HTTP/3: An Introduction to the Next Generation Web Protocol


Move over HTTP/2; there's a new kid on the block.

HTTP/3 is finally here, and everybody's talking about it. Well, it's actually been here for a while.

Google, Mozilla, Facebook, and other internet giants have been using this latest iteration of the hypertext transfer protocol for well over a year already to speed up the delivery (and security) of their products, and it started with Cloudflare's announcement of support on their edge network back in 2019.

What is HTTP/3?

In simple terms, HTTP/3 is the third version of HTTP. Originally dubbed HTTP/2 Semantics Using The QUIC Transport Protocol and later shortened to HTTP-over-QUIC, some intelligent guys quickly worked out that HTTP/3 was less of a mouthful, and here we are.

HTTP/3 uses QUIC (Quick UDP Internet Connections), which was originally developed by Google in 2012 as an experiment and the successor to SPDY (HTTP/2).

QUIC is a reliable, secure transport protocol that reduces latency, while HTTP/3 is the mapping of HTTP semantics on top of QUIC. This means that they're being developed and deployed in tandem.

Google reported that QUIC reduces latency of their search responses by 8.0% for desktop users (3.6% for mobile users) and reduces rebuffer rates of YouTube playbacks by 18.0% for desktop users (15.3% for mobile users).

QUIC is widely deployed and currently accounts for over 30% of Google's total egress (outbound) traffic in bytes and an estimated 7% of global internet traffic -- it is now a core part of their serving infrastructure.

Why is HTTP/3 important?

It's the newest version of the HTTP protocol, and it's the foundation of data exchange across the web between the client and server. With HTTP/1.1, the security layer was optional and rarely used on regular websites. It wasn't until Google and other search engines announced HTTPS as a slight ranking factor that adding the security layer became popular.

HTTP/3 enables faster, more reliable web connections that are more secure. In particular, it improves the data transfer of multiple files simultaneously (such as every time a website loads).

And, security is baked in by default using end-to-end encryption with TLS 1.3, with no option to disable it.

Maybe it's obvious, but faster websites equal better page load time, which of course, helps SEO.

What makes it different from HTTP/2?

HTTP/3 simplifies connection setup by moving away from the TCP handshake, which is a 3-way handshake. The TCP handshake is a verification process between the client and the server that starts with a request from the client, is acknowledged by the server, and is responded to by the client.

After these three steps are completed, a communications channel is established, and the client can now connect to the server to send and receive data. The advantage of speeding up this process with the QUIC protocol is that HTTP/3 is faster at establishing connections.

Instead of using TCP as the transport layer for each session, HTTP/3 uses QUIC, which upgrades the TCP slow start. This is going to be huge for gameplay and video streaming.

QUIC is fantastic because:

  • QUIC streams share the same connection; no additional handshakes are needed to create new ones
  • QUIC streams are delivered independently, so packet loss that affects one stream won't affect any others
  • QUIC updates are independent and are not tied to OS updates (as is the case with TCP)
  • HTTP-level streams are mapped on top of QUIC streams, so you get all of the benefits of HTTP/2 without the lag
  • It combines the TCP 3-way handshake with the TLS 1.3 handshake, so you get a connection where encryption and authentication are provided by default (and the connection is established much faster).

While it's true that some HTTP/2 features could be mapped on top of QUIC, it's not a good solution for all of them, and that's where HTTP/3 comes in.

What are the benefits of HTTP/3?

Of course, staying up-to-date with the latest protocols will give you the best internet experience, both in terms of performance and security.

But what is it about HTTP/3 that we should be getting excited about?

These are the top 3:

  • Default encryption: all connections are automatically encrypted, and the connection establishment is faster because the connection no longer goes through the traditional TCP handshake and TLS negotiation combination.
  • Improved performance: head-of-line blocking is eliminated with HTTP/3, which, along with zero round trip time connection establishment, loss recovery simplification, and other changes, improves the connection performance (especially for mobile devices, which often operate in sub-optimal network conditions).
  • Network migration support: connections can move across IP addresses and networks without experiencing interruptions.

What does this all mean in plain English? Quicker time-to-first-byte, much faster round-trips for data, and enhanced security, in what will become the default transfer protocol across the web.

When can you expect HTTP/3?

You're already using it without knowing…

As I've already mentioned, HTTP/3 has been used by Google, Mozilla, and Facebook, among others, since late 2019 as an experimental feature, and it is currently their default web protocol in most cases.

Unfortunately, changing an internet protocol, especially one designed to replace the TCP handshake, requires interoperability where all communicating entities are, in essence, speaking the same language.

The Internet is a multi-vendor ecosystem, which means that communication involves implementing the same protocol across vendors. This puts the onus on vendors to fully build and roll out QUIC implementations to facilitate interoperability and requires open, ongoing communication between vendors.

In terms of the web, browsers that support HTTP/3 include:

  • Google Chrome: HTTP/3 is now enabled by default.
  • Microsoft Edge: using Chrome's networking stack, Microsoft follows Chrome's support of the HTTP/3 protocol.
  • Mozilla Firefox: HTTP/3 is now enabled by default.
  • Apple Safari: support for HTTP/3 can be manually enabled.

What about NGINX support for QUIC and HTTP/3?

We're quietly excited about NGINX's offering -- their roadmap was slated to fully introduce QUIC into their mainline branch by the end of 2021.

And although they emphasize that the technology preview is to be considered experimental (not for production use) until full integration and until the QUIC standard is finalized, it can be compiled and enabled using three modules: http_v3_module, http_quic_module, and stream_quic_module.

A significant note is that OpenSSL does not yet support the QUIC protocol. However, you can implement HTTP/3 on NGINX by building from source using BoringSSL. And who created BoringSSL? You guessed it, Google.

EDIT: As of OpenSSL 3.3.1, the QUIC protocol is available to compile with Nginx. 

If you decide to enable the protocol, doing so is simple using familiar NGINX configurations. You can follow the diagram from the resources below (and if you need further assistance, look at the recommended config here).

Below is a very quick NGINX config and server implementation example. Of course, this server block needs to be integrated with your other configuration settings.

server {
 
 # UDP listener for QUIC+HTTP/3
 listen 443 quic;
 listen [::]:443 quic;

 # TCP fallback listener for HTTP/2
 http2 on;
 listen 443 ssl;
 listen [::]:443 ssl; 
 
 # QUIC requires TLS 1.3
 ssl_protocols TLSv1.3; 
 ssl_certificate ssl/www.example.com.crt;
 ssl_certificate_key ssl/www.example.com.key;

 # Advertise that QUIC is available (the Alt-Svc response header)
 add_header Alt-Svc 'h3=":443"; ma=864000';
}

Important note: my extensive testing shows the ordering of the quic and ssl directives does matter.

With the above nginx config, the client (browser) will try QUIC first; http3 on; is unnecessary here because it is enabled by default. The client will then fall back to HTTP/2 if QUIC is unavailable in the browser. Here http2 on; is necessary because HTTP/2 is disabled by default, and without it the connection will fall back to HTTP/1.1.
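
To verify what a server actually advertises, the following added example (not part of the original article or of NGINX) parses an Alt-Svc response header value using the RFC 7838 syntax and reports whether HTTP/3 is offered. The function names and sample values are constructed for illustration; a missing header name or missing quotes in the value shows up here as a parse error or a negative result.

```python
import re

# alternative = protocol-id "=" quoted "[host]:port", then ";name=value" parameters
ENTRY = re.compile(
    r'\s*([!#$%&\'*+\-.^`|~\w]+)="([^"]*)"'
    r'((?:\s*;\s*[\w-]+=(?:"[^"]*"|[^\s;,"]+))*)\s*(?:,|$)')
PARAM = re.compile(r'([\w-]+)=(?:"([^"]*)"|([^\s;,"]+))')
DEFAULT_MAX_AGE = 86400  # RFC 7838: considered fresh for 24 hours when "ma" is absent


def parse_alt_svc(value):
    """Parse an Alt-Svc header value into a list of alternative-service dicts."""
    value = value.strip()
    if value == "clear":  # tells the client to drop every cached alternative
        return []
    entries, pos = [], 0
    while pos < len(value):
        m = ENTRY.match(value, pos)
        if m is None:
            raise ValueError(f"malformed Alt-Svc value at offset {pos}: {value[pos:]!r}")
        proto, authority, params = m.groups()
        host, sep, port = authority.rpartition(":")  # host may be empty (same origin)
        if not sep or not port.isdigit() or not 0 < int(port) < 65536:
            raise ValueError(f"bad alt-authority {authority!r}")
        entry = {"protocol": proto, "host": host, "port": int(port),
                 "max_age": DEFAULT_MAX_AGE, "persist": False}
        for name, quoted, token in PARAM.findall(params):
            val = quoted or token
            if name == "ma":
                if not val.isdigit():
                    raise ValueError(f"bad ma value {val!r}")
                entry["max_age"] = int(val)
            elif name == "persist":
                entry["persist"] = val == "1"
        entries.append(entry)
        pos = m.end()
    if not entries:
        raise ValueError("empty Alt-Svc value")
    return entries


def advertises_h3(value, port=443):
    """True if final HTTP/3 ("h3") is offered on `port` with a non-zero lifetime."""
    return any(e["protocol"] == "h3" and e["port"] == port and e["max_age"] > 0
               for e in parse_alt_svc(value))


if __name__ == "__main__":
    # Constructed sample: the value sent by the server block above
    print(parse_alt_svc('h3=":443"; ma=864000'))
```
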
 

HTTP/3 going forward…

By all accounts, site owners are likely to speed up their QUIC and HTTP/3 rollout, and the combination looks set to become the standard web protocol into 2022 and beyond.

A quick tool to check whether your website supports HTTP/3 can be found here. Your website hosting company should (at a minimum) support HTTP/2, which can also be tested and should successfully be supported as a fallback. 
 

If you're using our managed web hosting services, HTTP/3 is fully integrated into our web hosting as of July 4th, 2024!