The Internet Engineering Task Force (IETF) published the RFC for HTTP/3, the third version of hypertext transport protocol. The HTTP/3 protocol has received RFC 9114 standardization a major boost for internet security. But a hurdle for web developers.
The HTTP protocol is the backbone of the web, acting as an application layer for facilitating communication between servers and browsers, fetching resources, and transferring data. HTTPS is HTTP with additional security via encryption.
HTTP/3 is the latest revision of the HTTP protocol. HTTP/3 is designed to address some of the performance issues inherent in HTTP/2, improving the user experience, decreasing the impact of packet loss without head-of-line blocking, speeding up handshake requirements, and enabling encryption by default. It utilizes space congestion control over User Datagram Protocol (UDP).
One of the major differences in HTTP/3 is QUIC. Developed by Google, Quick UDP Internet Connections (QUIC) was adopted by the IETF, and a tailored version provides a cornerstone of HTTP/3.
Implementing QUIC sets up encrypted connections by default at the transport layer, combining handshakes into one action and encrypting the metadata exchanged between connections.
Packet numbers and header information is, removed from eavesdroppers and attackers. This improvement might potentially lower the success of manipulator-in-the-middle (MitM) attacks, IP spoofing, and denial-of-service assaults.
Encryption at the transport layer isn’t the end of the story. Akamai says that as HTTP/3 runs on QUIC, this also paves the way for future innovations in encrypted transport and communication – as we’ve already seen with the QUIC Datagram extension (RFC 9221), a technology to manage both UDP and TCP traffic securely.
The protocol also supports zero round-trip time (0-RTT), introduced in TLS 1.3, which skips the handshake requirement in trusted settings, with the downside being that this could lead to replay attacks without adequate protection.
Support for HTTP/3 has been rolled out gradually across major browsers including Google Chrome, Mozilla Firefox, and Microsoft Edge. Apple Safari also provides support and must be enabled in the ‘Experimental Features’ tab in the developer menu.
Most of the online traffic is facilitated by HTTP/2. Most current HTTP/3 requests are made by Chrome users, followed by Edge and Firefox. Safari volumes are minimal, but Cloudflare expects an uptick once Apple enables HTTP/3 to support by default.
At present, its been estimated 8% of internet traffic is HTTP/1-based, followed by HTTP/2 at 67%, and HTTP/3 at 25%.