SSL Journal

Review of HTTP 2.0 – The Ever-Changing Web We Live In

By: Aaron Croyle

You may have heard recently that Facebook will be implementing SPDY. In that light I’d like to give you a basic understanding of the upcoming improvements to HTTP (HyperText Transfer Protocol). As you probably know, this is the protocol that moves most of the HTML documents and images around the web.

Here are a few definitions to get you up to speed:

HTTP/2.0
This is the new version of HTTP currently in development by the httpbis working group of the IETF. The last update was HTTP 1.1 as described in RFC 2616 in 1999.

TLS
Transport Layer Security is an upgrade to SSL v3.0 (Secure Sockets Layer). It operates at the transport layer to encrypt application-specific protocols such as HTTP, FTP, SMTP, etc.

TLS NPN
Next Protocol Negotiation is an extension to TLS which allows the application layer to negotiate which protocol should be performed over the secure connection in a manner which avoids additional round trips and which is independent of the application layer protocols.

HTTP/1.1 Upgrade Header
The Upgrade general-header allows the client to specify what additional communication protocols it supports and would like to use if the server finds it appropriate to switch protocols.

There are a few competing specs attempting to become blessed by the IETF as HTTP/2.0. SPDY (by Google) and HTTP Speed+Mobility (by Microsoft) are the leaders, along with Network-Friendly HTTP Upgrade. So far, only SPDY has seen real-world implementation. Each is described below:

SPDY
SPDY improves browsing in two ways: 1) SSL encryption is forced for all sites 2) Simply put, it’s just plain faster. It has the largest user base of the three HTTP/2.0 proposals and is included in Firefox 13 (June 2012) and Google Chrome (since Chrome 11 in April 2011). It’s reported that Amazon uses SPDY between the Kindle Fire Silk browser and their EC2 cloud rendering engines.

HTTP Speed+Mobility
Microsoft’s own alternative to SPDY. “The main departures from SPDY are to address the needs of mobile devices and applications.”

Network-Friendly HTTP Upgrade
Immature spec. Lacks client implementations. Focus is on reduction of header overhead by binary encoding and header reuse within streams. Note that its incompleteness was intentional as it was not meant to be a complete proposal, but rather to be used to study alternative compression and upgrade schemes.

Feature Comparison

| Feature | SPDY | HTTP Speed+Mobility | Network-Friendly HTTP Upgrade |
|---|---|---|---|
| Header Compression | Yes - Mandatory use of zlib compression | Yes - But provides a flag to disable compression of the header block. | Yes - Header names binary encoded. Grouping of headers that would be common to all messages on a single connection. |
| Multiplexing - Pipelining multiple transfers on a single connection | Yes | Yes | Yes |
| Transport Layer Encryption | Not required, but current implementations use TLS to encrypt transport | Required to be optional | Not Addressed |
| Zero Latency Upgrade | Not required, but current implementations use TLS NPN to achieve this | No - Additional round trip required for the Upgrade header | No - Additional round trip required for the Upgrade header |
| Per-request flow control - Each stream in a multiplexed connection can manage the rate at which data flows | Supported in SPDY/3 | Supported | Missing, but TBD |
| Server Push | Yes | Client must opt to enable | No |
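
To make the Header Compression row concrete, here is an added example (not from the original post or from any of the three specs). It compares compressing each header block on its own with keeping one zlib stream for the whole connection, which is how SPDY applies zlib. The header values and the plain-text serialization are constructed; SPDY's binary header block and preset dictionary are left out.

```python
import zlib

# Constructed sample: headers a browser repeats on every request of a connection.
COMMON = [
    ("host", "www.example.com"),
    ("user-agent", "Mozilla/5.0 (X11; Linux x86_64) ExampleBrowser/1.0"),
    ("accept", "text/html,application/xhtml+xml,*/*;q=0.8"),
    ("accept-encoding", "gzip,deflate"),
    ("accept-language", "en-US,en;q=0.8"),
]
PATHS = ["/", "/css/site.css", "/img/logo.png"]


def header_block(path):
    """Serialize one request's headers (simplified text form, not SPDY's wire format)."""
    pairs = [("method", "GET"), ("url", path), ("version", "HTTP/1.1")] + COMMON
    return "".join(f"{k}: {v}\r\n" for k, v in pairs).encode("ascii")


def per_message_sizes(blocks):
    """Compress every block independently: no state is carried between requests."""
    return [len(zlib.compress(b)) for b in blocks]


def per_connection_frames(blocks):
    """One zlib stream per connection, sync-flushed after each block so every
    frame can be sent and decoded as soon as it is produced."""
    comp = zlib.compressobj()
    return [comp.compress(b) + comp.flush(zlib.Z_SYNC_FLUSH) for b in blocks]


def decode_frames(frames):
    """Receiver side: frames must be fed, in order, into one matching stream."""
    decomp = zlib.decompressobj()
    return [decomp.decompress(f) for f in frames]


if __name__ == "__main__":
    blocks = [header_block(p) for p in PATHS]
    frames = per_connection_frames(blocks)
    assert decode_frames(frames) == blocks
    for raw, alone, shared in zip(blocks, per_message_sizes(blocks), frames):
        print(f"raw={len(raw):4d}  per-message={alone:4d}  per-connection={len(shared):4d}")
```

The first frame costs about as much as a stand-alone compressed block; later frames shrink sharply because the repeated headers are encoded as back-references into the shared stream. The trade-off is that sender and receiver must keep their compression state in lockstep for the life of the connection.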
