Mar 102015

The HTTP Working Group of the IETF (Internet Engineering Task Force) has approved on 17-Feb-2015 version 2 of the HTTP protocol (Hypertext Transfer Protocol 2 specification).  This new version will gradually replace the older HTTP/1.0 and HTTP/1.1 versions, that for many years have been one of the basic building blocks of the web (HTTP/1.1 was approved on 1999).

Together with HTTP/2, the Working Group has approved the HPACK specification for the compression of HTTP/2 headers.

This new version of the HTTP protocol is intended to solve the shortcomings of the previous versions, by implementing several improvements, as explained in this post.

Multiple streams over a single TCP connection

For most websites, a single page may use from 80 to more than 100 resources: images, stylesheets, javascript libraries…

In HTTP/1.0, a distinct TCP connection needed to be established for each of them.

In HTTP/1.1, a single connection can be used to download several resources, but in this case resources are downloaded sequentially, one after the other. For this reason, the mainstream browsers (Firefox, Chrome, Safari, IE) still establish several concurrent connections to the server, to download resources in parallel. Each connection uses network resources, and requires an additional setup time that is added to the total page download time.

In HTTP/2, this issue is solved setting up a procedure to perform the transfer of multiple streams over a single TCP connection,. Thus, each resource can be requested and retrieved over a stream, and resources slow to be delivered do not interfere with the delivery of lighter resources.

To be able to download all resources for a given page over a single connection, the HTTP/2 specification recommends that implementations of this protocol in browsers and web servers allow for at least 100 streams per connection.

Binary protocal and push streams

Another relevant difference between HTTP/2 and HTTP/1.x is the fact that HTTP/2 messages are sent a binary frame sequences.

Besides, in HTTP/2 the server can start the delivery of some content required for the page requested, without having to wait for a request from the client to arrive.

TLS Encryption

A large part of the HTTP/2 specification is based on the SPDY protocol developd by Google. SPDY enforced the use of TLS (Transport Layer Security ) encryption, but in HTTP/2 encryption has been kept as optional. Anyway, most software vendors have announced that their implementations will only support HTTP/2 on TLS.

HPACK Compression

For many years, gzip has been the format chosen to compress HTTP messages. But a vulnerability of this format, known as CRIME (Compression Ratio Info-leak Made Easy), was discovered in 2012

To avoid this vulnerability, the IETF HTTP Work Group has elaborated the specification of a new compression format: HPACK.

HPACK is specifically designed for the compression of HTTP/2 headers, while gzip is a general purpose compresssion format.

HTTP/2 Support

The main software vendors are already working on new versions of their products with support for HTTP/2.

The browsers Chrome 40 and Firefox 36 will include this version of the HTTP protocol, and the most popular web servers, such as Apache, are also implementing HTTP/2 in new versions of their products.


 Posted by at 9:59 am

 Leave a Reply