2. How we got here
1996: HTTP 1.0
1999: HTTP 1.1
2009: SPDY 1.0
2015: HTTP 2.0
Trends shown along the timeline: Cloud, Mobility, Rise of the Internet as a Platform, Web 2.0
3. Why did we need HTTP 1.1?
• Caching
• Hierarchical proxy support
• Persistent connections
• Virtual host support
• TCP inefficiencies
• Authentication
• Issues with increasing size of content
1999
4. HTTP 1.1
HTTP/1.0
• Single request/response per connection
• Host header optional
• Limited support for caching
HTTP/1.1
• Multiple requests and responses per connection
• Required Host header
• Conditional caching headers
• Digest authentication and proxy authentication
• Chunked transfer encoding
• Connection header
• Enhanced compression support
HTTP/1.1 was an effort to address a number of efficiency and performance issues with HTTP/1.0.
5. HTTP 1.0 vs HTTP 1.1
[Diagram: message exchange between Client and Apps, one panel per protocol]
HTTP/1.0
May I have a picture of a house please
Hello
Hello
Sure, here you go
Thanks, bye
Hello
Bye
HTTP/1.1
Hello
May I have a picture of a house please.
Hello
Hello
Here is the house
May I also have a picture of a car.
Here is the car
Thanks, bye
Bye
7. Why did we need SPDY
• Mobile network latency
• Reduction in resource availability on mobile clients
• Residual TCP inefficiencies carried forward with HTTP 1.1
• Issues with increasing size and types of content
2009
8. SPDY
HTTP/1.1
• Single request/response at a time
• Browsers use multiple connections to achieve concurrent requests and responses
• Requests and responses are verbose
– Text based, many headers
SPDY
• Interleave multiple requests and responses in parallel without blocking on any one
• Use a single connection for multiple requests and responses in parallel
• Gzip compresses headers
• Eliminates the need for certain HTTP/1.1 page optimization techniques
• Extras:
– Introduces request priorities
– Enables content push
• SPDY requires TLS
SPDY is a protocol, defined by Google, that offers HTTP/1.1 semantics, but uses a different wire format.
10. Why do we need HTTP/2?
• Mobile network latency
• Residual TCP inefficiencies carried forward with HTTP 1.1
• Increasing size and types of content
• SPDY not under the auspices of a standards body
2015
11. Differences from SPDY
SPDY
• Gzip/deflate header compression
– Largely disabled because of CRIME
• TLS mandatory
– Uses TLS extension NPN
• No crypto strength requirements
HTTP/2
• Dedicated header compression scheme (HPACK)
• TLS optional
– Upgrade mechanism as alternative
– Uses TLS extension ALPN
• HTTP/2 requires stronger cryptography*
– Ephemeral keys only
– Preferring AEAD modes like GCM
– Minimum key sizes: 128 bit EC, 2048 bit RSA
– Enforced by browsers
HTTP/2 is based on SPDY. Here are some of the differences.
12. HTTP 1.1 vs HTTP 2
[Diagram: message exchange between Client and Apps, one panel per protocol]
HTTP/1.1
May I have a picture of a house please.
Hello
Hello
Here is the house
May I also have a picture of a car.
Here is the car
Thanks, bye
Bye
HTTP/2
May I have a picture of a house please.
Hello
And a car
Here is the house
Here is the car
And a cat
Here is the dog
Thanks, bye
Bye
May I also have a picture of a dog.
Here is the dog
And a dog
Here is the cat
Hello
14. Implications
The changes in HTTP/2, such as the move to a binary wire format rather than text, mean HTTP/1.1 and HTTP/2 are not compatible.
While the working group did not have consensus to require security (TLS or SSL), most browser implementations require security to take advantage of HTTP/2.
This means infrastructure that interacts with HTTP must be able to speak both HTTP/1.1 and HTTP/2.
This means infrastructure will be effectively blinded, as it is unable to act on encrypted traffic.
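To make the wire-format point concrete, here is an added example (not from the original slides) of how an inspection device could tell the two protocols apart on a cleartext or already-decrypted stream and read the HTTP/2 frame headers. The function names and the sample bytes are constructed for illustration; the connection preface and 9-byte frame header layout are those of RFC 7540.

```python
import struct

# Client connection preface and frame type codes as defined in RFC 7540.
H2_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"
FRAME_TYPES = {0: "DATA", 1: "HEADERS", 2: "PRIORITY", 3: "RST_STREAM",
               4: "SETTINGS", 5: "PUSH_PROMISE", 6: "PING", 7: "GOAWAY",
               8: "WINDOW_UPDATE", 9: "CONTINUATION"}
H1_METHODS = (b"GET ", b"HEAD ", b"POST ", b"PUT ", b"DELETE ",
              b"OPTIONS ", b"CONNECT ", b"TRACE ", b"PATCH ")


def classify(first_bytes):
    """Classify the first client bytes of a cleartext (or decrypted) stream."""
    if first_bytes.startswith(H2_PREFACE):
        return "h2"
    if first_bytes.startswith(H1_METHODS):
        return "http/1.x"
    candidates = (H2_PREFACE,) + H1_METHODS
    if any(c.startswith(first_bytes) for c in candidates):
        return "need-more-data"  # too short to decide yet
    return "unknown"  # e.g. a TLS record: nothing to inspect without decryption


def parse_frames(buf):
    """Parse complete HTTP/2 frames from buf; return (frames, bytes_consumed)."""
    frames, off = [], 0
    while off + 9 <= len(buf):
        # 9-byte header: 24-bit length, 8-bit type, 8-bit flags, R bit + 31-bit stream id
        hi, lo, ftype, flags, sid = struct.unpack_from(">BHBBI", buf, off)
        length = (hi << 16) | lo
        if off + 9 + length > len(buf):
            break  # payload not fully received; wait for more bytes
        frames.append({"type": FRAME_TYPES.get(ftype, hex(ftype)),
                       "length": length, "flags": flags,
                       "stream": sid & 0x7FFFFFFF})
        off += 9 + length
    return frames, off


# Constructed sample: preface, empty SETTINGS on stream 0, then a HEADERS
# frame on stream 1 with a 1-byte payload (treated as opaque here).
SAMPLE_H2 = (H2_PREFACE
             + b"\x00\x00\x00\x04\x00\x00\x00\x00\x00"
             + b"\x00\x00\x01\x01\x05\x00\x00\x00\x01\x82")
SAMPLE_H1 = b"GET /house.png HTTP/1.1\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    print(classify(SAMPLE_H1), classify(SAMPLE_H2))
    print(parse_frames(SAMPLE_H2[len(H2_PREFACE):]))
```

A device that only understands the text request line sees the HTTP/2 stream as a single odd "PRI" request followed by binary data, and sees a TLS-wrapped stream as "unknown" in either case.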