Avoiding HTTP/3 (for a while) as a pragmatic default

April 1, 2023

I imagine that you've heard of HTTP/3 by now; as Wikipedia describes it, it's "the third major version of the Hypertext Transfer Protocol used to exchange information on the World Wide Web". I'm generally a quiet enthusiast of adopting new HTTP things when we can (we've been reasonably prompt to add HTTP/2 to our Apache web servers when it was possible), but with HTTP/3 I think we're likely to take a much more cautious and slow approach even once HTTP/3 support is available for Apache. This is because HTTP/3 is unlike previous versions in one important way.

One of the unusual things about HTTP/3 is that it doesn't use TCP but instead a new network transport protocol, QUIC, and QUIC operates over UDP. Operating over UDP instead of TCP has a number of consequences; for example, firewalls need adjustments to let 'QUIC' traffic through and the path your QUIC traffic takes may be different than your TCP HTTP traffic. All of this creates many opportunities for different things to happen with HTTP/3 requests than with your TCP HTTP requests. Some of these different things will be one version working and the other not, and since HTTP/3 is the newer and less common version, it's the version most likely to not work.

We're not a large group of people, and we don't have a big environment where we have a lot of visibility into how traffic moves through the broad Internet. If there is an HTTP/3-specific networking issue between our web servers and people making requests to them, it's going to be basically opaque to us, especially if people reporting problems can't even see whether or not they're using HTTP/3 (which they probably can't; you have to go well out of your way to see this in Firefox, for example). With limited people and limited resources to debug problems, the conservative approach is to avoid having them entirely by not offering HTTP/3 in its relatively early days.

How long will it take for HTTP/3 to be reliable for random people in random network environments (including reliably and detectably not working)? I don't know, but I certainly don't expect it to happen right away once HTTP/3 becomes available for Apache and other common web servers.

(I'm also uncertain about how much HTTP/3 usage there is among the big players like Google, Cloudflare, and so on. They matter because they have the resources to spot and track problems specific to HTTP/3, and to get network path problems resolved. If you can't reach us because of something in your ISP, we have a problem; if you can't reach GMail for the same reason, your ISP has a problem.)

PS: All of this is of course academic until Ubuntu's version of Apache supports HTTP/3. We're quite unlikely to switch web servers to get HTTP/3, even if Apache takes much longer than other web servers to add support.


Last modified: Sat Apr 1 22:36:02 2023