Google's SPDY Could Be Incorporated Into Next-Gen HTTP

MojoKid writes "Google's efforts to improve Internet efficiency through the development of the SPDY (pronounced 'speedy') protocol got a major boost today when the chairman of the HTTP Working Group (HTTPbis), Mark Nottingham, called for it to be included in the HTTP 2.0 standard. SPDY is a protocol that's already used to a certain degree online; formal incorporation into the next-generation standard would improve its chances of being generally adopted. SPDY's goal is to reduce web page load times through the use of header compression, packet prioritization, and multiplexing (combining multiple requests into a single connection). By default, a web browser opens an individual connection for each and every page request, which can lead to tremendous inefficiencies."

It's a secret plot by apple

[gearloos]

Its a secret plot by Apple to fix the lag in IOS 5 Safari by getting Google to find a way to speed up web page loads to cover it up!

Re:It's a secret plot by apple

Look dude, if you're going to spread a conspiracy properly, you need to spread your ideas out to a least 3 excessively long paragraphs or raging insanity. You could have easily structured it:

-Secret plot by apple. They're evil, man.

-The secret plot happens to be cuz iOS is evil like them.
-iOS version 5 is also evil.

-They've drugged Google with evil for more evil.

Re:It's a secret plot by apple

[LeperPuppet]

Your conspiracy needs more Illuminati/Lizard People/FEMA camps/Aliens/Other batshit craziness.

Pick any two and try again

Re:It's a secret plot by apple

[scdeimos]

Hate to rain on your parade, but didn't you realize that Apple will wait three years then have a media conference introducing iSPDY as their own invention?

Re:It's a secret plot by apple

[phonewebcam]

And Microsoft to merely wrap some bloatware round it and call it their own, like they do with their "search engine".

Re:It's a secret plot by apple

[TheRaven64]

Not really. If a user opts in, installs their toolbar, and says 'use my data to improve search results' then they will use the relationship between pages in their search algorithm. They just won't explicitly exclude pages that happen to be Google from this.

It's not like Microsoft is passing searches to google.com and then using the results. If a user with the Bing toolbar installed types a term into Google and then visits a page, then that page will be captured, but it would also be captured if they followed the link from a Slashdot post.

Re:I wonder what this means for caching proxies?

[joesteeve]

Things that get refreshed often dont get cached anyways. AJAX interactions mostly.

It's going to fail

Microsoft has announced their implementation, DirectSPEW.

It's going to kill SPDY when it debuts in a few months with Windows Phone 7.1.

Hi bonch

Re:It's going to fail

[marcello_dl]

Can't tell if troll or usual MS tactic.

What about pipelining and keep-alive?

[the_other_chewey]

I realise that SPDY is about reducing the latency of HTTP connection handshakes -
but wouldn't using the already existing and even implemented HTTP 1.1 standards
for pipelining (requesting multiple resources in one request) and keep-alive (keeping
a once-established connection open for reuse) mostly remove the handshake latency
bottleneck?

Re:What about pipelining and keep-alive?

[laffer1]

When pipelining first came out, there were many buggy implementations. As a result, many browsers and web servers disabled the feature. Maybe it's time to turn it on for everything.

Re:What about pipelining and keep-alive?

[zbobet2012]

Browsers and servers almost all use persistent connections these days and have since at least the early 2000's. SPDY doesn't claim to do anything with this (the summary above is incorrect). Speedy does however implement several features of "pipelining" but in a more elegant manner. There are a host of issues with pipelining on the server side (it is a security risk, a description of why is here). SPDY effectively implements pipelining but without the associated security risks. It also implements more advanced features that allow the server to push data to the client without the client requesting it.

Re:What about pipelining and keep-alive?

[zbobet2012]

To reiterate my reply below no, pipelining offers very little gain vs true "multiplexing" and it represents a security risk.

Re:What about pipelining and keep-alive?

[grmoc]

As one of the creators of SPDY..

No, HTTP suffers from head-of-line blocking. There is no way around that.
HTTP also doesn't have header compression (which matters quite a bit on low-bandwidth pipes) nor prioritization to ensure that your HTTP, javascript and CSS load before the lolkittens :)

Re:What about pipelining and keep-alive?

[Chatterton]

The risk described in the page is a Denial Of Service risk.

Re:What about pipelining and keep-alive?

[symbolset]

Now that's a comment you don't see every day. Glad you're thinking of the lolkittens. They're precious.

Re:What about pipelining and keep-alive?

[FireFury03]

No, HTTP suffers from head-of-line blocking.

Head of line blocking is a feature of TCP, and my (very cursory) understanding is that SPDY still uses TCP so how is this not still a problem?

A technologically better solution would probably be to use SCTP instead of TCP, but unfortunately suffers from the fact that SCTP is only 12 years old, so Microsoft have stated that they have no intention of ever supporting it. However, despite MS's lack of support, that doesn't prevent the possibility of using SCTP in environments where it is available.

Re:What about pipelining and keep-alive?

Yes, the layer-4 protocol still requires in-order delivery. But lost packets is not the sort of problem SPDY is trying to solve. SCTP might also be a good idea, but you'd still want SPDY on top of it instead of HTTP because it's faster even assuming perfect, in-order packet arrival.

But SPDY adds encapsulation within the TCP stream so data frames from multiple SPDY streams can be interleaved. It's like opening a bunch of separate TCP streams (like browser do now) but with a lot less overhead. It's also less complicated to implement than HTTP pipelining because each request/response gets its own SPDY stream so the underlying HTTP server can treat them as fully independent connections.

Using with HTTP, even with pipelining, the server must respond to requests in the order they are received. So if you request something slow -- say a DB query -- and then a bunch of static images, HTTP will have to wait for the slow request, send that response, and then send the images. Using SPDY each request creates a new SPDY stream, and the server can send back responses in each stream without respect for the order in which they arrived. So in the same slow-DB + static images scenario SPDY would be able to immediately start sending back images and then send back the DB response when it was ready. SPDY could even start sending images, and when it sees that the DB response is half-ready and has a higher priority, interrupt the image transfer, send the first half of the DB response, complete the image response, and then complete the DB response.

Re:What about pipelining and keep-alive?

[WaffleMonster]

As one of the creators of SPDY..

No, HTTP suffers from head-of-line blocking. There is no way around that.
HTTP also doesn't have header compression (which matters quite a bit on low-bandwidth pipes) nor prioritization to ensure that your HTTP, javascript and CSS load before the lolkittens :)

Please tell me your joking.

SPDY is layered on top of TCP... **TCP** suffers from head-of-line blocking and therefore so does SPDY.

By collapsing everything into a single connection you induce *more* latency on low speed, high latency connections because the chance of idling the link when waiting for an ACK/response with one TCP session or waiting for the next request increases vs multiple concurrent TCP sessions.

You don't need to invent a new protocol for header compression if you intend to always use TLS anyway. That is stupid... Just enable compression within TLS.

I would love to see a prioritzation scheme that works but the cold hard truth is you won't get much better than simple hurestics that don't require prioritization anyway. Dependancy graph is discovered late and simply isn't knowable ahead of time. You can do something like PGO to figure it out but this only works with static content.

If we are going to bother with a new protocol it needs to be a new *IP* layer protocol or at least layered on UDP... Anything less is akin to purchasing "Internet accelerator software" from an infomercial.

Re:What about pipelining and keep-alive?

[ArsenneLupin]

**TCP** suffers from head-of-line blocking and therefore so does SPDY

Head-of-line blocking may happen at different levels.

In the case of pipelined HTTP, if the first request in the pipeline is slow, it will block all the others, because answers have to be delivered in order.

A smarter protocol could take a "tagged" approach, where each response is tagged, and thus can be associated with the correct request even if delivered out of order. IIRC, imap uses an approach like this.

Re:What about pipelining and keep-alive?

[petermgreen]

It seems to me like it would be a big win for ssl sites.

Consider a browser visits a ssl site. First they have to open a ssl connection and download the page. Then they have a few choices.

1: download all the items sequentially using the same connection (obviously slow and bad)
2: open multiple connections (wasting time and processing power on multiple ssl handshakes)
3: use pipelining and hope they don't hit an item that is slow to retrive and blocks everything else.

With spdy they can just open one ssl connection and do everything over it without having requests block each other.

Re:What about pipelining and keep-alive?

[swillden]

Yes, but the number of streams is limited. Also, that approach puts it on the browser to decide which pieces to get in which order, whereas SPDY allows those decisions to be shifted to the server, which can presumably know a lot more about the content it's delivering. Multiplexing rather than using separate connections should also reduce server load.

Re:What about pipelining and keep-alive?

[grmoc]

SPDY goes further-- not only are requests and responses on separate streams asynchronous, but the parts of the different responses can be interleaved. The only head-of-line blocking here is based on the TCP buffering or the maximum frame size for SPDY (we typically use 4k frames).

Re:What about pipelining and keep-alive?

[grmoc]

Yes. Pipelining support was optional in HTTP/1.1 effectively.
Multiplexing in SPDY is so essential that if you mess it up, Google (and probably all other sites that use SPDY) won't work at all.
People are thus strongly motivated to get it right, which wasn't true of many of HTTP/1.1's effectively optional features.

Re:What about pipelining and keep-alive?

[kangasloth]

I wouldn't presume to accuse the engineers behind SPDY of ignoring the existing work in the space. I did take exception to the immediate parent's dismissive and inaccurate characterization of SCTP. That protocol is a worthy attempt to solve real problems at the most technically desirable layer. SPDY looks to be a good piece of engineering, inventing only as much as necessary to achieve a well defined benefit. I cannot fault its creators for that.

I stand behind my assertion that SPDY will succeed at the expense of SCTP. There are finite resources available for such work and those two protocols are in direct competition. After all the investment by browser implementors, web server vendors, proxies, reverse proxies, etc to support the former, can you really see any interest in doing so all over again for only modest direct benefit? If you succeed, then that constituency will have been largely satisfied. The web will indeed be better off – no small thing! And it will be good enough. Good enough in the same way that HTTPS is good enough. The protocol is sufficiently extensible that new ciphers have been deployed without breaking older implementations, but the true weaknesses lie in the fundamentally flawed nature of the CA institution that it spawned: a social problem, one not readily susceptible to technical improvement. Only now that the weakness in the CA system have been exploited and publicized has there been much appetite for any innovation in that space whatsoever. DNSSec is only just now percolating up through the resolver to applications – how long before we can rely on a sound technical foundation for transport crypto such as the HIP protocol aims to provide? The shortcuts taken today will linger to haunt future generations.

Engineers solve real problems, affording us real, practical benefit. I get that. Please forgive me that I am sad that solving these problems one niche at a time means that we can't seem to pull together towards a general solution for a broader benefit. I don't want it to just work: I wish for the foundations to be sound.

Real issue is...

[blahplusplus]

... embedded links that activate scripts/contact other adservers, etc. There is so much junk embedded in modern web-pages that most users have no clue how bad their client is being raped of accumulating identifiable information.

Re:Real issue is...

[jeti]

Too true. Installing the Firefox NoScript extension has been an eye-opener for me.

remove that Adsense first?

Maybe Google could remove all the useless Google Adsense ads first because the main reason why pages load so slow is because of the million ad calls to Google?

Re:remove that Adsense first?

[symbolset]

You have to dig that deep for a dig at Google? That's pretty lame. Google can't do anything about how novice blogs include their ads.

Re:remove that Adsense first?

Yes, because before ads, there was no culture whatsoever and people didn't communicate. What was the point anyway? It's not like you could monetize it somehow...

Protip: in the real world, content precedes advertisements... strangely, even on the Internet... I know you're probably too young to remember, but there _was_ a time when the Internet had more content than ads. Waaaaay back.

Also, most things on the Internet are free, because most things in the Universe are free anyway and because... if you charged money for your blog... do you think people would bother even consider paying you? LOL

Enjoy your stupid capitalist utopia.

Re:remove that Adsense first?

[Pieroxy]

If you continue mixing everything in one big meta problem, you'll fail to see the big picture.

Fact: People need to eat. They also usually need a roof over their head.
Consequence: People need money.

As a result of this, most people are not willing to work for free, because it is usually their work that makes the ends meet.

Look at Wikipedia. Free of ads, but they come whining every other year for money. All in all, they do put ads on their site, buit it's ads for themselves.

And before ads were invented the web was mostly academics and porn. Ah yes, a few fan website that ware so full of crap it was barely useable.

Grossly Incorrect Summary

[zbobet2012]

By default, a web browser opens an individual connection for each and every page request, which can lead to tremendous inefficiencies

HTTP1.1 which is supported by everything newer than IE5 (at least) utilizes persistent connections. You can verify this yourself with Wireshark in seconds. SPDYs optimizations largely revolve around "pipelining", but without some of the issues that it causes.

Re:Grossly Incorrect Summary

[VortexCortex]

By default, a web browser opens an individual connection for each and every page request, which can lead to tremendous inefficiencies

... SPDYs optimizations largely revolve around "pipelining", but without some of the issues that it causes.

No no no... You're using the wrong definition of "pipelining". First you must realize the Internet is a Series of Tubes. The Series part is important because TCP is a Serial protocol. If any Tube in the Series cracks and data is lost, endpoints start spewing packets all over the place in alarm! SPDY's optimizations revolve around "pipelining" -- That is: Lining the Pipes to prevent such events from happening in the first place.

HTTP1.1 is OLD! The pipes built around that time are OLD too. The HTTP1.1 "pipelining" is starting to wear through after 17 years... Connecting the Tubes is expensive too; If a Header is compressed there's less chance of part being lost in a data leak when it flows through the tubes.

There is an underground movement to get rid of the whole ridiculous idea of Tubes. I mean, Why would you take something as permeable as a NET and build a Series of Tubes out of it?! OF COURSE YOU NEED PIPELINING if you want it to be efficient!

However, what if you didn't need a "pipe" what if you could get your information from the Sea of Data by Casting about the Web and sorting out the results on your end? You could simply keep trying until you were satisfied with the data you had. Even better if relevant data could be naturally organized -- swarm together -- in a sort of BitTorrent so you could get the data in the Net with less Casting... One could even take the center out -- Decentralize it -- to help prevent conflicts about which data came from what side. I mean: Who cares if someone wants to DownLoad a car so much that it's undrivable from all the weight? It doesn't make your car any less usable! Besides, the naysayers are all Hypocrites: They have to participate in the things they say are wrong just to even see into what we're doing -- You have to Peer to Peer!

Don't even get me started on Cloud Computing! Seriously... It's VaproWare!

Alternatives?

[Ostracus]

What about alternatives like UDT, and SCTP?

I before E...

[grcumb]

"[T]he SPDY (pronounced 'speedy') protocol ....

No WAY am I pronouncing it 'speedy'. I'm a callin' it 'spidey'. That way, I can build wearable network monitors which vibrate at high frequencies when the web server gets bogged down.

And then.... I'll be able to interrupt my boss in mid-sentence and say, "Hang on, my spidey sensors are tingling..."

Re:I before E...

[Surt]

"I better check my web servers."

Countermeasure for Nokia/RIM/O... speedup-proxies?

[q.kontinuum]

Several mobile phone companies and some browsers offer special proxies nowadays to speed up browser experience on mobile phone and to reduce data usage for customers by serving prerendered or otherwise optimized/reduced pages. This might severely reduce Googles ability to collect user data from these users on the visited web pages (unless the user is logged in to google+ or alike with his browser, which might be unlikely given that for social networks there are usually separate apps).

Is this now a step to reduce the need for these proxies in order to protect their own business?

Re:HTTP 2.0?

[Hadlock]

We have other protocols, like FTP for example, that handle things besides web pages. HTTP is a pretty wide open protocol and allows all sorts of things to be jammed in to it, which is why it's worked so well in the past.
 
Also, as they say, "if it ain't broke, don't fix it".

It'd be a faster still without all the redirects

Says it all. The connection setup isn't the problem, it's being bounced to 10 different sites other than the one you wanted to visit, half of which are overloaded at any given time.

Fix that instead Google and there's no need to mess with the standards anyway.

What above the layer below?

[Lisandro]

SPDY's goal is to reduce web page load times through the use of header compression, packet prioritization, and multiplexing (combining multiple requests into a single connection).

I'd like to see SCTP getting some love, which sadly enough seems unlikely if it hasn't happened so far. It's a very simple protocol mixing the good parts of both TCP and UDP, plus it supports multiplexing and priorization off the bat.

Re:What above the layer below?

[rdebath]

That's a really poor way of describing SCTP. Firstly the relationship between TCP and UDP is such that TCP could be built entirely ontop of UDP, the only reason it isn't physically is so that the port numbers for UDP and TCP are distinct. On the other side the best description of UDP is actually "Bare IP packets with port numbers".

SCTP is not that, it would probably be most accurate to describe it as being a protocol with multiple TCP streams in both directions within one connection. Because it's within a single connection a 'stream' can be very small (ie a little message) and still be efficient and because there are multiple streams messages don't have to wait for each other; though they can if you want. It is probably simpler that TCP, but only because TCP has had so much bolted on.

But you are absolutely correct, this would be a very good protocol for throwing a load of tiny requests at a web server and getting the results back as soon as they're ready. BUT, mixing it with SSL would not be very simple, I guess you'd have to do what OpenVPN does.

Adds bufferbloat and reduces VoIP sound quality

[haffy]

SPDY is a great example of someone thinking only of their own application.

By increasing the initial window size from 3 to 10 they add to the bufferbloat effect (at the microscopic level) and increase Jitter from tolerable 38 ms to intolerable 126 ms on a 1 Mbit/s ADSL line. This level of jitter severely affects VoIP sound quality. And for this calculation I have assumed that the web browser only uses one TCP connection to load the page; if it uses two TCP connections the Jitter may double.

But hey! What does any application developer care about other applications? They are only concerned about getting their own application sped up.

When you improve the performance of your application, you should think about how it degrades the performance of other applications. If someone recommended increasing the O/S priority level of the web browser to the maximum, so all your other applications slowed down to a halt while the web browser was running, you would probably object. The increased initial window size is a comparable recommendation, but at a network buffering level, so very few people understand its negative side effects.

We all want faster loading web pages, but we also want other applications to respond faster, and we also want perfect VoIP sound quality without the walkie talkie effect caused by high latency or jitter.

Re:Adds bufferbloat and reduces VoIP sound quality

[mnot]

Actually, Jim Gettys has called for the adoption of SPDY (alongside the wider deployment of HTTP pipelining) to help mitigate bufferbloat.

Re:Adds bufferbloat and reduces VoIP sound quality

[FireFury03]

By increasing the initial window size from 3 to 10 they add to the bufferbloat effect (at the microscopic level) and increase Jitter from tolerable 38 ms to intolerable 126 ms on a 1 Mbit/s ADSL line.

I can't really see how increasing the window size would increase jitter. Network bandwidth aside, the throughput of a TCP connection is a function of latency and window size. Increasing the window size simply increases the throughput on high-latency networks.

You're still limited to MTU-size packets (probably 1500 octets), and if you're using a priority queuing discipline this gives you a network jitter of about 12ms on a 1Mbps connection: (1500*8)/1000000 = 0.012 since the priority queue will insert the small high priority RTP packets between the large low priority packets.

When you improve the performance of your application, you should think about how it degrades the performance of other applications. If someone recommended increasing the O/S priority level of the web browser to the maximum, so all your other applications slowed down to a halt while the web browser was running, you would probably object. The increased initial window size is a comparable recommendation, but at a network buffering level, so very few people understand its negative side effects.

Increasing the window size is not comparable to increasing the priority of the traffic. I would agree with you if the application were setting the ToS flags(*) in an abusive way, but the window size just affects the maximum throughput for a connection given a specific latency connection. Given that latency isn't something generally very controllable, this can't even be regarded as an effective method of intentionally throttling throughput (shaping the traffic on the router would be more sensible here).

(* routers out on the internet won't generally pay attention to ToS flags, so setting them abusively wouldn't normally give you any advantage anyway. However, routers at the ends of low bandwidth links, such as ADSL, should be paying attention to ToS flags in order to prioritise latency-sensitive protocols. If you're not doing this and just relying on FIFO queuing then you're pretty much screwed already for VoIP unless you're using the connection for nothing else).

Re:Adds bufferbloat and reduces VoIP sound quality

[Phs2501]

You should have updated to IPv6, where is no such checksum in TCP.

I think you're misinformed. IPv6 has no IP header checksum, unlike IPv4. However, the higher-level protocol checksums are still there; in fact, UDP over IPv6 is required to include a valid checksum, unlike in IPv4 where it can optionally be 0x0000.

Re:Adds bufferbloat and reduces VoIP sound quality

[Lennie]

SPDY does not increase the initial window, Google, Microsoft and many others increased that on their server to get the content faster to you.

Within Google a completely different department I'm sure.

SPDY uses less connections a good thing to reduce bufferbloat.

Someone above already mentioned Jim Getty mentioned SPDY will reduce the effect of bufferbloat.

Re:Waiting for ad.doubleclick.net ...zzz...

[VortexCortex]

I have that option too, but I'm willing to allow Slashdot to make whatever meager income they can by my presence since they're kind enough to allow my positive (and negative) contributions.

The Model T wasn't Broken

[Niscenus]

HTTP's inception predates the scale at which the Internet is used today, and like IPv4, the failure to anticipate the shifts in use and data access within the Internet make it far less efficient than it could otherwise be. SPDY, along with many of the streaming protocols, identify more with the modern Internet practices than, "Get this page now," technique of HTTP.

I'm on the second tier of my ISP's access rate, and even though many pages should load in the theoretical second, they don't due to modern styling and plugin/include/addon calls. I honestly would have thought that what SPDY does would already have been more commonly implemented, and that data access in general would be moving to a peer/metapeer networking solution to save on demand of resources in general. Some of the assumptions of its design come out of the late-eighties and early-nineties anticipation of the large-first to small-second distribution common among universities, government installations and large commercial systems of the time, where maintaining a large lan with few nodes possessing Internet access in both directions.

HTTP1.1 is as not broken compared to HTTP2.0 as a protocol as XFree86 4.x isn't anymore broken than any of its successors (irregarding explicit bug fixes, as that's not applicable relative to a protocol...usually), but regardless of where you came down on the forks and licensing, you probably aren't running it on any *Nix under 5 years old.

Re:Waiting for ad.doubleclick.net ...zzz...

[FireFury03]

Great! But will it do anything to speed up pages that refuse to display until the advertisements do? Even Slashdot takes longer to display because of some third-party ad server.

XHTML largely fixed that by banning document.write(). Unfortunately the "industry" didn't like that and produced the enormous brain-fart known as HTML5, which went back to allowing all the crazy shit that XHTML had banned for a good reason.

Re:Countermeasure for Nokia/RIM/O... speedup-proxi

[q.kontinuum]

Opera (offering Opera Turbo), Nokia (http://www.developer.nokia.com/Develop/Series_40/Nokia_Browser_for_Series_40/) etc. are not the network providers, so your argument is moot. They neither save any bandwidth on their side by offering the proxy, quite the opposite, not do they just cache the traffic.

The IMPORTANT bit about SPDY

[YA_Python_dev]

I realize you guys are just kidding, but there's a very important and overlooked part of the SPDY protocol. Hopefully TPTB won't understand its implications before it's too late to stop SPDY adoption.

You see, the way I read the spec and the way it's currently implemented, SPDY requires every single connection to be encrypted. It's not optional.

Imagine that, a world where MITM attacks suddenly become much much harder, where your ISP doesn't inject ads in your search results, where your mobile provider cannot "help" you screwing up your HTTP connections with a transparent proxy, where the British government cannot censor a Wikipedia page, where even the small sites can be encrypted because web hosts save bandwidth money by offering this option to everyone.

Imagine a world where net neutrality becomes much harder to break because all big protocols are encrypted all (or at least most) of the time and the deep packet inspection shit that's used much more widely than people think just doesn't work anymore.

SSH, Freenet, Skype BitTorrent and other P2P protocols are already there. This is the chance to do it for HTTP.

Disclaimer: I speak only for myself and not anyone else. IANARE.

Re:The IMPORTANT bit about SPDY

[makomk]

Imagine a world where every time you set up a website you have to fork over money to a certificate provider in order for people to be able to access your sites, where the prices for certificates are sky-high once again because the CAs know that they've got everyone over a barrel, where governments use their influence to get their own CAs into every browser and go right on ahead MITMing everything in site by painting anyone that refuses as a supporter of child porn...

Re:The IMPORTANT bit about SPDY

[magamiako1]

Do you really, honestly, truly believe that the US Government needs its own CAs and can't simply ask Verisign/Symantec to hand over a valid CA for a domain they want?

Re:The IMPORTANT bit about SPDY

My god. We might have to self-sign our own certificates.

Re:The IMPORTANT bit about SPDY

[Yosho]

Do you really, honestly, truly believe that the US Government needs its own CAs and can't simply ask Verisign/Symantec to hand over a valid CA for a domain they want?

The USG doesn't want to use Verisign/Symantec's CAs. If it was using them, then it would be possible for Verisign/Symantec to sign something and make it look as though it was signed by the USG. That's why they need their own.

(believe it or not, the government does things with SSL other than impersonate web sites so that they can do MitM attacks on civilian communications)

Supported since Firefox 11

[Skuto]

Go to about:config and switch network.http.spdy.enabled.

Mozilla has been quite critical of some Google technologies (Dart, Native Client, ...) that it saw as not truly open and closing down the internet to be the GoogleWeb. SPDY got implemented though. So I guess it's a a keeper and might see wider adoption.

Re:HTTP 2.0?

[Pieroxy]

We have other protocols, like FTP for example, that handle things besides web pages. HTTP is a pretty wide open protocol and allows all sorts of things to be jammed in to it, which is why it's worked so well in the past.

Also, as they say, "if it ain't broke, don't fix it".

With all the NAT going around, FTP is becoming less and less useable.

The biggest pro for HTTP is it's universal support, not its openness.

As far as your last sentence is concerned, we'd still be fighting for a little fire if we followed it all along...

Although

[sakura+the+mc]

The speed benefits provided by this new protocol will rapidly be negated by the ability to cram more shit into each connection.

What about caching proxies & web filtering?

[mangobrain]

By choosing TLS as the underlying transport, inspecting traffic for debugging or monitoring purposes becomes nigh on impossible. It will only be possible to capture traffic at the application level, after decryption and decapsulation (which, depending on the nature of any given bug, may be too late), or if it originates from servers you own (i.e. the server's private key is available to you). SPDY proxies will become dumb pipes, unable to perform any sort of content caching, unless users are willing to accept that the proxy may perform MITM on their traffic. For such MITM to be feasible, users need to trust a CA certificate associated with the proxy, and rely on the proxy performing upstream certificate checks on their behalf, because the browser no longer has a single end-to-end TLS session with the origin server. In corporate and other "managed" environments, people often find this acceptable in moderation*, but I would be worried if this became the norm - it creates a mind-set whereby it's acceptable to breach users' privacy, and the more proxy vendors have incentive to implement the necessary (proprietary) code, the more scope there is for them to get it wrong, completely undermining security.

Not to mention that introducing a mux/demux layer in between the network traffic and the individual requests/responses greatly increases the complexity needed to implement a proxy compared to plain-old HTTP.

Losing the functionality of caching proxies would seem counter to Google's goal of speeding up the Web. Losing the ability to monitor and filter network traffic will greatly diminish the ability of schools, employers, public hotspot providers etc. to enforce acceptable usage policies, to the extent that some - especially employers - may simply resort to blocking web access outright.

IMHO, the behaviour of SPDY proxies needs to be tightly specified, if they are going to exist. Standardise MITM behaviour, so that users and admins are aware of the pros and cons. Make it mandatory that end users are warned when MITM is taking place. Perhaps introduce new extensions, such as the ability for the proxy to establish TLS with the browser using its own certificate, but transmit a copy of any origin server certificates corresponding to proxied requests, so that the browser isn't entirely at the proxy's mercy WRT certificate verification. Perhaps introduce the ability to multiplex requests to different domains on the same connection, something a browser can't do when talking directly to distinct origin servers.

Note that similar concerns apply to reverse proxies, used by website providers themselves to speed up their own infrastructure. It may seem desirable for both front-end caching and back-end servers to use SPDY, but establishing TLS sessions between two halves of the same infrastructure, over the LAN, will be detrimental to resource usage.

* Bear in mind that currently, MITM is only necessary for HTTPS sites, which means that there are vast swathes of in-the-clear HTTP traffic for which caching doesn't introduce any inherent security concerns. By making *everything* use TLS, MITM becomes a consideration if you want to perform *any* caching/filtering at all, not just caching/filtering of secure sites. If there is no longer any distinction between secure and insecure sites, how does even a responsible admin know where to draw the line?

Re:Tethering

[Ash-Fox]

Do you know any methods to improve tethering? I use my 3G phone as a WiFi hotspot. It seems that when the connection is idle for a while, it takes some time to kick it up to full speed.

Change your TCP/IP congestion algorithm to something like Compound TCP (CTCP).

This posting misquotes Mark Nottingham

[TwobyTwo]

This posting quotes an unreliable news report, and claims that IETF HTTP working group head Mark Nottingham, "called for it [SPDY] to be included in the HTTP 2.0 standard". Nonsense. It's easy enough to find the actual announcement from Mark which says, in part:

I've put together a charter proposal (see attached) that has us going to WGLC shortly (something that I want to see us do regardless), and starting work on HTTP/2.0. Note that it does NOT call out a starting point; rather, we'll start by asking for proposals, considering them and selecting one based upon the traditional IETF criteria of rough consensus and running code.

Indeed, the proposed formal charter for the new work that's included in Mark's note doesn't mention SPDY at all. I've been in meetings with Mark about this, and SPDY is no doubt at or near the top of the list in terms of interesting candidate technologies to look at, but it's incorrect to say that Mark is calling for its use in HTTP 2.0. At the very least, the Slashdot post on which this is a comment would do a much better service to the community if it linked and quoted Mark's actual announcement, rather than some hyped up misinterpretation from the press. All the conspiracy theorists should calm down a little while, and subscribe to the IETF working group mailing list if they really want to see how this plays out.

Re:No SNI

[asdf7890]

Given how long these processes take, by the time the standard is finalised both XP and Android 2 will be outside any promised support window so they should not be used as a reason to hamper this new version of the standard. If people are still using those clients by then they will (or should) have far greater worries than a few "invalid certificate" warnings. Heck, hopefully IPv6 support will be common place by then (while people saying it'll all hit the fan this year are being a bit premature IMO, I can't see IPv4 lasting until the endof XP's life) making the IPv4 based limitations irrelevant anyway.

Even if XP is still around and causing trouble, the only browsers affected are IE variants or similarly old hat code: recent (anything from the last two years or more IIRC) Firefox, Chrome and Opera versions support SNI even on XP as does Firefox on Android (I don't know about others like Opera Mobile).

Re:No SNI

[TheRaven64]

Interestingly enough, Windows XP and Android 2 also don't support HTTP 2.0, so they're largely irrelevant in this context...

Re:Parent is trolling

[grmoc]

As one of the creators of SPDY I can say: SPDY as specified today requires TLS and is only deployed using TLS.