Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

HTTP/2: The future of the Web demystified

Serdar Yegulalp | March 13, 2015
Making the most of HTTP/2 will take a lot of work on the part of Web designers, IT admins, and server jockeys. Here's what to expect.

Web frameworks will need to be upgraded. Web frameworks that sport their own embedded server must be upgraded as well. If you're deploying with a large, commonly used framework, there's a good chance it already has HTTP/2 support built in, and it simply needs to be enabled by choosing the right library or passing the proper options to it. The popular Node.js framework Express, for instance, already supports HTTP/2, although proposals do not yet appear to be on the table for how to update Python's WSGI standard for HTTP/2.

Just because you upgraded to HTTP/2 doesn't mean other people have. If you're serving a site that pulls in content from third-party providers, such as a Web traffic tracking system, there's no guarantee those connections won't be served over HTTP/1.1. This will, again, theoretically make your site load slower than if you had been using HTTP/1.1.

HTTP/2 won't add encryption for you. Even if we didn't live in a post-Snowden world, mandating encryption for HTTP connections everywhere would in theory make it far harder to get away with many common kinds of attacks carried out via HTTP. In fact, there was discussion early on in the proposal process to make HTTP/2 connection encryption mandatory, but it lost out for a variety of reasons.

That said, the browser makers -- Firefox and Chrome in particular -- have elected to support HTTP/2 only over connections where TLS is present. Thus, to get the most out of HTTP/2, you're best off deploying it with an encrypted connection, lest the people who'll most benefit from it end up never using it. If the cost of a certificate is a stumbling block, the EFF and Mozilla are at work on a plan to provide free encryption certificates for all sites that want it later this year -- right around the time HTTP/2 itself has become a full-blown entity.

This is only the beginning
It's true that we're a little ways off from these issues. Many conditions still have to be satisfied: support on the client, support on the server, and support on all the infrastructure in between -- a tall set of orders to fill. Only then will we witness how HTTP/2 performs in the real world, with all the unexpected network congestion, buggy implementations, and ad hoc solutions that comes with the Web.

Old-school HTTP/1.1 won't completely disappear for a long time. The infrastructure that emerges will have to deal with both standards side-by-side, in much the same way browsers had to be compatible with HTML 4, XHTML, and HTML 5.

HTTP/2 is no panacea. In the long term, there were likely be an attempt to address what HTTP/2 itself couldn't -- or wouldn't -- touch, such as encryption by default. Some harsh criticisms have arisen over the way HTTP/2 dropped support for security by default, but it's possible that moving from HTTP/2 to HTTP/3 will make it far easier to support secure connections as a standard -- and with HTTP/2 itself the fallback for situations where that isn't possible.


Previous Page  1  2  3  4  Next Page 

Sign up for CIO Asia eNewsletters.