This is a big deal, I think. Ten years from now we're going to look back and discover that Google quietly replaced HTTP without anybody complaining, or even noticing.
It won't replace HTTP 1.1, since billions of small sites without SSL certificates can't use it.
It might replace HTTP 1.1 if SSL certificates becomes free, automaticly generated, installed and renewed.
Otherwise most small websites (the majority of web sites on the net) without any real need for the security provided by encrypted communications (SSL) won't bother dealing with a ton of hassle (or costs) of SSL just for a minor speed improvement.
Free SSL certificates already exist, accepted by all major browsers: https://www.startssl.com/ . Does having to visit that site once a year to renew a certificate really pose a hardship?
But how do you do that? You'd have to have a non-https based landing page and then redirect to spdy based on user agent. If you actually care about SSL, the non-SSL landing page is an attack vector.
Warnings are compiler version dependent (and even optimization level dependent, surprisingly). It looks like that one was introduced by gcc 4.6, so perhaps the author of the patch was using a different version.
Chrome builds with -Werror on by default but, because of the above reason, recommends any person attempting to build it to turn it off (and provides a flag to do as much).
The other article on SPDY complained about it having SSL enabled by default. Is that really something to complain about? Isn't it one of the good things about it, because if SPDY gets adopted, it means everything becomes encrypted? And isn't that a very desirable future?
Date of the first RFC is from 2000. I wouldn't hold my breath. Besides, SPDY enablement simply relies on browser / middleware updates changes which can iterate quickly compared to networking gear that needs to support the protocol shift. This was a large factor in building SPDY on top of an existing stack.
Wait. Did I just read that right?
They want to emulate a packet (or frame) based protocol on top of a stream protocol (TCP-Stream)
which itself uses packets? That adds umm... how many overhead? Lets count:
- Data Link Layer (for instance Ethernet-Frames/Packets)
- IPv4/IPv6 - Packets
- TCP-Packets --> TCP-Stream
- SPDY-Frames --> Multiple Streams
- (Edit OK. Maybe not HTTP. Just insert here how they want to transmit the headers)
That way we not only send more useless data. We also have to dis- and reassemble everything twice.
Why not just extend the TCP-Protocol to support multiple streams? There's still unused space in the header
and we have the possibility add additional options.
Am I missing something?
I know that applications are not allowed to send raw TCP-Packets on most OSes by default. But most servers
run Linux, which could be easily patched to support such additional features. (And webhosts will have some work
to support that new protocol anyways)
SCTP requires OS support... putting SDPY on top of TCP/IP is just like any other protocol and doesn't require adding an entire new protocol that will have to be firewalled, will have to traverse across different devices that may or may not have SCTP available (such as older consumer routers).
27 comments
[ 0.31 ms ] story [ 66.9 ms ] threadIt might replace HTTP 1.1 if SSL certificates becomes free, automaticly generated, installed and renewed.
Otherwise most small websites (the majority of web sites on the net) without any real need for the security provided by encrypted communications (SSL) won't bother dealing with a ton of hassle (or costs) of SSL just for a minor speed improvement.
gcc -c -pipe -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Wunused-function -Wunused-variable -Wunused-value -Werror -g -march=native -Ofast -fomit-frame-pointer -fstack-protector -D_FORTIFY_SOURCE=2 -flto -fwhole-program -fuse-linker-plugin -I src/core -I src/event -I src/event/modules -I src/os/unix -I objs -I src/http -I src/http/modules \ -o objs/src/http/ngx_http_spdy.o \ src/http/ngx_http_spdy.c
src/http/ngx_http_spdy.c: In function ‘ngx_http_init_spdy’:
src/http/ngx_http_spdy.c:261:34: error: variable ‘rc’ set but not used [-Werror=unused-but-set-variable]
src/http/ngx_http_spdy.c: In function ‘ngx_http_spdy_process_ping’:
src/http/ngx_http_spdy.c:1512:35: error: variable ‘c’ set but not used [-Werror=unused-but-set-variable]
src/http/ngx_http_spdy.c: In function ‘ngx_http_spdy_send_rst_stream’:
src/http/ngx_http_spdy.c:2552:35: error: variable ‘c’ set but not used [-Werror=unused-but-set-variable] cc1: all warnings being treated as errors
I would point out that the -Werror is set by the vanilla version of nginx and not a flag that I passed in.
Chrome builds with -Werror on by default but, because of the above reason, recommends any person attempting to build it to turn it off (and provides a flag to do as much).
Thanks for the quick turnaround. I got distracted with something else right after I posted this and didn't expect such a quick update.
In any case, -36 built just fine and I have verified that I now have SPDY on the server.
FWIW, the format of using
listen 443 spdy; ssl on;
works just fine too.
IMHO, SSL ought to use a fingerprint-comparison check, instead of a central cert. "This server has changed since last time. Is that OK?"
Honest question, myself being pretty new to cryptography.
In practice, you'd generally accept that the first one you receive is valid, and then watch for deviations from there.
This is the way SSH works, for instance.
Using DNSSEC we can host the fingerprint of the cert in DNS at which point an CA is not required.
[1] http://en.wikipedia.org/wiki/SCTP
- Data Link Layer (for instance Ethernet-Frames/Packets)
- IPv4/IPv6 - Packets
- TCP-Packets --> TCP-Stream
- SPDY-Frames --> Multiple Streams
- (Edit OK. Maybe not HTTP. Just insert here how they want to transmit the headers)
That way we not only send more useless data. We also have to dis- and reassemble everything twice.
Why not just extend the TCP-Protocol to support multiple streams? There's still unused space in the header and we have the possibility add additional options.
http://en.wikipedia.org/wiki/Transmission_Control_Protocol#T...
Am I missing something? I know that applications are not allowed to send raw TCP-Packets on most OSes by default. But most servers run Linux, which could be easily patched to support such additional features. (And webhosts will have some work to support that new protocol anyways)
I don't get it.
Edit: SCTP may be a suitable replacement for TCP as mentioned in some other comment. http://en.wikipedia.org/wiki/Stream_Control_Transmission_Pro...