Mark Nottingham: HTTP/2 is Done
16 years after HTTP/1.1, it was about time we got something new.
Firefox 36 beta: “Support for the full HTTP/2 protocol. HTTP/2 enables a faster, more scalable, and more responsive web.”¹ Firefox 36 will be released as stable 24 February.²
¹ https://www.mozilla.org/en-US/firefox/36.0beta/releasenotes/
² https://wiki.mozilla.org/Releases#Based_on_Gecko_36
Firefox 36 has been released, with support for “the full HTTP/2 protocol”. https://www.mozilla.org/en-US/firefox/36.0/releasenotes/
Chrome, even 43 Canary, currently supports only draft 14 (h2-14). Google’s servers currently support h2-14 and h2-15. https://twitter.com/ supports the final version (h2): How the Java Virtual Machine Works - An Inside Look - SpdyCheck
Question, why is it “HTTP/2” and not “HTTP2” or “HTTP 2”? Just wondering.
Edit: I mean, I think it looks better, but is there any practical reason that I’m not thinking about?
I don’t know why there is a /, but I know it’s not new:
https://tools.ietf.org/html/rfc2616
https://tools.ietf.org/html/rfc2068
https://tools.ietf.org/html/rfc1945
HTTP/2 was called “HTTP/2.0” in the first nine drafts, and “HTTP/2” beginning with the tenth: https://tools.ietf.org/html/draft-ietf-httpbis-http2-10
SPDY also has /. SPDY/1, SPDY/2, SPDY/3, SPDY/3.1, SPDY/4 (= HTTP/2).
Not only HTTP/2 has recently been approved by the IESG.
Yesterday (24 February) draft-irtf-cfrg-chacha20-poly1305-10 and draft-ietf-tls-downgrade-scsv-05 were approved.
TLS Fallback Signaling Cipher Suite Value (SCSV) for Preventing Protocol Downgrade Attacks became popular as a POODLE-mitigation. It prevents downgrade to a lower TLS-version or SSL (if supported).
ChaCha20 and Poly1305 is a fast and secure ciphersuite, one of two that can be used with HTTP/2. It has been supported by Chromium (using a patched version of NSS) and Google’s servers for some time¹. Recently CloudFlare began using it. Now that ChaCha20 and Poly1305 is approved, support will be implemented upstream in NSS, which will bring support to Firefox and Chromium on Linux (which uses the system’s NSS-library).
Support for the final version of HTTP/2 (h2) was added to Chromium 9 March¹, and is available in Chrome Canary. h2-14 is also supported. I guess h2 will be supported by this week’s Chrome Dev.
Sites using h2:
https://h2duo.cloudapp.net/
https://twitter.com/
¹ https://chromium.googlesource.com/chromium/src/+/bfa20e6cbe5fcd30909b3e271005a527526385d9
[attachment deleted by admin]
Chrome Dev 43.0.2334.0 has been released, with support for h2.
One more site using h2 (and h2-14, h2-16): https://nghttp2.org/
SPDY indicator is an extension that shows which protocol (HTTP/2, SPDY, QUIC) is used.
[attachment deleted by admin]
HTTP/2 and HPACK (Header Compression for HTTP/2) are now in AUTH48 state (Authors’ Final Review).
Here they are.
RFC 7540, Hypertext Transfer Protocol Version 2 (HTTP/2)
RFC 7541, HPACK: Header Compression for HTTP/2
A related draft was published last week: QUIC: A UDP-Based Secure and Reliable Transport for HTTP/2
More on QUIC:
Wikipedia: QUIC - Wikipedia
Chromium Projects: QUIC, a multiplexed transport over UDP
Chromium Blog: experimenting-with-quic.html | a-quic-update-on-googles-experimental.html
CloudFlare Blog: HTTP/2 is here! Goodbye SPDY? Not quite yet
Compare HTTP/1.1 and HTTP/2: Cloudflare Web Optimization | Improve Page Speed
More on HTTP/2: https://www.cloudflare.com/http2/what-is-http2/
Usage is now 2,5 %: HTTP/2 vs. SPDY usage statistics, April 2023
HTTP/2 is now used more than SPDY: HTTP/2 vs. SPDY usage statistics, April 2023
Chromium will soon drop support for SPDY: Chromium Blog: Transitioning from SPDY to HTTP/2
IE and Edge on Windows 10 support HTTP/2 but not SPDY.
[attachment deleted by admin]
RFC 7540 turns one year! 
Or rather did last night, 2015-05-14, at 23:07:33 UTC. 
That is when RFC 7540 on Hypertext Transfer Protocol Version 2 (HTTP/2) was sent.
HTTP/2 is now used by 7,5 % of all sites, while SPDY is used by 7,0 %.
49,2 % of all sites with a certificate from Comodo support HTTP/2. I believe CloudFlare has something to do with that.
Seven out of the ten most visited domains support HTTP/2.
[ol]- Google.com: HTTP/2
- Youtube.com: HTTP/2
- Facebook.com: HTTP/2
- Baidu.com
- Yahoo.com: HTTP/2
- Wikipedia.org: HTTP/2
- Amazon.com
- Twitter.com: HTTP/2
- Qq.com
- Google.co.in: HTTP/2[/ol]
Wikimedia enabled HTTP/2 2016-05-04.
[attachment deleted by admin]
HTTP/2 is now used by 10 % of all sites: https://w3techs.com/technologies/details/ce-http2/all/all
Given that HTTP/2, the way it is implemented in browsers, requires TLS, and most sites do not even have a valid certificate, 10 % is not that bad. It is also used by many of the most visited sites, which means that much more than 10 % of all traffic is delivered with HTTP/2.
HTTP/2 is rather specific with its TLS-requirements, which means that when HTTP/2 is used, a modern TLS-configuration (TLS 1.2 or higher, authenticated encryption, forward secrecy) is always used.
HTTP/2 is meant to be fast, and becomes even faster (reduced latency) when used over TLS 1.3, which is still a draft. Cloudflare, however, has already begun using TLS 1.3: Introducing TLS 1.3
From Chrome’s security information when connecting to a Cloudflare site (requires Chrome 54+ with TLS 1.3 enabled):
“The connection to this site is encrypted and authenticated using a strong protocol (TLS 1.3), a strong key exchange (ECDHE_ECDSA), and a strong cipher (CHACHA20_POLY1305).”