HTTP 2.0 Will Be a Binary Protocol

earlzdotnet writes "A working copy of the HTTP 2.0 spec has been released. Unlike previous versions of the HTTP protocol, this version will be a binary format, for better or worse. However, this protocol is also completely optional: 'This document is an alternative to, but does not obsolete the HTTP/1.1 message format or protocol. HTTP's existing semantics remain unchanged.'"

Makes sense

[thetagger]

HTTP is the world's most popular protocol and it's bloated and slow to parse.

Re:Makes sense

[cheesybagel]

It might be bloated and slow. But it is also easily extendable and human readable.

Re:Makes sense

Wrong! .Its UDP. I sent a note to asking him to confirm this fact, but he never replied.

Re:Makes sense

[WaffleMonster]

Most popular protocol? What ever happened to TCP?

From looks of the draft it has been reimplemented within HTTP.

Re:Makes sense

[Progman3K]

It might be bloated and slow. But it is also easily extendable and human readable.

What's could be good if HUMANS were intended to read it.

Yeah, it's a good thing no humans work as programmers or ever debug this thing

Re:Makes sense

[steelfood]

You can also make binary blobs human readable. Just have an official spec on how to translate binary into English.

Re:Makes sense

[Progman3K]

Yes, but considering TCP is a core part of IP... what you did kind of falls flat.

Nope, that's like saying hamburgers are a core part of cows.

You make hambugers out of cows, you don't make cows out of hamburgers.

You make TCP out of IP, you don't make IP out of TCP.

Re:Makes sense

The amount of text that comes with HTTP is pretty inconsequential compared to the payload it's carrying.

Re:Makes sense

[Trepidity]

Not particularly bloated or slow to parse, especially on modern hardware. HTTP/2.0, which is basically a minorly tweaked version of Google SPDY, doesn't even claim speedups more than about 10%.

Re:Makes sense

[plover]

Knock-knock.
Who's there?
UDP packet.
UDP packet who?

Re:Makes sense

[h4rr4r]

Says someone who never has to debug a damn thing.

Re:Makes sense

[PhrostyMcByte]

It might be bloated and slow. But it is also easily extendable and human readable.

Human readable yes, extendable no. Well, it's not extendable in any meaningful way. Even though it looks like it on a quick look, if you read the spec you quickly realize there really is no generic structure to a message -- you cannot parse an HTTP request if you do not fully understand it. Even custom headers like the commonly used X-Foo-Whatever are impossible to parse or even simply ignore, so implementations just use an unspecified de-facto parsing and pray to the web gods that it works.

This makes HTTP parsers very complicated to write correctly and even moreso if you want to build a library for others to extend HTTP with. This isn't a text VS binary issue, but simply a design flaw. Hopefully HTTP 2.0 fixes this.

As they say, HTTP 1.1 isn't going anywhere -- this'll be a dual-stack web with 2.0 being used by new browsers and 1.1 still available for old browsers/people.

Re:Makes sense

[SuricouRaven]

*silence*

Re:Makes sense

[dgatwood]

I frequently get fairly close to the raw protocol, using curl, and have even been known to manually make HTTP requests in a telnet session on occasion. That said, I'm assuming a future version of curl would simply translate the headers and stuff into the historical format for human readability, making this sort of change fairly unimportant in the grand scheme of things.

Re:Makes sense

[ArcadeMan]

As they say, HTTP 1.1 isn't going anywhere -- this'll be a dual-stack web with 2.0 being used by new browsers and 1.1 still available for old browsers/people.

In Korea, HTTP 1.1 is for old people.

Re:Makes sense

[CadentOrange]

+1 If I had mod points. I've found the readability of HTTP crucial on numerous occasions.

Re:Makes sense

[Alomex]

Human readable is a bug, not a feature.

[Citation needed]

for no real gain.

Right, because making it easier to debug is not a real gain, but an imaginary one, and also bandwidth being so expensive one can barely afford the extra 1K of headers from HTML. I mean nowadays sending that can take as long as 1 millisecond over a slow connection. Who has that kind of time?

Re:Makes sense

[dgatwood]

And then there's the joke one of my coworkers wrote on his whiteboard: "I know a joke about UDP, but you might not get it."

Re:Makes sense

[denbesten]

Human readable is a bug...

Says someone who never has to debug a damn thing.

Amen, Ditto, etc.
If only there were some way to both make it "human readable" and to somehow reduce the bandwidth.

Re:Makes sense

[Em+Adespoton]

Knock-knock.
Who's there?
UDP packet.
UDP packet who?

Knock-knock.
UDP Packet
Who's There? ....

Re:Makes sense

[omnichad]

Except cookies. And even worse - ViewState variables posted on badly coded .NET applications. Some of those are near the hundred kilobyte range.

Re:Makes sense

[Joce640k]

Ditto.

The HTTP header is miniscule compared to the HTML/images on the web page. Making it binary is a Stupid Fucking Idea.

Re:Makes sense

[Joce640k]

It was much less bloated before Javascript and CSS started throwing up in every corner of every webpage everywhere.

That's HTML, not HTTP.

Re:Makes sense

[phantomfive]

HTTP is the world's most popular protocol and it's bloated and slow to parse.

HTTP is a simple protocol, simple enough to write a parser in an afternoon. You're probably confusing it with HTML, which is a different subject altogether.

Re:Makes sense

[Score+Whore]

What?

First, compression is semantically identical to the uncompressed data. Anything "leaked" by compression would be "leaked" by the uncompressed data.

Second, compression removes entropy making it more difficult to predict the cleartext. Which is why it's common to compress data before encryption (assuming your application is amenable, full disk encryption would be a case where compression would be awkward.)

Re:Makes sense

[jeremyp]

The mechanism for spanning multiple lines is starting continuation lines with white space. If you read a line feed afollowed by a non white space character, you know the current header is over and the next one is starting.

Re:Makes sense

What makes you think that any of that would be changed by switching to a binary protocol for the headers? Everything you mentioned is payload, effectively. It's bad web design, not bad protocol design, to ping-pong big blobs of data.

Re:Makes sense

[swalve]

I agree that it's a stupid idea, but there is almost nothing about text that makes it special. It's just a particular data encoding scheme. If the HTTP/2.0 standard is actually a standard, then it will be pretty easy to make an app or a plugin that translates it.

Unfortunately, the days of computing being simple are over.

Re:Makes sense

[rsborg]

I frequently get fairly close to the raw protocol, using curl, and have even been known to manually make HTTP requests in a telnet session on occasion. That said, I'm assuming a future version of curl would simply translate the headers and stuff into the historical format for human readability, making this sort of change fairly unimportant in the grand scheme of things.

What happens when a) curl(v. next)'s HTTP2 binary parser is broken b) binary request or response is corrupted c) binary response from server is not corrupted, but non-standard?

In all of these cases, a quick examination of an HTTP1.x transmission usually leads to a rapid determination of the cause of the error. In HTTP2, there could be significant time/effort wasted unless the investigating person/app happens to understand all the details and nuances of an unexpected syntax.

Furthermore, how much more efficient would HTTP2 binary be over pipelined, gzip-9 content? If headers are that big of an overhad, why not just a standard compression on headers?

Re:Makes sense

[redalien]

https://en.wikipedia.org/wiki/CRIME_(security_exploit)

Re:Makes sense

[kh31d4r]

If this will remove badly coded .net applications I'm all for it!

Re:Makes sense

[Bengie]

10% faster usually means about 10% less power for the part of the system that is now 10% faster. A large datacenter will save lots of money. Maybe not a large eprcentage of money, but probably more than 1 person's salary.

Re: Makes sense

[Kr3m3Puff]

Yeah, let's hinder the 99.999% scenario for the benefit of the 0.001% one.

Re:Makes sense

[Darinbob]

Human readable is irrelevant. Humans do not read this, computers do. Maybe I'm old or something, but I remember when programmers know how to write programs to convert from binary to text, or even were able to read octal or hex directly, and so binary formats were no hindrance at all. Now though, even private internal saved state never seen by a human is done in XML for bizarre reasons.

(Probably the programmer knows how to use the XML library and so when your only tool is a pneumatic jackhammer then every problem looks like a sidewalk.)

Re:Makes sense

[lgw]

Says someone who never has to debug a damn thing.

I prefer to use tools for debugging. But if I'm stuck looking at raw binary, it's actually pretty easy to debug raw binary if the protocol was designed with that in mind. I spent 5 years debugging mainframe assembly programs and system dumps with no real tools - it just isn't that hard when the language or protocol was designed with that in mind!

Human-debuggable does not require a text format.

But even if it did: the purpose of a standard should be to be the most efficient for the end user, not for the developer. Developers can create tools as needed. End users are stuck with bloat.

Re: Makes sense

[multimediavt]

Yeah, let's hinder the 99.999% scenario for the benefit of the 0.001% one.

ROFLMFAO...Have you LOOKED at society lately?

Re: Makes sense

[Kidbro]

These seat belts and air bags are pointless. How often do I crash anyway?

Re:Makes sense

[CadentOrange]

You don't always have an app handy, but you'll almost certainly have a text editor of some sort.

Re:Makes sense

[turgid]

All programmers work for Microsoft and they are the guardians of the Secret Knowledge of the Diabolical Black Art of Making Computers do Stuff by Programming. They produce point-and-click tools for everyone to use their computers. If you are not part of The Sect you have no business engaging in the Diabolical Black Act and you will be hunted down and made to renounce any Secret Knowledge. You will be instructed in the use of the point-and-click tools and made to see that this is the True Path.

Re:Makes sense

What happens when a) curl(v. next)'s HTTP2 binary parser is broken b) binary request or response is corrupted c) binary response from server is not corrupted, but non-standard?

You fix the fucking bug or use a protocol analyzer. Let's not make this protocol as shit as the old one just because one or two chucklefucks refuse to run tshark. Jesus christ.

Re:Makes sense

[KingMotley]

Everything about your post is wrong. Cookies are transmitted with each request. ASP.NET Webform's viewstate is transmitted to and from each page, if enabled. Although HTTP 2.0 doesn't solve either of these problems, and the text nature of most HTTP requests has very little to do with the speed of the protocol. Changing to a binary protocol will likely shave off TENS of bytes on each request. You won't notice, even with a timer accurate to the millisecond.

Re:Makes sense

[LordLimecat]

You know what else is terrible? I hear that SQL stores its data in a binary (rather than ASCII) format too! And that humans have to work with them!

One day Im sure that someone will come up with a way of approaching this problem.

Re:Makes sense

No, the parent is right, and this weakness has been demonstrated in recent HTTPS attacks like BEAST and CRIME.

It works like this. You visit a site that has malicious JavaScript which sends a HTTPS request to some site (like your bank). This request will include whatever known plain-text that the JavaScript wants to send, *plus* any cookies you have stored for the target site, possibly including authentication cookies. If the plain text happens to match part of that authentication cookie, then the compressed headers will be smaller than if they if they don't match. If the attacker can monitor this encrypted traffic and see the sizes of the packets, then they can systematically select the known plaintext to slowly learn the value of the authentication cookie.

This can be done today in about half an hour. And the attack setup is feasible - consider a public WiFi access point that requires you to keep a frame open in order to use their WiFi. This gives them both the MITM and JavaScript access needed to perform this attack.

Sorry for posting as AC - slashdot logged me out and I have a meeting in 5 minutes.

Re:Makes sense

[omnichad]

They are stored locally in order to be transmitted with every request. Just pulled up the debug window here in Chrome. My HTTP request to load and view this page shows the following headers: Accept, Accept-Encoding, Accept-Language, Cache-Control, Connection, Cookie, Host, and User Agent.

Cookies are how your computer says to the server that you're logged into the site. How can the server verify that you're the same user and not just another computer behind the same external IP address without you sending the cookie?

The Cookie header contains ALL of the cookies stored for the slashdot.org domain. Total size of the Headers in the request was about 1.3KB. More than half - 0.9KB of that was the cookies.

Re:Makes sense

[LordLimecat]

Has the readability of TCP flags ever been a huge problem for anyone? Or have they simply used the bazillion TCP parsing tools out there which do all that heavy lifting?

Do you read the binary bits off of your harddrive, and handle encoding and endianness in your head, or do you use tools that translate from binary to ascii?

Why is it necessary for the binary bits to be arranged in ASCII format so that you can read them, rather than having a header-parsing tool that translates them to ASCII format?

Re:Makes sense

You can write a simple HTTP/1.0 parser, maybe. Try implementing HTTP/1.1 Pipelining some time.

Also, most HTTP parsers don't obey MIME rules when parsing structured headers. Regular expressions are insufficient. The vast majority of HTTP libraries don't fully support the specification, even at the 1.0 level. But most don't notice because you never see those complex constructs, except perhaps from an attacker trying to get around a filter--where on implementation perceives X and the other Y.

I've written an HTTP+RTSP+RTP non-blocking, re-entrant, restartable (no callbacks, which makes application composition easier) C library for streaming media. Libraries like curl just don't cut it for anything serious.

If your idea of implementing something relies on using regular expressions for parsing, I can guarantee you that you're not properly implementing the specification. I don't know of any useful specification, save maybe SPF (which has a broken synax which relies on NFA backtracking behavior), that doesn't involve grammar constructs beyond the capabilities of regular expression.

Re:Makes sense

[Chelloveck]

Binary vs. text doesn't make any real difference for debugging. Ethernet frames are binary, IP is binary, TCP is binary. We cope just fine. It may be more difficult to do a quick-and-dirty "echo 'GET / HTTP/2.0' | nc localhost 80", but so what? You can still use HTTP/1.1 or even HTTP/1.0 for that, and you're going to haul out the packet analyzer for any serious debugging anyway.

What I really don't like is that they're multiplexing data over a single TCP connection. I understand why they're doing it, but it seems like re-inventing the wheel. Congestion control is tricky to get right so I see HTTP/2.1 and HTTP/2.2 coming out hot on the heels of HTTP/2.0 as they iron out problems that have already been solved elsewhere.

Re:Makes sense

[grmoc]

So, you're saying that programmers read the SSL bytes directly and can interpret them?
That is impressive :)

Re:Makes sense

[Timmmm]

Compression of a verbose text-based format is never as good as having a compact binary representation in the first place. It's slower, harder to use and usually bigger anyway because compression algorithms are not magic.

There's a reason modern web APIs use JSON, protobufs or thrift instead of gzipped XML.

Re:Makes sense

[maxwell+demon]

I hear that SQL stores its data in a binary (rather than ASCII) format too!

Then you heard wrong. SQL does not store anything. Databases store data. SQL is just a language to access that data. And SQL databases (that is, databases which support the SQL language) store the data however they see fit. I'd not be surprised if there was an SQL database which stored its data in text.

Re:Makes sense

[bloodhawk]

I debug code every day, can't say the last time I read machine code though. Just because it is utilizing binary doesn't mean it has to be read that way, hell even my network tools include a raft of utilities to ensure I don't have to remember and understand every bit I see on the wire. It doesn't make sense for a computer to computer protocol to be bloated and slow just so someone can read it directly if they need to.

Re:Makes sense

[makapuf]

SELECT * FROM User GROUP BY Clue;

    Joke
+- - - - - - - +
    Woosh

And grr no they're not junk characters, you junk comment filter yourself. Please be damned to your 0xffff generation you filthy random bag of bits. What do you want me to do ? Type random sentences in the comment box ? That's what you want ? yes ? because I can definitely do that. Hey, I said I entered random sentences ! now accept my post!

Re:Makes sense

[cartman]

I disagree. I'm an old enough programmer (in my 40s), I started my career working with proprietary binary formats, and I remember the good reasons why binary formats were abandoned. Where I work, the older someone is, the less likely they are to favor binary formats for structured data (this argument has come up a lot recently).

I'll repeat one or two of the arguments in favor of not using proprietary binary formats.

If you wish to save space, conserve bandwidth, etc, then binary formats are not a good way of accomplishing that. The best way of saving space and conserving bandwidth is to use compression, not a custom binary format! Binary formats are still very large compared to compressed xml, because binary formats still have uncompressed strings, ints with leading zeroes, repeating ints, and so on. If you wish to save space or conserve bandwidth, then you ought to use compression.

If you use compression, though, then using a binary format also, gains you nothing. Binary formats do not compress down any further than human-readable formats that encode the same information. You won't gain even a few extra bytes on average by using a binary format before compressing. It gains nothing to use a custom binary format if you compress, which you should do if you're concerned about space or bandwidth.

Of course, compressed formats are binary formats. However, the compression formats you will use, are extremely common, are easily identified from a text identifier at the beginning of the file, and have widespread decompressors available on almost all platforms. Gzip, Bzip2, and zip are installed by default on the macbook pro I got from work. They're almost everywhere. That is not the case for a custom binary format which you create. Also, compression can be turned on and off. If you wish to sniff packets for debugging, you can turn compression off for awhile.

Here's a different way of putting it. You can think of common compression algorithms (such as bzip2) as mechanisms for converting your files into the most compact binary representation available with no programming effort from you. It does not help those algorithms if you also try to do binary encoding yourself beforehand.

There are a few weird exceptions where it's best to use binary formats. There are small embedded devices which lack the hardware to perform compression. Also, http/2.0 might be an exception, because the data transmitted is less than 100 bytes usually, so adaptive compression wouldn't work well, and it wouldn't be possible to compress across http requests because Http is (in theory) a stateless protocol.

Now though, even private internal saved state never seen by a human is done in XML for bizarre reasons.

There are reasons other than human-readability to use XML. Using xml means you gain an ecosystem of tools: all kinds of parsers, generators, code generators, validators, editors, pretty-printers in your IDE, network packet sniffers that can parse and pretty-print it, etc, on a wide variety of platforms. You lose all that if you roll your own binary format, for a gain of nothing if you compress the data in production.

Also, private internal state is seen by a human on rare occasion. What happens if parsing the file fails? Someone will need to look at it.

Binary protocol.. and what else?

It's nice to have a link to the draft. But couldn't we have just a little more "what's new" than it's binary? This is slashdot... Filled with highly techincal people. At least a rundown of the proposed changes would be very helpful in a discussion. The fact that they're proposing a binary protocol doesn't really matter to anyone besides anyone who wants to telnet to a port and read the protocol directly.

Does it improve coders?

[Freshly+Exhumed]

Can't wait to use the new 046102 047111 005113 tag!

Re:Does it improve coders?

[Tailhook]

Whatever problems you imagine are already being suffered in the form of SPDY. HTTP/2.0 emerged from SPDY and SPDY is supported by popular clients including Chrome and Firefox which handle traffic from Google, Twitter and Facebook, all of whom are serving SPDY today.

Wireshark has been picking apart SPDY for a couple years now. Developers see decomposed HTTP traffic in their browser consoles or HTTP APIs with little awareness of SPDY, so they rarely care.

Bandwidth costs money. Those rare instances when someone has to bench-check an HTTP transaction using a raw TCP stream have a really low priority.

Re:Does it improve coders?

[Lispy]

It's posts like that, that make me feel like an utterly completely useless techguy. I know nothing about the modern web and I don't even know it.

Re:Worth the tradeoff..

[bluefoxlucid]

HTTP already does that with pipelining. One connection, many files, optional compression on the body. The header is tiny.

It's really about multiplexing

[Animats]

The big change is allowing multiplexing in one stream. It's a lot like how Flash multiplexes streams.

Re:It's really about multiplexing

[Trepidity]

It reads almost like they reimplemented all of TCP inside of HTTP, complete with stream set-up and teardown, queuing, congestion control, etc. Why not just use... TCP to manage multiple streams?

Re:It's really about multiplexing

You need something better to manage the streams.
What would happen if the streams crossed?

Re:It's really about multiplexing

[kimvette]

> What would happen if the streams crossed?

Try to imagine all life as you know it stopping instantaneously and every molecule in your body exploding at the speed of light.

Re:It's really about multiplexing

[FireFury03]

It reads almost like they reimplemented all of TCP inside of HTTP, complete with stream set-up and teardown, queuing, congestion control, etc. Why not just use... TCP to manage multiple streams?

They're reimplementing SCTP inside TCP. Probably because they know there isn't a hope in hell of convincing Microsoft to implement a protocol that practically every other OS has supported for years...

Re:Worth the tradeoff..

[lgw]

Makes it harder to troubleshoot by using telnet to send basic HTTP commands

Since we're using a tool in the first place, it's just as easy to use a tool that understands the binary format. Back before open source toolchains had really caught on as a concept, human readable formats were a big plus, because proprietary tools could be hard to come by. Not really a concern these days, as long as the binary format is unencumbered.

Re:Binary protocol.. and what else?

[gl4ss]

It's nice to have a link to the draft. But couldn't we have just a little more "what's new" than it's binary? This is slashdot... Filled with highly techincal people. At least a rundown of the proposed changes would be very helpful in a discussion. The fact that they're proposing a binary protocol doesn't really matter to anyone besides anyone who wants to telnet to a port and read the protocol directly.

from quick glance, multiple transfers and communications channels("streams" in the drafts lingo) can be put through the single connection, cutting tcp connection negotiations.

Re:SPDY?

[Shimbo]

Draft 0 was SPDY. It's usually the way that standards evolve from one proposal; cut and shut standards don't often work out.

THIS IS A DRAFT, NOT HTTP 2.0

This is FAR from a done deal. The binary/ASCII question is being hotly debated.

take me back to

[mjwalshe]

the joys of debugging x.400 and reading a x.409 dump *NOT*

Why is it that news Internet standards seem to want to go down the route that the OSI did -

New TCP

[qbast]

HTTP/2.0 defines stream multiplexing, framing, stream control, prioritizing - pretty much replicating TCP. What is the point of putting TCP-like protocol on top of TCP ?

Re:Worth the tradeoff..

[plover]

I know! We'll call this mythical virtual machine something catchy, like "Flash".

Re:Worth the tradeoff..

[belphegore]

...unless you're on an embedded platform for which you don't have a compiler, and maybe busybox might build in this fancy new binary HTTP client tool in a few decades, but it'll be another few decades after that before manufacturers enable it and ship it.

What a clustferfuck

[l0ungeb0y]

Seems it's going binary to have EVERYTHING be a stream, with frame based communications, different types of frames denoting different types of data and your "web app" responsible for detecting and handling these different frames. Now I get that there's a lot of demand for something more than Web Socket, and I know that non-Adobe video streaming such as HLS are pathetic, but this strikes me as terrible.

Really, why recraft HTTP instead of recrafting browsers? Why not get Web Socket nailed down? Is it really that hard for Google and Apple to compete with Adobe that instead of creating their own Streaming Media Services they need HTTP2.0 to force every server to be a streaming media server?

Adobe's been sending live streams from user devices to internet services and binary based data communication via RTMP for several years, but HTML5 has yet to deliver on the bandied about "Device API" or whatever it's called this week even though HTML5 pundits have been bashing on Flash for years.

So if Adobe is really that bad and Flash sucks that much, why are we re-inventing HTTP to do what Flash has been doing for years?
Why can't these players like Apple and Google do this with their web browsers, or is it because none of these players really wants to work together because no one really trusts each other?

At the end of the day, we all know it's all just one big clusterfuck of companies trying to get in on the market Adobe has with video and the only way to make this happen in a cross-platform way is to make it the new HTTP standard. So instead of a simple text based protocol, we will now be saddled with streaming services that really aren't suited to the relatively static text content that comprises the vast majority of web content.

But who knows, maybe I'm totally wrong and we really do need every web page delivered over a binary stream in a format not too different from what we see with video.

Re:Can someone describe in human terms

[Intropy]

Think of it like a car, but instead of wheels, frame and engine, it uses binary.

Re:Port multiplier

[tepples]

With TCP, you need a separate port number for each service. For example, a Doom server runs on port 666, and an RDP server runs on port 3389. With Web Sockets, you can put all services behind one port and give each a separate path. For example, ws://example.com/doom lets a client open a Doom session, and ws://example.com/rdp lets a client open an RDP session. The advantage of using a path instead of a port number is that it can host a far larger number of services. For example, two users of a server could run game servers on ws://example.com/~WaffleMonster/doom and ws://example.com/~tepples/doom.

Re:Worth the tradeoff..

[organgtool]

Since we're using a tool in the first place, it's just as easy to use a tool that understands the binary format.

Let's say that you use a test client to send commands to your custom server interface and there's a bug. Now you have to spend extra time to discover if the bug is in the test client or in your custom server.

Back before open source toolchains had really caught on as a concept, human readable formats were a big plus, because proprietary tools could be hard to come by. Not really a concern these days, as long as the binary format is unencumbered.

You have it backwards. Before open source caught on, binary formats were all the rage. They were proprietary and they were very prone to corruption. Once a document became corrupted, you were at the mercy of the developers to come up with a tool that could reverse the damage. When open source caught on, it pushed hard for using XML as the format for storing and transmitting information. Data corruption is much easier to spot with clear text and can even be easily fixed compared to binary data. In this respect, HTTP 2.0 is a complete step backwards.

Re:Can someone describe in human terms

[omnichad]

The payloads are already often gzipped - but it's one connection per one file most of the time. If you need images, CSS, Javascript, more tiny images, then those are all separate HTTP connections and on some servers, they are serially requested over one connection. Combine it into one connection, and you can parallelize the download process into one connection, prioritize HTML over resources, and only send cookies once instead of once per file.

Why Binary?

[ArhcAngel]

Why does it have to be Binary?

That's so twentieth century.

We should be using a Hexadecimal format!

Hyper TEXT

[Jeremiah+Cornelius]

What part of the term "HyperTEXT" did the working group fail to understand?

Really, outside of snooping/privacy discoveries, this is the SINGLE WORST piece of news I have seen in 15 + years on Slashdot. We could see this coming with the push for DRM in the HTTP spec. Here we watch the other shoe drop.

"They" don't like this web. They are entrenched media and information companies, and the elite financial and political powers that rely on framing/controlling public information - while collecting rents for doing so.

You think that your issues with security and control of your own platform are bad now? Wait til your browser is rejected by sites you need to do business with - because you won't parse HTML/HTTP 2.0. Linking this with crap like Intel TPM/TXT and you are well into Orwell Telescreen territory.

"Optional"? Five years from now, we'll all see if you can get your driver's license, pay your phone bill or shop at Amazon without this one...

Re:Hyper TEXT

[badboy_tw2002]

Holy moly how does your knee taste? I asked because that was a mighty jerk it just gave means you must be tasting skin.

What DRM can you put in a binary protocol that you can't put in a text protocol. See those letters? Expressed in octets! Just because its not characters that form a language as we know it doesn't mean its not parsable as a language.

Apologies if you were just doing some honest trolling.

Re:Hyper TEXT

[nbsr]

I agree with you that it is technically possible to define a text format that is more obfuscated than the binary one. Yet, it almost never happens.

Text formats are designed to be open and humanly readable (that's why they are *text* formats). This encourages writing multiple implementations of parsers and formatters, often partial or ad-hoc ones (perl one-liners etc). At some point the critical mass is reached and no one, not even the original author, can fiddle with the format, effectively preventing any embrace, extend, extinguish efforts.

Binary generally do not generally reach this level of standardization. On purpose - people want to control the format and the handful of its implementations. There are some exceptions, like TCP or IPv4, (which BTW proves your point that a binary format *can* be open) but they are considered a failure in terms of extensibility specifically because they escaped the control.

Finally, in case of HTTP there is exactly *zero* benefit from switching to binary representation. Bandwidth utilization is negligible and has never been smaller, parsing has to be robust to errors for security reasons so you cannot save much processing power either. These things were important in early 1990s (yet we chose to communicate in plain text anyway) but not now. The only place where HTTP could be improved is latency as it scales slower than network bandwidth but that has nothing to do with the format.

Re:Hyper TEXT

[WillKemp]

What part of the term "HyperTEXT" did the working group fail to understand?

HyperText Transfer Protocol = a protocol for transferring hypertext. The protocol is not the hypertext - documents marked up with HyperText Markup Language are the hypertext. The protocol is just used for transferring them.

Rationale

[hebcal]

The rationale for http-2.0 is available in the http-bis charter. Quoting the spec:...

As part of the HTTP/2.0 work, the following issues are explicitly called out for consideration:

• * A negotiation mechanism that is capable of not only choosing between HTTP/1.x and HTTP/2.x, but also for bindings of HTTP URLs to other transports (for example).
• * Header compression (which may encompass header encoding or tokenisation)
• * Server push (which may encompass pull or other techniques)

It is expected that HTTP/2.0 will:

• * Substantially and measurably improve end-user perceived latency in most cases, over HTTP/1.1 using TCP.
• * Address the "head of line blocking" problem in HTTP.
• * Not require multiple connections to a server to enable parallelism, thus improving its use of TCP, especially regarding congestion control.
• * Retain the semantics of HTTP/1.1, leveraging existing documentation (see above), including (but not limited to) HTTP methods, status codes, URIs, and where appropriate, header fields.
• * Clearly define how HTTP/2.0 interacts with HTTP/1.x, especially in intermediaries (both 2->1 and 1->2).
• * Clearly identify any new extensibility points and policy for their appropriate use.

Focus on what matters

[mstefanro]

Why won't they focus on what really matters? HTTP is still missing sane authentication techniques. Almost all websites require users to log in, so it should be a priority that a log in mechanism be supported in HTTP as opposed to being the responsibility of every web developer individually (don't you dare mention HTTP Basic Authentication). Relying on cookies alone to provide authentication is a joke. Not all websites afford to buy certificates or the performance penalty of HTTPS and security over HTTP is practically non-existent.

The HTTP protocol is very primitive and it has not evolved on par with the evolution of cryptography and security. A lot better privacy, confidentiality, authentication can be obtained with very little cost. Because most websites allow you to log in, the server and the client share a common piece of information that a third party does not, namely the client's password (or some digest of that). Because of this shared information, it should be far easier to provide security over HTTP (at least for existing users). I find it laughable that we still rely on a piece of fixed string sent as plain-text (the session cookie) to identify ourselves. Far better mechanisms exist (besides the expensive HTTPS) to guarantee some security, and it should not be the responsibility of the web developer to implement these mechanisms.

At the very least, HTTP 2.0 should support password-authenticated key agreement and client authentication using certificates.

While signing up can still be problematic in terms of security, logging in need not be. There's a huge difference between being exposed once and being exposed every time. If there was no Eve to monitor your registration on the website, then there should be no Eve that can harm you any longer. You have already managed to share some secret information with the server, there is no reason to expose yourself every time you log in by sending your password in plain text and then sending a session in plaintext every time you make a request. That is, a session which can be used by anyone.

While it may be acceptable for HTTP1.1 to not address such security concerns, I would find it disturbing for HTTP2.0 not to address them either.
To get an intuitive idea on how easy it can be to have "safer proofs" that you are indeed logged in, consider the following scenario: you have registered to the website without an attacker interfering; you would like to log-in, so you perform an EKE with the server and you now have a shared secret; every time you send a request to that website, you send some cookie _authenticated = sha2(shared_key || incremental_request_number). Obviously, even if Eve sees that cookie, it cannot authenticate itself in the next request, because it does not know the shared_key and thus cannot compute the "next hash".
This is just an example proof-of-concept technique to get an idea on how much better we can do. Many other cheap techniques can be employed. This one has the overhead of only one hash computation.

Given that HTTP is a tremendously used protocol, it does make sense to make it as space-efficient as possible, being responsible for a large portion of the bandwidth. I do believe it matters on a large scale. However, given the arguments above, this should not be their priority.

Sing it with me

[justthinkit]

Embrace...Extend...Extinguish.

Re-inventing the wheel, with a flat tire

[davecb]

Unix, when it was new, was radical in that everything was in ordinary ascii text files. Everyone else "knew" that you had to work in binary, have binary config databases, binary file systems with dozens of record type and so on. With each binary format you had to provide a binary editor and/or debugger. If something broke, you needed a high priest of that particular religion just to debug it, much less fix it.

Note how many Unixes you see for each machine running GCOS or PRIMOS. Of all the machines of the day that still exist, note that most z/OS files are simple EBCDIC. Over time, that square wheel quietly went away.

When the PC came along, application designers once again started doing everything in binary, plus the occasional DOS text file. If something broke, you needed to go back to the vendor, because programs didn't come with binary editors. Or you could get a high priest of a particular order to take it apart in a debugger.

And, just to add injury to insult, a 64-bit binary floating point zero is four times the length of an ascii zero followed by a space or newline. Spreadsheet files in binary were ~ 4 times larger that the ones in DOS text my company used (;-)) Turns out spreadsheet files are mostly empty, or mostly contain zeros.

Over time, lots of config files and data files became ascii or UTF-8, and a huge number fo data files became html or xml text files. And that square wheel went away.

Let a hypertext file be a sequence of bytes, separated by newline characters. Let the text be a sequence of bytes, optionally using multiple bytes per character, as in UTF-8.

Verily I say unto you, let it be simple, lest it be stupid. Round wheels are better than square, or ones that are just flat on one side

--dave

Re:telnet

[Asgard]

Exactly. It is useful to be able to demonstrate that a given request/response occurs with minimal interference. Otherwise there is always questions as to whether FireFox or Curl is sending a request 'differently' somehow; being able to show that a given behavior is reproducible with a request issued over least-common-denominator telnet is inarguable.

Additionally, telnet is nearly ubiquitous while protocol analyzers are much harder to find, plus are often forbidden on desktops in large corporate environments as a security issue either due to their sniffing capability or for innate vulnerabilities.