5 things I learned about HTTP2 in an afternoon

This is a blog post for my future self as a reference for what I learned by googling and reading around the topic of networks and HTTP2.

What problems does HTTP2 try to solve?

In general, the web has a couple of issues today that people try to fix:

Performance -> Slow websites, either on mobile devices, remote areas or bloated web apps themselves
Data usage -> There are still countries where people pay for bytes that go over the air
Power consumption -> The power consumption has direct link to CO2 emission, which data centers try to keep low
Privacy -> Is the web secure? Is your privacy secure?

Lets deep dive into the technical world... (photo from http://gratisography.com/ )

When we look at performance from a technical point of view, there are some issues like:

Latency of the Internet

-> Round Trip Time of bytes is still not great
RTT via ping (ICMP) from Los Angeles to Zurich is about 150ms https://wondernetwork.com/pings/Los+Angeles/Zurich
If you consider the speed of light and the distance from Los Angeles to Zurich, this is not bad. A calculated RTT directly from L.A. to Zurich should be around 30ms

Establishing 1 connection is slow

TCP has a 3-way handshake that is slower than the ICMP ping. https://serverfault.com/a/210850
Establishing lots of those connections to consume a website should be avoided obviously.

The web is bloated

HTML, JS, CSS, Images,
All those things are huge in modern websites but don't need to be
--> It's our job as developers to keep this reasonable!!
HTTP Headers are bloated

Figure: Bloated HTTP Headers, more samples on https://blog.fefe.de/?ts=aa031bbb

What problems of the above does HTTP2 try to solve?

The 3 problems above are addressed by HTTP2, but HTTP2 introduces new problems. More to that later...

HTTP 1.1 solved 2 issues

1. Feature: Connection Keep-Alive

Figure: HTTP Connection Keep-Alive from https://en.wikipedia.org/wiki/HTTP_persistent_connection

Solves the problem of lots of little connections that are slow to establish.

--> This is used a lot around the world and improved performance a lot.

2. HTTP1.1 Feature: HTTP Pipelining

Figure; HTTP1.1 Pipelining Visualization, from https://en.wikipedia.org/wiki/HTTP_pipelining

Solves the latency problem, so that a client can request many resources in 1 batch of requests.

The downside of HTTP1.1 Pipelining

The server needs to respond in the same order that the requests came in. This means the server needs to have some sort of state to manage that. This increases complexity on the server side and allows potential DoS attacks.
A DoS attack could be launched by sending 100 requests to a server and then idling on the client, the server has no chance to detect if this 100 requests are legit or not
Head of line Blocking: A potential slow first response blocks all subsequent responses

Because these issues, HTTP Pipelining failed to gain adoption.

Now comes HTTP2 onto the field with SPDY as its predecessor.

First, what is HTTP2?

The main focus of HTTP2 was to improve end-user perceived performance, the 3 technical performance points above.

HTTP2 is not a ground up rewrite of the HTTP protocol.
It includes the following features:

is binary, instead of textual
is fully multiplexed, instead of ordered and blocking

can, therefore, use 1 connection for parallelism

uses header compression to reduce overhead
allows servers to “push” responses proactively into client caches

All the details are nicely explained in the very readable specification on https://http2.github.io/. See the references for more details.

What new problems are there with HTTP2?

Server side complexity

Header compression and Connection State Handling are hard

This causes complex website configurations
Buggy Webserver (and remember they have a huge attack surface)
More CPU consumption and CO2 emissions

1 connection as single point of failure

With HTTP1 you can lose some connections and the site still loads ok-ish, depending from what you loose
With HTTP2 if you lose that connection, the whole thing is gone

The politics around the specification hindered innovation.

Sadly HTTP2 is a missed opportunity to fix more of the issues mentioned at the beginning

What did you learn about HTTP2 recently?
Do you care about HTTP2? Something you were waiting for?

References:

https://http2.github.io/
https://blog.fefe.de/?ts=aa031bbb
http://queue.acm.org/detail.cfm?id=2716278

https://varvy.com/performance/tcp-connection-time.html

http://royal.pingdom.com/2007/06/01/theoretical-vs-real-world-speed-limit-of-ping/
http://jkle.in/http2
https://hpbn.co/http2/

2 comments:

home special service said...: Some changes in the technical world should be aimed at solving the priority problems. The security of user data should be on the first place.; 30 July, 2019 20:21
Peter Gfader said...: Yes I agree. User data security and Privacy thereof should be higher on the priority list!; 01 August, 2019 12:42

Peter Gfader 's Blog