Fork me on GitHub
#off-topic
<
2022-06-07
>
littleli12:06:47

Yesterday HTTP/3 was finally standardized as RFC 9114 https://www.rfc-editor.org/rfc/rfc9114.html Very nice article explaining the core concepts: https://www.smashingmagazine.com/2021/08/http3-core-concepts-part1/ (TIL)

🎉 3
p-himik12:06:53

> HTTP/3 always runs over https://en.wikipedia.org/wiki/QUIC (not the https://en.wikipedia.org/wiki/Transmission_Control_Protocol of TCP/IP, which QUIC is a replacement for) > QUIC is used by more than half of all connections from the Chrome web browser to Google's servers Huh, that makes me feel old.

Martynas M14:06:37

Can you show any example webpages that use quic? How do I inspect them via dev tools?

p-himik14:06:27

My guess is that you won't see any difference. The Network tab doesn't delve deeper than the HTTP protocol.

p-himik14:06:54

So it's not about web pages, it's about clients (browsers) and servers.

dharrigan14:06:46

@U028ART884X if you use chrome (or chromium), open up the developer tools, click on the network tab, click on the right columns, add protocol (to accompany name, status, type, initiator, size, time)

dharrigan14:06:05

if the protocol is h3, then that's http/3, aka quic

👍 1
dharrigan14:06:10

you could, of course, use wireshark to capture quic traffic too

littleli14:06:55

Do you? I mean, it's always encrypted, right? So what are you going to see?

dharrigan14:06:21

Oh there are lots of things you can get from quic that is not just the content. For example, they may be interested in how the actual quic packet is constructed.

dharrigan14:06:31

It's not all about stuff on a webpage.

Martynas M14:06:41

I couldn't find it in the place you told so I went here and looked for quic: <chrome://flags/> Edit: I think I enabled it and restarted my browser but webpage https://cloudflare-quic.com/ doesn't say I have it enabled. I don't know what I'm doing. Probably I need to reboot my computer..? 😄 Firefox doesn't play along either. Edit2: the page that they show makes almost no distinction between 2 and 3rd version. It worked but you have to look for HTTP/3 and not 2. It also suggests reloading in every case which is misleading.

Wanja Hentze08:06:28

> Oh there are lots of things you can get from quic that is not just the content. For example, they may be interested in how the actual quic packet is constructed. Right, but QUIC is purposefully designed s.t. you can tell very very little about the structure of its packets by looking at the crypttext

Wanja Hentze08:06:06

This is not primarily a security feature but intended as a countermeasure against network protocol ossification. Time has shown that network protocols obey Hyrum's law very very strongly, insofar that if you make anything about your protocol easily observable to third parties (random routers, firewalls and other middleboxes), they will start relying on this always staying like it is today. That's why we can never add a new transport protocol directly on top of IP (too many middleboxes block anything that's not {TCP, UDP, ICMP}) and that's why QUIC uses UDP even though it doesn't really need it. While we can not really reverse ossification, we can hope to prevent it going any further, so that if HTTP 4 will get an even better transport protocol, it can get away with only having UDP legacy nonsense, not UDP and QUIC legacy nonsense

👍 1