>The next major version of HTTP, HTTP/3, will use QUIC instead TCP/TLS for the transport layer portion.
What an odd way of phrasing it. It should be, "The next major version of HTTP, HTTP/3, will be QUIC and so drop TCP for UDP and require CA based TLS for every single connection. Regular connections not requiring a third party corporation to approve will be impossible."
If only browsers could read/install third party certificate authorities, then you could do crazy things like serve an internal domain securely via a certificate you generated yourself, assuming the users agree to install your CA - or better yet, you could be an enterprise purchasing computers for your employees with the CA preloaded. Of course, that's not possible right now.
Just be aware that support in non-browser software is not so widespread and for something which doesn't understand the extension, it's still effectively a global CA if installed
Be that as it may, this still doesn't seem like the big deal that so many people are making it out to be. Support for HTTP/1.1 and HTTP/2 won't be going anywhere fast, so legacy software can keep doing what it's always done, can't it?
HTTP/3 can be for people/applications that value what is has to offer, and can largely be ignored otherwise.
HTTP/1.1 is the last good HTTP that is designed for a human persons' needs instead of corporate persons needs. It'll be phased out of the megacorp browsers as soon as their services no longer require it. Likely they'll say it's for security reasons. And they won't be wrong (about their use case). They'll just be ignoring humans because human projects don't earn them money.
If you don't care about older software, in particular older Macs, yes, you can proceed as follows:
1. Make CA #1
2. Make CA #2, have CA #1 sign (a certificate for) this CA with a constraint saying it is valid only for DNS names in example.com and nothing else
3. Destroy CA #1 irrevocably
4. Trust CA #1 in your browser or other relying party software
5. You can now use CA #2 to issue with your constraint.
If you care only about specific web browsers, you can modify the browser software (this is practical for Firefox and to some extent Chromium) to alter its built-in trust semantics to give you chosen CA different constraints. Firefox ships with constraints for a handful of CAs which, in Mozilla's opinion, can be afforded such limited trust so you can model your changes on how that works. https://wiki.mozilla.org/CA/Additional_Trust_Changes
Name constraints allow it, if be happier if I could import a certificate and set my own constraints in the certificate manager - “I trust this for all *.bigcorp.com domains but not for mybank.com”
It’s also commonly used over domain sockets without TLS for gRPC. Practically I’m not sure that QUIC makes a huge amount of different for public services endpoints though, you’re right.
You can make a self-signed CA certificate any time you want, and anything with a browser will let you import it AFAIK. This can be locked down on corporate Windows machines via Group Policy, so this really only affects computers already behind myriad layers of HTTP security layer gunk. You'll just have to access your home streaming server from your phone over the guest Wi-Fi.
You're right about that use case. And the business people are right about their internal use cases. But those are not what I'm talking about.
It effects human people trying to host a generally accessible public website. Since HTTP/3 using QUIC cannot establish a connection to a site without a cert the public cannot access my hypthetical HTTP/3 website unless I get a corporation to continiously approve of it (ie, letsencrypt).
Distributing my self signed CA chain to the browser mechanisms appropriate for it for every random person around the world that would try to load to my website is not realistic.
For now HTTP 1.1 is still supported by all browsers. But it won't be long till it is phased out "for security" when it no longer makes profit-sense for megacorp browsers to support it (ie, none of their services require it). And when that happens it will no longer be possible to host a website without corporation permission. That's bad.
> What an odd way of phrasing it. It should be, "The next major version of HTTP, HTTP/3, will be QUIC”
No?
Http/3 is one application of quic, but sits on top of it.
That’s why it has a separate RFC, which explains that:
> While delegating stream lifetime and flow-control issues to QUIC, a binary framing similar to the HTTP/2 framing is used on each stream. Some HTTP/2 features are subsumed by QUIC, while other features are implemented atop QUIC.
While google did design QUIC with HTTP in mind, you can use QUIC for other protocols e.g. Microsoft has shipped SMB on QUIC in Windows Server 2022. MS also supports direct QUIC uses on Xbox Series consoles and has a guide to use MsQuic with the GDK.
> MS also supports direct QUIC uses on Xbox Series consoles
This is so fucking ridiculous. Tried writing my first android app a few months ago, and for reasons wanted to do QUIC. I was absolutely sure this was going to be a no-brainer, as Google more or less being the inventor of it, or at least a very strong proponent, must have made quic a first class citizen of Android and its SDK years ago now. I mean, all their apps use it. Imagine how much in disbelief I was when I learned there is nothing available, except a library that wraps Chrome's network engine and let's you use http3 over quic, but not quic directly. You'd have to fiddle with using a 3rd party native lib and some bindings and whatnot, so I just deleted Android studio and went for a walk. Yes I'm still bitter.
I've tried to drum up my own interest in Gemini, but it feels very NIH.
Given that you can serve plaintext (or barebones HTML) over the Web and that every browser will still happily speak HTTP/1.0 or even HTTP/0.9, I don't understand the draw (other than the nostalgic aesthetic).
That's supposed to be the point. Gemini is the techie version of running off into the woods to join an anarcho-primitivist commune or an aescetic monastery.
> Only one of these downsides directly affects publishers.
on the client side it ensures that JS, ADS, trackers etc won't be there and the client can bet there will be no surprise
Gemini is the equivalent of "make the impossible states impossible"
The best a malevolent publisher can do is look at the logs, because not even the transparent pixel is allowed.
It's worth pointing out that the goal of Gemini is not to replace the WEB and that it it is still possible to publish pure HTML web sites with the same characteristics (but for how long?)
also Gemini has no headers so no cookies, that, depending on the platform, could be out of the control of the publisher.
I am working (slowly) on some Gemini project
Mainly because there is no money involved in it and monetisation is not a thing.
Gemini, for example, makes it really easy to build search engines that actually work and cannot be weaponized against their users
Because the protocol is so limited that it's impossible, or highly impractical, to follow that route (no money also means no incentive)
Yeah, I think a distinction needs to be made between bastardized JS laden applications and documents with embedded rich media. It’s interesting the four bullet points in the link all mention documents but HTTP hasn’t been about documents for a long time.
From my understanding, the draw is to “start over” and create a completely new hypertext ecosystem where script-heavy advertising-laden sites just aren't technically possible. Or, at the very least, extremely impractical. It's a moonshot, but I guess that's one of the reasons they called it Gemini, heh.
HTTP/0.9 died long ago. Chromium shows an ERR_INVALID_HTTP_RESPONSE error page, and Firefox renders the response body as preformatted plain text rather than as HTML.
A while back I hammered out an idea I call KyuWeb, which specifies a document-based web using existing standards like HTTP and reinvents as few wheels as possible. I haven't had time/skill to hammer out a complete client implementation yet, but I enjoy hearing feedback from people who have looked over the specification. Have a look and see if it's to your taste: https://github.com/GarrettAlbright/KyuWeb
I happen to be watching Steve Sanderson's Why web tech is like this presentation, which has some early history, runs the original TBL projects. Might be fun for some interested in HTTP's (and a lot of other web tech, HTML/CSS/JS's) evolution: https://www.youtube.com/watch?v=3QEoJRjxnxQ
39 comments
[ 3.1 ms ] story [ 73.1 ms ] threadWhat an odd way of phrasing it. It should be, "The next major version of HTTP, HTTP/3, will be QUIC and so drop TCP for UDP and require CA based TLS for every single connection. Regular connections not requiring a third party corporation to approve will be impossible."
Or can one install an arbitrary CA and limit it to `*.example.com`?
HTTP/3 can be for people/applications that value what is has to offer, and can largely be ignored otherwise.
1. Make CA #1 2. Make CA #2, have CA #1 sign (a certificate for) this CA with a constraint saying it is valid only for DNS names in example.com and nothing else 3. Destroy CA #1 irrevocably 4. Trust CA #1 in your browser or other relying party software 5. You can now use CA #2 to issue with your constraint.
If you care only about specific web browsers, you can modify the browser software (this is practical for Firefox and to some extent Chromium) to alter its built-in trust semantics to give you chosen CA different constraints. Firefox ships with constraints for a handful of CAs which, in Mozilla's opinion, can be afforded such limited trust so you can model your changes on how that works. https://wiki.mozilla.org/CA/Additional_Trust_Changes
It effects human people trying to host a generally accessible public website. Since HTTP/3 using QUIC cannot establish a connection to a site without a cert the public cannot access my hypthetical HTTP/3 website unless I get a corporation to continiously approve of it (ie, letsencrypt).
Distributing my self signed CA chain to the browser mechanisms appropriate for it for every random person around the world that would try to load to my website is not realistic.
For now HTTP 1.1 is still supported by all browsers. But it won't be long till it is phased out "for security" when it no longer makes profit-sense for megacorp browsers to support it (ie, none of their services require it). And when that happens it will no longer be possible to host a website without corporation permission. That's bad.
No?
Http/3 is one application of quic, but sits on top of it.
That’s why it has a separate RFC, which explains that:
> While delegating stream lifetime and flow-control issues to QUIC, a binary framing similar to the HTTP/2 framing is used on each stream. Some HTTP/2 features are subsumed by QUIC, while other features are implemented atop QUIC.
While google did design QUIC with HTTP in mind, you can use QUIC for other protocols e.g. Microsoft has shipped SMB on QUIC in Windows Server 2022. MS also supports direct QUIC uses on Xbox Series consoles and has a guide to use MsQuic with the GDK.
This is so fucking ridiculous. Tried writing my first android app a few months ago, and for reasons wanted to do QUIC. I was absolutely sure this was going to be a no-brainer, as Google more or less being the inventor of it, or at least a very strong proponent, must have made quic a first class citizen of Android and its SDK years ago now. I mean, all their apps use it. Imagine how much in disbelief I was when I learned there is nothing available, except a library that wraps Chrome's network engine and let's you use http3 over quic, but not quic directly. You'd have to fiddle with using a 3rd party native lib and some bindings and whatnot, so I just deleted Android studio and went for a walk. Yes I'm still bitter.
"An argument for Gemini."
https://en.wikipedia.org/wiki/Gemini_(protocol)#Design
Given that you can serve plaintext (or barebones HTML) over the Web and that every browser will still happily speak HTTP/1.0 or even HTTP/0.9, I don't understand the draw (other than the nostalgic aesthetic).
no trackers or ads
no need for a CA
it's much easier to create a browser for it, it's in fact something a single developer can do in a weekend project
it's not controlled by any corporation
* If you don't want JS, don't use it.
* If you don't want trackers or ads, don't put them in.
* This is the only publisher-touching downside, and LetsEncrypt is an effective mitigation.
* If you want to make a site Lynx-compatible, test it in Lynx.
* The downsides of this are too diffuse to immediately drive demand. Nobody is directly impacted by it.
on the client side it ensures that JS, ADS, trackers etc won't be there and the client can bet there will be no surprise
Gemini is the equivalent of "make the impossible states impossible"
The best a malevolent publisher can do is look at the logs, because not even the transparent pixel is allowed.
It's worth pointing out that the goal of Gemini is not to replace the WEB and that it it is still possible to publish pure HTML web sites with the same characteristics (but for how long?)
also Gemini has no headers so no cookies, that, depending on the platform, could be out of the control of the publisher.
I am working (slowly) on some Gemini project
Mainly because there is no money involved in it and monetisation is not a thing.
Gemini, for example, makes it really easy to build search engines that actually work and cannot be weaponized against their users
Because the protocol is so limited that it's impossible, or highly impractical, to follow that route (no money also means no incentive)
HTTP2+ IS HTTPS.
And it's the opposite of secure.
Use this over HTTP/1.1 instead: https://datatracker.ietf.org/doc/html/rfc2289