This problem, however, could be solved once full adaptation for QUIC has been implemented to improve security tools.

Should I use HTTP/3?

If your business aims to increase productivity, connection reliability, and overall security in the technological space, then you surely could benefit from using HTTP/3. Major websites have now adopted this latest version!

Who uses HTTP/3

W3Techs has reported that 25% of the top 10 million websites now use HTTP/3. Some of the popular sites using HTTP/3 include Google, Facebook, YouTube, Instagram, and recently, CNN, Airbnb, IMDB and Indeed.

HTTP/3 vs HTTP/2 vs HTTP 1.1

Both HTTP/1.1 and HTTP/2 are HTTP-over-TCP. Both these versions share semantics. uses methods like GET and POST to ensure that requests and responses reach their destinations as traditionally formatted messages. The key difference is HTTP/1.1 transfers messages in plain-text, while HTTP/2 encodes the messages into binary, allowing for significantly different delivery model possibilities. This property of HTTP/2 addresses the performance issue of HTTP/1, reducing memory and processing footprint throughout the network.

However, there remains to be processing issues in HTTP/2 mostly due to TCP’s method of transmitting packets. Head-of-line blocking is still prevalent, and HTTP/3 is developed to solve this. Being an HTTP-over-QUIC, HTTP/3 reduces latency and decreases the effect of packet loss. This enables a faster connection establishment and zero round-trip time (0-RTT). Aside from this, QUIC offers end-to-end encryption by default, mitigating attacks throughout transport.

How to turn on HTTP/3

HTTP/3 can be manually enabled in your browser. In Chrome, HTTP/3 can be enabled by launching the command line: --enable-quic --quic-version=h3-27:

Firefox requires at least Firefox 75. This can be done through setting network.http.http3.enabled to true in about:config.

HTTP/3 can also be enabled in other browsers.

Which browsers are compatible with HTTP/3?

Multiple browsers are now compatible with HTTP/3. Below table shows the list of browsers that support HTTP/3:

Browser Version
Edge 87-103
Firefox 88-104
Chrome 87-106
Opera 74-87
Android Browser 97-103
Samsung Internet 14-17

Edge and HTTP/3

Edge fully supports HTTP/3 starting 2020. The new version of HTTP is enabled by default in Edge 87 onwards. Edge 79 was also the first version based on Chromium.

Firefox and HTTP/3

Beginning April 2021, Firefox 88 has fully supported HTTP/3 and is enabled by default.

Chrome and HTTP/3

Earlier versions of Chrome implemented other drafts of QUIC. However, Chrome was formally fully supporting HTTP/3 in version 87 starting April 2020.

Upgrading to HTTP/3 can surely help in your organization’s goal to achieve improved efficiency, reliability, flexibility, and security. Make the switch now and experience enhanced connection performance through QUIC!

Share this Post

Related Blogs