Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google's SPDY Could Be Incorporated Into Next-Gen HTTP

Posted by timothy on from the 10-4-gd-bdy dept.

MojoKid writes "Google's efforts to improve Internet efficiency through the development of the SPDY (pronounced 'speedy') protocol got a major boost today when the chairman of the HTTP Working Group (HTTPbis), Mark Nottingham, called for it to be included in the HTTP 2.0 standard. SPDY is a protocol that's already used to a certain degree online; formal incorporation into the next-generation standard would improve its chances of being generally adopted. SPDY's goal is to reduce web page load times through the use of header compression, packet prioritization, and multiplexing (combining multiple requests into a single connection). By default, a web browser opens an individual connection for each and every page request, which can lead to tremendous inefficiencies."

11 of 275 comments (clear)

  1. Real issue is... by blahplusplus · · Score: 5, Insightful

    ... embedded links that activate scripts/contact other adservers, etc. There is so much junk embedded in modern web-pages that most users have no clue how bad their client is being raped of accumulating identifiable information.

  2. remove that Adsense first? by Anonymous Coward · · Score: 3, Insightful

    Maybe Google could remove all the useless Google Adsense ads first because the main reason why pages load so slow is because of the million ad calls to Google?

    1. Re:remove that Adsense first? by Anonymous Coward · · Score: 3, Insightful

      Yes, because before ads, there was no culture whatsoever and people didn't communicate. What was the point anyway? It's not like you could monetize it somehow...

      Protip: in the real world, content precedes advertisements... strangely, even on the Internet... I know you're probably too young to remember, but there _was_ a time when the Internet had more content than ads. Waaaaay back.

      Also, most things on the Internet are free, because most things in the Universe are free anyway and because... if you charged money for your blog... do you think people would bother even consider paying you? LOL

      Enjoy your stupid capitalist utopia.

  3. Re:It's a secret plot by apple by scdeimos · · Score: 5, Insightful

    Hate to rain on your parade, but didn't you realize that Apple will wait three years then have a media conference introducing iSPDY as their own invention?

  4. Re:What about pipelining and keep-alive? by Chatterton · · Score: 3, Insightful

    The risk described in the page is a Denial Of Service risk.

  5. Re:What about pipelining and keep-alive? by FireFury03 · · Score: 3, Insightful

    No, HTTP suffers from head-of-line blocking.

    Head of line blocking is a feature of TCP, and my (very cursory) understanding is that SPDY still uses TCP so how is this not still a problem?

    A technologically better solution would probably be to use SCTP instead of TCP, but unfortunately suffers from the fact that SCTP is only 12 years old, so Microsoft have stated that they have no intention of ever supporting it. However, despite MS's lack of support, that doesn't prevent the possibility of using SCTP in environments where it is available.

    --
    http://blog.nexusuk.org
  6. The IMPORTANT bit about SPDY by YA_Python_dev · · Score: 5, Insightful

    I realize you guys are just kidding, but there's a very important and overlooked part of the SPDY protocol. Hopefully TPTB won't understand its implications before it's too late to stop SPDY adoption.

    You see, the way I read the spec and the way it's currently implemented, SPDY requires every single connection to be encrypted. It's not optional.

    Imagine that, a world where MITM attacks suddenly become much much harder, where your ISP doesn't inject ads in your search results, where your mobile provider cannot "help" you screwing up your HTTP connections with a transparent proxy, where the British government cannot censor a Wikipedia page, where even the small sites can be encrypted because web hosts save bandwidth money by offering this option to everyone.

    Imagine a world where net neutrality becomes much harder to break because all big protocols are encrypted all (or at least most) of the time and the deep packet inspection shit that's used much more widely than people think just doesn't work anymore.

    SSH, Freenet, Skype BitTorrent and other P2P protocols are already there. This is the chance to do it for HTTP.

    Disclaimer: I speak only for myself and not anyone else. IANARE.

    --
    There's a hidden treasure in Python 3.x: __prepare__()
    1. Re:The IMPORTANT bit about SPDY by makomk · · Score: 4, Insightful

      Imagine a world where every time you set up a website you have to fork over money to a certificate provider in order for people to be able to access your sites, where the prices for certificates are sky-high once again because the CAs know that they've got everyone over a barrel, where governments use their influence to get their own CAs into every browser and go right on ahead MITMing everything in site by painting anyone that refuses as a supporter of child porn...

    2. Re:The IMPORTANT bit about SPDY by Anonymous Coward · · Score: 4, Insightful

      My god. We might have to self-sign our own certificates.

    3. Re:The IMPORTANT bit about SPDY by Yosho · · Score: 3, Insightful

      Do you really, honestly, truly believe that the US Government needs its own CAs and can't simply ask Verisign/Symantec to hand over a valid CA for a domain they want?

      The USG doesn't want to use Verisign/Symantec's CAs. If it was using them, then it would be possible for Verisign/Symantec to sign something and make it look as though it was signed by the USG. That's why they need their own.

      (believe it or not, the government does things with SSL other than impersonate web sites so that they can do MitM attacks on civilian communications)

      --
      Karma: Terrifying (mostly affected by atrocities you've committed)
  7. What about caching proxies & web filtering? by mangobrain · · Score: 4, Insightful

    By choosing TLS as the underlying transport, inspecting traffic for debugging or monitoring purposes becomes nigh on impossible. It will only be possible to capture traffic at the application level, after decryption and decapsulation (which, depending on the nature of any given bug, may be too late), or if it originates from servers you own (i.e. the server's private key is available to you). SPDY proxies will become dumb pipes, unable to perform any sort of content caching, unless users are willing to accept that the proxy may perform MITM on their traffic. For such MITM to be feasible, users need to trust a CA certificate associated with the proxy, and rely on the proxy performing upstream certificate checks on their behalf, because the browser no longer has a single end-to-end TLS session with the origin server. In corporate and other "managed" environments, people often find this acceptable in moderation*, but I would be worried if this became the norm - it creates a mind-set whereby it's acceptable to breach users' privacy, and the more proxy vendors have incentive to implement the necessary (proprietary) code, the more scope there is for them to get it wrong, completely undermining security.

    Not to mention that introducing a mux/demux layer in between the network traffic and the individual requests/responses greatly increases the complexity needed to implement a proxy compared to plain-old HTTP.

    Losing the functionality of caching proxies would seem counter to Google's goal of speeding up the Web. Losing the ability to monitor and filter network traffic will greatly diminish the ability of schools, employers, public hotspot providers etc. to enforce acceptable usage policies, to the extent that some - especially employers - may simply resort to blocking web access outright.

    IMHO, the behaviour of SPDY proxies needs to be tightly specified, if they are going to exist. Standardise MITM behaviour, so that users and admins are aware of the pros and cons. Make it mandatory that end users are warned when MITM is taking place. Perhaps introduce new extensions, such as the ability for the proxy to establish TLS with the browser using its own certificate, but transmit a copy of any origin server certificates corresponding to proxied requests, so that the browser isn't entirely at the proxy's mercy WRT certificate verification. Perhaps introduce the ability to multiplex requests to different domains on the same connection, something a browser can't do when talking directly to distinct origin servers.

    Note that similar concerns apply to reverse proxies, used by website providers themselves to speed up their own infrastructure. It may seem desirable for both front-end caching and back-end servers to use SPDY, but establishing TLS sessions between two halves of the same infrastructure, over the LAN, will be detrimental to resource usage.

    * Bear in mind that currently, MITM is only necessary for HTTPS sites, which means that there are vast swathes of in-the-clear HTTP traffic for which caching doesn't introduce any inherent security concerns. By making *everything* use TLS, MITM becomes a consideration if you want to perform *any* caching/filtering at all, not just caching/filtering of secure sites. If there is no longer any distinction between secure and insecure sites, how does even a responsible admin know where to draw the line?