5 things I learned about HTTP2 in an afternoon

This is a blog post for my future self as a reference for what I learned by googling and reading around the topic of networks and HTTP2.

What problems does HTTP2 try to solve?

In general, the web has a couple of issues today that people try to fix:
  1. Performance -> Slow websites, either on mobile devices, remote areas or bloated web apps themselves 
  2. Data usage -> There are still countries where people pay for bytes that go over the air
  3. Power consumption -> Power consumption has a direct link to CO2 emissions, which data centers try to keep low
  4. Privacy -> Is the web secure? Is your privacy secure?
Let's deep dive into the technical world... (photo from http://gratisography.com/ )



When we look at performance from a technical point of view, there are some issues like:
  1. Latency of the Internet 
    1. -> Round Trip Time of bytes is still not great 
    2. RTT via ping (ICMP) from Los Angeles to Zurich is about 150ms https://wondernetwork.com/pings/Los+Angeles/Zurich
      If you consider the speed of light and the distance from Los Angeles to Zurich, this is not bad. A calculated RTT directly from L.A. to Zurich should be around 30ms
  2. Establishing 1 connection is slow
    1. TCP has a 3-way handshake that is slower than the ICMP ping. https://serverfault.com/a/210850
    2. Establishing lots of those connections to load a website should obviously be avoided.
  3. The web is bloated
    1. HTML, JS, CSS, Images
      All those things are huge in modern websites but don't need to be
      --> It's our job as developers to keep this reasonable!!
    2. HTTP Headers are bloated 

Figure: Bloated HTTP Headers, more samples on https://blog.fefe.de/?ts=aa031bbb

What problems of the above does HTTP2 try to solve? 

The 3 problems above are addressed by HTTP2, but HTTP2 introduces new problems. More on that later...
  
  

HTTP 1.1 solved 2 issues

1. HTTP1.1 Feature: Connection Keep-Alive



Figure: HTTP Connection Keep-Alive from https://en.wikipedia.org/wiki/HTTP_persistent_connection

Solves the problem of lots of little connections that are slow to establish.
--> This is used a lot around the world and improved performance a lot.

2. HTTP1.1 Feature: HTTP Pipelining

Figure: HTTP1.1 Pipelining Visualization, from https://en.wikipedia.org/wiki/HTTP_pipelining

Solves the latency problem, so that a client can request many resources in 1 batch of requests.

  
The downside of HTTP1.1 Pipelining
  1. The server needs to respond in the same order that the requests came in. This means the server needs to keep some sort of state to manage that, which increases complexity on the server side and allows potential DoS attacks.
  2. A DoS attack could be launched by sending 100 requests to a server and then idling on the client. The server has no chance to detect whether these 100 requests are legit or not.
  3. Head-of-line blocking: A potentially slow first response blocks all subsequent responses.
Because of these issues, HTTP Pipelining failed to gain adoption.

Now comes HTTP2 onto the field with SPDY as its predecessor.



First, what is HTTP2?

The main focus of HTTP2 was to improve end-user perceived performance, i.e. the 3 technical performance points above.

HTTP2 is not a ground up rewrite of the HTTP protocol.
It includes the following features:
  • is binary, instead of textual
  • is fully multiplexed, instead of ordered and blocking
    • can, therefore, use 1 connection for parallelism
  • uses header compression to reduce overhead
  • allows servers to “push” responses proactively into client caches

All the details are nicely explained in the very readable specification on https://http2.github.io/. See the references for more details.

  

What new problems are there with HTTP2?

  • Server side complexity
    • Header compression and Connection State Handling are hard
      • This causes complex website configurations
      • Buggy Webserver (and remember they have a huge attack surface)
      • More CPU consumption and CO2 emissions
  • 1 connection as single point of failure
    • With HTTP1 you can lose some connections and the site still loads ok-ish, depending on what you lose
    • With HTTP2 if you lose that connection, the whole thing is gone
  • The politics around the specification hindered innovation.
    • Sadly HTTP2 is a missed opportunity to fix more of the issues mentioned at the beginning
What did you learn about HTTP2 recently?
Do you care about HTTP2? Something you were waiting for?



References:

2 comments:

home special service said...

Some changes in the technical world should be aimed at solving the priority problems. The security of user data should be in first place.

Peter Gfader said...

Yes I agree. User data security and Privacy thereof should be higher on the priority list!
