Last month a decision was made. HTTP/2 which has been in the works for quite some time, and now it is out there in the wild. What does that mean to us all?
In order to read these words here, you are already using HTTP (or more accurately, its secure variant known as HTTPS). It is the transport protocol that is used to communicate between a browser and a web server in order to fetch web pages. It is also used for doing RESTful API calls. The problem is, that the version used is HTTP/1.1, dated 1999.
For those who remember 1999:
- We had no iPhone. Or Android. Apple was minuscule and irrelevant as a company
- Nokia, on the other hand, was already a giant
- No one browsed on a phone. SMS and voice at most. And I had no mobile phone of my own (=life was good)
- Most of us used Windows 95, or Windows 98 at that time
- VMware, virtualization, Dockers, Cloud, SaaS – didn’t exist
- Nobody cared about IOT (Internet of Things)
- We just barely scratched the surface of what VoIP is – we had no Skype
- No one thought about 100 million of monthly active users. Just having a million registrations for a service was huge
- Yahoo was a force to be reckon with
- I just got married
That’s too long for a protocol to live and survive.
We’ve been patching it ever since to meet our growing needs. Be it security, interactivity, responsiveness, scale, etc.
So HTTP/2 was born, probably out of a push by Google with their homegrown SPDY protocol – a protocol they used in Chrome and their web assets to improve speed and increase server scale.
The official FAQ page of HTTP/2 does a good job of explaining the rationale behind it.
HTTP/2 had brings with it 3 main capabilities:
- Improve performance – web pages get downloaded faster and servers can scale to serve more browsers simultaneously
- Security – it is there by default (more about it later)
- Server push – a server can decide to send data to the web browser even if it doesn’t ask for it (call it clairvoyance on the part of the web server)
This will affect how developers build websites by making some of the dirty hacks they use today irrelevant. This should make live easier for everyone.
There are other aspects I am interested in though…
Security
There was a huge debate over security with HTTP/2. Many pushed towards mandating it, similar to how WebRTC has only encrypted media. Others wanted to have a non-secure option – either because they saw it as an overhead tax to pay in resources, the need to pay for SSL certificates or just because they wanted sniffing rights.
In the last minute, it was decided to drop the mandatory encryption from HTTP/2.
The funny thing is, that the companies that matter decided to implement HTTP/2 only in its secure variant: Chrome, Firefox AND Internet Explorer all have only a TLS based HTTP/2. This may change – some of these browser vendors may have implemented only the secure variant because that’s was the general intent prior to the publication of the final HTTP/2 draft. Some may decide to leave it as is – working towards a more private internet for the end users.
The sad thing is that these browser vendors may change their mind – and also with anything related to Apple – we are clueless as to their plans.
Another aspect that didn’t make it into HTTP/2 is Opportunistic Encryption, a topic I’ve written about on TechTarget recently.
Signaling protocols
Signaling protocols can use multiple transports. Just talking to WebRTC vendors, I’ve noticed those doing REST, XHR, SSE and BOSH. These all run on top of HTTP. Many have moved to using Websocket instead.
Will the new capabilities of HTTP/2 compete with Websocket in getting developers back to using signaling on top of it? Would developer start using the server push capability for bidirectional requests? Only time will tell.
My feeling is that HTTP/2 breathes new life into HTTP and as an extension to REST based APIs – reducing the need for Websocket for some.
So how do you go about adding HTTP/2 to your website?
You don’t. If you are “small” enough and all you have is a website, then rely on others. For this website of mine, I am using CloudFlare. They offer a CDN service with a free tier. This speeds up my website and reduces the load on the hosting service I use (which makes me pay less). CloudFlare are busy implementing the latest technologies out there. They have SPDY running, and will probably switch to HTTP/2 soon.
This means I don’t even care if my web hosting vendor will support it or not – I am covered.
If you have something a bit more complex in mind, or you want to take advantages of some of the more advanced capabilities that HTTP/2 brings, you may need to have to implement it on your own.
Why is it important?
If you are working with anything that requires web, then this is something you should know and decide how to deal with.
It also affects how mobile apps are built, as most of them use REST (running on top of HTTP) to communicate with their server.
In a way, it affects everyone…