HTTP/2

HTTP/2 (originally named HTTP/2.0) is the second major version of the HTTP network protocol used by the World Wide Web. It is based on SPDY.[1] HTTP/2[2] is being developed by the Hypertext Transfer Protocol working group (httpbis, where bis means "repeat" or "twice") of the Internet Engineering Task Force.[3] HTTP/2 would be the first new version of HTTP since HTTP 1.1, which was standardized in RFC 2068 in 1997. The Working Group presented HTTP/2 to IESG for consideration as a Proposed Standard in December 2014,[4][5] and IESG approved it to publish as Proposed Standard on Feb 17, 2015.[6][7]

The standardization effort came as an answer to SPDY, an HTTP-compatible protocol developed by Google[8] and supported in Chrome, Opera, Firefox, Internet Explorer 11, Safari, and Amazon Silk browsers.[9]

Goals

The working group charter mentions several goals and issues of concern:[3]

Differences from HTTP 1.1

The proposed changes do not require any changes to how existing web applications work, but new applications can take advantage of new features for increased speed.[10]

HTTP/2 leaves most of HTTP 1.1's high level syntax, such as methods, status codes, header fields, and URIs, the same. The element that is modified is how the data is framed and transported between the client and the server.[10]

Websites that are efficient minimize the number of requests required to render an entire page by minifying (reducing the amount of code and packing smaller pieces of code into bundles, without reducing its ability to function) resources such as images and scripts. However, minification is not necessarily convenient nor efficient, and may still require separate HTTP connections to get the page and the minified resources. HTTP/2 allows the server to "push" content, that is, to respond with data for more queries than the client requested. This allows the server to supply data it knows a web browser will need to render a web page, without waiting for the browser to examine the first response, and without the overhead of an additional request cycle.[11]

Additional performance improvements in the first draft of HTTP/2 (which was a copy of SPDY) come from multiplexing of requests and responses to avoid the head-of-line blocking problem in HTTP 1 (even when HTTP pipelining is used), header compression, and prioritization of requests.[12]

Genesis in and later differences from SPDY

SPDY (pronounced like "speedy") is a research project spearheaded by Google that is also an applicable protocol, designed for the transportation of information and other content on the web. SPDY primarily focuses on reducing latency. SPDY uses the same TCP pipe but different protocols to accomplish this reduction. The basic changes made to HTTP 1.1 to create SPDY include: "true request pipelining without FIFO restrictions, message framing mechanism to simplify client and server development, mandatory compression (including headers), priority scheduling, and even bi-directional communication".[13]

The httpbis working group considered Google's SPDY protocol, Microsoft's HTTP Speed+Mobility proposal (SPDY based),[8] and Network-Friendly HTTP Upgrade.[14] In July 2012 Facebook provided feedback on each of the proposals and recommended HTTP/2 be based on SPDY.[15] The initial draft of HTTP/2 was published in November 2012 and was based on a straight copy of SPDY.[16]

The biggest difference between HTTP/1.1 and SPDY, is that each user action in SPDY is given a "stream ID", meaning there is a single TCP channel connecting the user to the server. SPDY splits requests into either control or data, which is a "simple to parse binary protocol with two types of frames."[13] SPDY has shown evident improvement from HTTP, with a new page load speedup ranging from 11.81% to 47.7%.[17]

HTTP/2 uses SPDY as a jumping-off point. HTTP/2, however, uses a fixed Huffman code-based header compression algorithm, instead of SPDY's dynamic stream-based compression. This helps to reduce the potential for attacks on the protocol.

On February 9, 2015, Google announced plans to remove support for SPDY in Chrome by early 2016, in favor of support for HTTP/2, starting with Chrome 40.[18]

Encryption

HTTP/2 is defined for both HTTP URIs (i.e. without encryption) and for HTTPS URIs (over TLS, where TLS 1.2 or newer is required).[19]

Although the standard itself does not require usage of encryption,[20] most client implementations (Firefox,[21] Chrome) have stated that they will only support HTTP/2 over TLS, which makes encryption de facto mandatory.

Criticisms

HTTP/2 development process and the protocol itself faced a lot of criticism.

It has been pointed out that the standard was being prepared on an unrealistically short schedule, what ruled out any basis for the new HTTP/2 other than the SPDY protocol and resulted in missing a lot of ripe opportunities.[22]

The protocol itself is criticized for being inconsistent and having needless, overwhelming complexity.[22] It also violates protocol layering principle,[22] for example by duplicating flow control with transport layer (TCP). The most discussions, however, have been caused by encryption-related issues.

Encryption

Initially, some members of Working Group were trying to push encryption requirement into the protocol. This faced criticism, because encrypted connections require more server and client computing power and their initialization takes noticeably more time. Critics stated that many HTTP applications (like big news sites for example) have actually no need for encryption and their providers have no desire to spend additional resources on it. Poul-Henning Kamp, lead developer of varnish HTTP accelerator and a senior FreeBSD kernel developer, has criticised IETF for following a particular political agenda with HTTP/2.[22][23][24] The criticism of the agenda of mandatory encryption within the existing certificate framework is not new, nor is it unique to members of the open-source community – a Cisco employee pointed out in 2013 that the present certificate model is not compatible with small devices like the routers, because the present model requires not only annual enrollment and remission of non-trivial fees for each certificate, but must be continually repeated on an annual basis.[25] Working Group finally did not reach consensus over the mandatory encryption,[20] although most client implementations require it, which makes encryption a de facto requirement.

The HTTP/2 protocol also faced criticism for not supporting opportunistic encryption, a feature like STARTTLS that has long been available in other internet protocols like SMTP. It has been pointed out that the HTTP/2 proposal goes in violation of IETF's own RFC7258 "Pervasive Monitoring Is an Attack", which also has a status of Best Current Practice 188.[26] RFC7258/BCP188 mandates that passive monitoring be considered as an attack, and protocols designed by IETF should take steps to protect against passive monitoring (for example, through the use of opportunistic encryption). A number of specifications for opportunistic encryption of HTTP/2 have been provided,[27][28][29] of which draft-ietf-httpbis-http2-encryption-01 is an official work item of the working group.

Development milestones

Status Date Milestone[3]
Done Dec 20, 2007[30][31] First HTTP 1.1 Revision Internet Draft
Done January 23, 2008[32] First HTTP Security Properties Internet Draft
Done Early 2012[33] Call for Proposals for HTTP 2.0
Done Oct 14, 2012 – Nov 25, 2012[34][35] Working Group Last Call for HTTP 1.1 Revision
Done Nov 28, 2012[36][37] First WG draft of HTTP 2.0, based upon draft-mbelshe-httpbis-spdy-00
Held/Eliminated Working Group Last Call for HTTP Security Properties
Done Sep 2013[38][39] Submit HTTP 1.1 Revision to IESG for consideration as a Proposed Standard
Done Feb 12, 2014[40] IESG approved HTTP 1.1 Revision to publish as a Proposed Standard
Done June 6, 2014[30][41] Publish HTTP 1.1 Revision as RFC 7230, 7231, 7232, 7233, 7234, 7235
Done Aug 1, 2014 – Sep 1, 2014[5][42] Working Group Last call for HTTP/2
Done Dec 16, 2014[4] Submit HTTP/2 to IESG for consideration as a Proposed Standard
Done Dec 31, 2014 – Jan 14, 2015[43] IETF Last Call for HTTP/2
Done Jan 22, 2015[44] IESG telechat to review HTTP/2 as Proposed Standard
Done Feb 17, 2015[6] IESG approved HTTP/2 to publish as Proposed Standard
Planned Publish HTTP/2 as an RFC

Browser support

HTTP/HTTPS servers

Support
SPDY, but no HTTP/2
Not planned
Implementations

See also

References

  1. Bright, Peter (Feb 18, 2015). "HTTP/2 finished, coming to browsers within weeks". Ars Technica.
  2. Thomson, M. (ed. ), Belshe M. and R. Peon. "Hypertext Transfer Protocol version 2 - draft-ietf-httpbis-http2-16". ietf.org. HTTPbis Working Group. Retrieved 11 February 2015.
  3. 3.0 3.1 3.2 "Hypertext Transfer Protocol Bis (httpbis) - Charter". Internet Engineering Task Force. 2012.
  4. 4.0 4.1 "History for draft-ietf-httpbis-http2-16". IETF. Retrieved 2015-01-03. 2014-12-16 IESG state changed to Publication Requested
  5. 5.0 5.1 Raymor, Brian (August 7, 2014). "Wait for it – HTTP/2 begins Working Group Last Call!". Microsoft Open Technologies. Retrieved 2014-09-07.
  6. 6.0 6.1 The IESG (17 Feb 2015). "Protocol Action: 'Hypertext Transfer Protocol version 2' to Proposed Standard (draft-ietf-httpbis-http2-17.txt)". httpbis (Mailing list). Retrieved 18 February 2015.
  7. Mark Nottingham (February 18, 2015). "HTTP/2 Approved". www.ietf.org. Internet Engineering Task Force. Retrieved March 8, 2015.
  8. 8.0 8.1 Sebastian Anthony (March 28, 2012). "S&M vs. SPDY: Microsoft and Google battle over the future of HTTP 2.0". ExtremeTech.
  9. "Can the rise of SPDY threaten HTTP?". blog.restlet.com. Restlet, Inc. October 2011.
  10. 10.0 10.1 Ilya Grigorik. "Chapter 12: HTTP 2.0". High Performance Browser Networking. O'Reilly Media, Inc. Retrieved 19 March 2014.
  11. Pratt, Michael. "Apiux". apiux.com. Retrieved 19 March 2014.
  12. Dio Synodinos (November 2012). "HTTP 2.0 First Draft Published". InfoQ.com (C4Media Inc.).
  13. 13.0 13.1 Grigorik, Ilya. "Life beyond HTTP 1.1: Google's SPDY".
  14. Willy Tarreau; Amos Jeffries; Adrien de Croy; Poul-Henning Kamp (March 29, 2012). "Proposal for a Network-Friendly HTTP Upgrade". Network Working Group. Internet Engineering Task Force.
  15. Doug Beaver (July 15, 2012). "HTTP2 Expression of Interest" (mailing list). W3C.
  16. Dio Synodinos (2012-11-30). "HTTP/2 First Draft Published". InfoQ.
  17. "SPDY: An experimental protocol for a faster web". The Chromium Projects.
  18. Chris Bentzel; Bence Béky (2015-02-09). "Hello HTTP/2, Goodbye SPDY". Chromium Blog.
  19. Belshe, M.; Peon, R.; Thomson, M. "Hypertext Transfer Protocol Version 2, Use of TLS Features". Retrieved 2015-02-10.
  20. 20.0 20.1 "HTTP/2 Frequently Asked Questions". IETF HTTP Working Group. Retrieved 2014-09-08.
  21. 21.0 21.1 "Networking/http2". MozillaWiki. Retrieved 2014-09-07.
  22. 22.0 22.1 22.2 22.3 Kamp, Poul-Henning (2015-01-06). "HTTP/2.0 – The IETF is Phoning It In (Bad protocol, bad politics)". ACM Queue. Retrieved 2015-01-12.
  23. Kamp, P. H. (2015). "Http/2.0". Communications of the ACM 58 (3): 40. doi:10.1145/2717515.
  24. Kamp, Poul-Henning (2015-01-07). "Re: Last Call: <draft-ietf-httpbis-http2-16.txt> (Hypertext Transfer Protocol version 2) to Proposed Standard". ietf-http-wg@w3.org (Mailing list). Retrieved 2015-01-12.
  25. Lear, Eliot (2013-08-25). "Mandatory encryption *is* theater". ietf-http-wg@w3.org (Mailing list). Retrieved 2015-01-26.
  26. Murenin, Constantine A. (2015-01-09). "Re: Last Call: <draft-ietf-httpbis-http2-16.txt> (Hypertext Transfer Protocol version 2) to Proposed Standard". ietf-http-wg@w3.org (Mailing list). Retrieved 2015-01-12.
  27. Paul Hoffman. "draft-hoffman-httpbis-minimal-unauth-enc-01 - Minimal Unauthenticated Encryption (MUE) for HTTP-2". Internet Engineering Task Force.
  28. Mark Nottingham; Martin Thomson. "draft-nottingham-http2-encryption-03 - Opportunistic Encryption for HTTP URIs". Internet Engineering Task Force.
  29. Mark Nottingham; Martin Thomson. "draft-ietf-httpbis-http2-encryption-01 - Opportunistic Security for HTTP". Internet Engineering Task Force.
  30. 30.0 30.1 Nottingham, Mark (7 June 2014). "RFC2616 is Dead". Retrieved 20 September 2014.
  31. "HTTP/1.1, part 1: URIs, Connections, and Message Parsing - draft-ietf-httpbis-p1-messaging-00". December 20, 2007. Retrieved 20 September 2014.
  32. "Security Requirements for HTTP - draft-ietf-httpbis-security-properties-00.txt". January 23, 2008. Retrieved 20 September 2014.
  33. Nottingham, Mark (24 Jan 2012). "Rechartering HTTPbis". Retrieved 20 September 2014.
  34. Nottingham, Mark (14 Oct 2012). "Working Group Last Call for HTTP/1.1 p1 and p2". Retrieved 20 September 2014.
  35. Nottingham, Mark (23 Oct 2012). "Second Working Group Last Call for HTTP/1.1 p4 to p7". Retrieved 20 September 2014.
  36. "SPDY Protocol - draft-ietf-httpbis-http2-00". HTTPbis Working Group. November 28, 2012. Retrieved 20 September 2014.
  37. Nottingham, Mark (30 Nov 2012). "First draft of HTTP/2". Retrieved 20 September 2014.
  38. "Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing". Archived from the original on 2014-08-13. Retrieved 20 September 2014.
  39. "Last Call: <draft-ietf-httpbis-p1-messaging-24.txt> (Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing) to Proposed Standard". The IESG. 21 Oct 2013. Retrieved 20 September 2014.
  40. The IESG (12 Feb 2014). "Protocol Action: 'Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing' to Proposed Standard (draft-ietf-httpbis-p1-messaging-26.txt)". ietf-announce (Mailing list). Retrieved 18 January 2015.
  41. The RFC Editor Team (6 Jun 2014). "RFC 7230 on Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing". ietf-announce (Mailing list). Retrieved 18 January 2015.
  42. Nottingham, Mark (1 Aug 2014). "Working Group Last Call: draft-ietf-httpbis-http2-14 and draft-ietf-httpbis-header-compression-09". HTTP Working Group. Retrieved 2014-09-07.
  43. "Last Call: <draft-ietf-httpbis-http2-16.txt> (Hypertext Transfer Protocol version 2) to Proposed Standard from The IESG on 2014-12-31". Internet Engineering Task Force. 2014. Retrieved 1 January 2015.
  44. "IESG Agenda: 2015-01-22". IETF. Archived from the original on 2015-01-15. Retrieved 15 January 2015.
  45. Nottingham, Mark (4 January 2014). "Strengthening HTTP: A Personal View". Retrieved 8 October 2014. (section "Enter Snowden")
  46. Paul, Ian (10 February 2015). "Google Chrome embraces the faster, more secure next-gen HTTP 2.0 standard". PCWorld. Retrieved 13 February 2015.
  47. "Bug 1097320". Bugzilla@Mozilla. 2014-11-26. Retrieved 2015-01-24.
  48. Patrick McManus (2014-10-03). "Bug 1047594 - Enable http/2 (and alpn) by default". Bugzilla@Mozilla. Retrieved 8 October 2014.
  49. "Firefox Notes (34.0.5)". Mozilla. 2014-12-01. Retrieved 2 December 2014.
  50. Rob Trace, David Walp (October 8, 2014). "HTTP/2: The Long-Awaited Sequel". Microsoft. Retrieved 8 October 2014.
  51. Rob Trace; David Walp (October 8, 2014). "HTTP/2: The Long-Awaited Sequel". MSDN IEBlog. Microsoft Corporation.
  52. "OpenLiteSpeed 1.4.5 change log". LiteSpeed Technologies, Inc. 2015-02-26. Retrieved 26 February 2015.
  53. "LSWS 5.0 Is Out – Support for HTTP/2, ESI, LiteMage Cache". April 17, 2015.
  54. Matthew Steele (June 19, 2014). "mod_spdy is now an Apache project". Google Developers Blog.
  55. "Log of /httpd/mod_spdy". svn.apache.org. Retrieved March 2015.
  56. "Module ngx_http_spdy_module". nginx.org. Retrieved 10 February 2015.
  57. Owen Garrett (February 25, 2015). "How NGINX Plans to Support HTTP/2". NGINX Blog. Retrieved 1 March 2015.
  58. stbuehler. "lighttpd Feature #2322 - Support for SPDY protocol". Lighttpd.

External links