What is the HTTP/3 protocol and why are Chrome and Firefox adding it?

According to web applicatioin security specialists, more and more companies are integrating support for HTTP/3, the next iteration of the HTTP protocol. Among the web browsers that have already joined this update are Google Chrome, Mozilla Firefox, besides Internet security systems like Cloudflare.

In the case of Cloudflare, from this weekend customers will be able to enable an option on their dashboards to enable HTTP3 support in their domains, the company reported. In other words, when users visit Cloudflare websites from an HTTP/3-supported client, the connection will automatically update to the new protocol, leaving previous deployments behind.

Regarding browsers, web application security experts mention that Chrome Canary has added support for the HTTP/3 protocol for a couple of weeks now. To turn it on, users should only use a command line. On the other hand, Mozilla also announced the inclusion of support for HTTP/3; the release is scheduled for the end of this fall along with the latest version of Firefox Nightly.

What exactly is HTTP/3?

HTTP/3, or HTTPv3, will be the next major version of the HTTP protocol for moving content from servers to clients through web applications, browsers, mobile apps, and more. For this new release, HTTP full protocol was rewritten, which uses the QUIC protocol instead of TCP. It also includes support for TLS.

Web application security specialists mention that HTTPv3 is the conjunction of different deployments that function as a single to make website loading faster and using encrypted connections by default.

To understand HTTP/3, it is important to understand the OSI network model. By default, HTTP (Layer 7 protocol) uses TCP (Layer 4) as the basis. In turn, TCP is used to negotiate connections between client and server and then move data between the two parties, so it is considered a transport protocol.

However, the TCP protocol was designated in the 1970s, so over time it was proven that it was not designed with transport speed in mind.  Multiple specialists tried to design a more efficient protocol. Google experts managed to create SPDY, a protocol that solved some of TCP’s flaws and ultimately officially became HTTP/2, used on about 40% of all Internet sites today.

Google engineers later discovered that it was possible to combine various implementations, such as TCP and UDP, for the creation of a completely new protocol. This was how Quick UPD Internet Connections (QUIC), a much faster Layer 4 transport protocol, was born. 

Simply put, the HTTP/3 protocol is the same as implementing QUIC inside HTTP, replacing TCP and SPDY at the transport level. According to web application security specialists at the International Cyber Security Institute (IICS), HTTPv3 was formally approved from October 2018, although there is still time for companies to integrate support and adopt its use. At the moment, approximately 3% of all existing websites have adopted HTTPv3, so the process could be lengthened.