HTTP/2 promises better performance -- but with security caveats

Maria Korolov | Dec. 19, 2016
No security problems have been found in the HTTP/2 protocol itself, but it's worth waiting for everything to shake out

The new Internet communication protocol, HTTP/2, is now being used by 11 percent of websites -- up from just 2.3 percent a year ago, according to W3Techs.

The new protocol does offer better performance, but there is no particular rush to upgrade, and it's backwards-compatible with the previous protocol, HTTP/1.1.

No security problems have been found in the protocol itself, but there are vulnerabilities in some implementations and the possibility of lower visibility into internet traffic, so it's worth waiting for everything to shake out.

The pressure to switch is likely to come from lines of business, said Graham Ahearne, director of product management at security firm Corvil.

"They look to give their customers a faster, more responsive experience on their websites and e-commerce portals," he said.

But there are some nuances, with data volumes and new emerging vulnerabilities, that enterprises will need to keep an eye out for, he added.

"New is good, but also means unproven, which can lead to unanticipated exploitable exposures," he said.

The HTTP/1.1 protocol has been around for about 16 years, and is the underlying messaging standard for requesting web pages and associated resources. Requests go through one at a time, so some browsers use multiple connections to send parallel requests, which causes congestion. Websites also use a number of tricks and workarounds to try to deliver content faster.

"It was pretty decent, but not really designed around performance," said Brett Mertens, senior product manager at Limelight Networks. "Now people are more concerned about performance."

HTTP/2 promises to address this problem with multiplexing, which especially benefits websites with lots of small objects.

"In a 1.1 world, a browser would open up four to six connections to a web server to get the content," said Mertens. "In an HTTP/2 world, a single connection, multiplexed, understands the higher priority information to download, compresses the headers going back and forth, and all the communication is binary instead of clear text, so it's a more efficient process."

It doesn't look any different to the end user, he added, but the website might load a little faster.
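The framing Mertens describes, one connection carrying several interleaved streams in a binary format rather than text lines, can be seen in a small parser. This is an added example, not code from the article or from any company quoted in it; it follows the frame layout of RFC 7540 (9-byte header, 24-bit length, type, flags, 31-bit stream identifier), and the frame type codes, the default 16 KiB frame-size limit and the sample bytes are assumptions and constructed input. The size check shows the kind of implementation-level validation a receiver has to do, since the protocol itself does not stop a peer from sending an oversized frame.

```python
import struct
from collections import defaultdict

# Frame type codes as defined in RFC 7540 section 6 (assumption: taken from the RFC, not the article).
FRAME_TYPES = {0x0: "DATA", 0x1: "HEADERS", 0x2: "PRIORITY", 0x3: "RST_STREAM",
               0x4: "SETTINGS", 0x5: "PUSH_PROMISE", 0x6: "PING", 0x7: "GOAWAY",
               0x8: "WINDOW_UPDATE", 0x9: "CONTINUATION"}
DEFAULT_MAX_FRAME_SIZE = 1 << 14   # initial SETTINGS_MAX_FRAME_SIZE value (16 KiB)
HEADER_LEN = 9

def build_frame(ftype, flags, stream_id, payload):
    """Encode one frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id, payload."""
    if len(payload) >= 1 << 24:
        raise ValueError("payload too large for a 24-bit length field")
    length = struct.pack(">I", len(payload))[1:]          # low three bytes of a big-endian int
    return length + bytes([ftype, flags]) + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload

def parse_frames(buf, max_frame_size=DEFAULT_MAX_FRAME_SIZE):
    """Split a connection byte buffer into frames; an oversized frame is a FRAME_SIZE_ERROR."""
    frames, pos = [], 0
    while pos < len(buf):
        if len(buf) - pos < HEADER_LEN:
            raise ValueError("truncated frame header")
        length = int.from_bytes(buf[pos:pos + 3], "big")
        ftype, flags = buf[pos + 3], buf[pos + 4]
        stream_id = int.from_bytes(buf[pos + 5:pos + 9], "big") & 0x7FFFFFFF  # drop reserved bit
        if length > max_frame_size:
            raise ValueError(f"frame of {length} bytes exceeds negotiated max {max_frame_size}")
        payload = buf[pos + HEADER_LEN:pos + HEADER_LEN + length]
        if len(payload) != length:
            raise ValueError("truncated frame payload")
        frames.append((FRAME_TYPES.get(ftype, f"UNKNOWN_{ftype:#x}"), flags, stream_id, payload))
        pos += HEADER_LEN + length
    return frames

def demultiplex(frames):
    """Group frames by stream id: each stream is one request/response lane on the single connection."""
    streams = defaultdict(list)
    for ftype, _flags, sid, payload in frames:
        streams[sid].append((ftype, payload))
    return dict(streams)

# Constructed sample: a connection-level SETTINGS frame (stream 0) followed by two client
# streams (1 and 3) whose HEADERS and DATA frames are interleaved on the same connection.
SAMPLE = (build_frame(0x4, 0x0, 0, b"")            # empty SETTINGS on stream 0
          + build_frame(0x1, 0x4, 1, b"\x82")      # HEADERS, END_HEADERS; 0x82 is HPACK index 2 (:method GET)
          + build_frame(0x1, 0x4, 3, b"\x82")      # HEADERS for stream 3
          + build_frame(0x0, 0x1, 1, b"hello")     # DATA, END_STREAM, stream 1
          + build_frame(0x0, 0x1, 3, b"world"))    # DATA, END_STREAM, stream 3
```

Running `demultiplex(parse_frames(SAMPLE))` yields the frames for streams 0, 1 and 3 separately, which is the multiplexing a single HTTP/1.1 connection cannot do.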

Encryption not mandatory but still required

Mandatory encryption isn't built into the protocol itself. However, all current browser implementations require TLS encryption, adding a layer of security for the web.

"A lot of the security differences revolve around how it's been implemented more than the actual protocol itself," said Mertens. "Overall for security, it's a net positive and for performance it's a net positive, too."

But the encryption could be a double-edged sword for some companies, said Guy Guzner, CEO at security firm Fireglass.
