Slashdot Mirror

← Back to Stories (view on slashdot.org)

HTTP/2 - the IETF Is Phoning It In

Posted by samzenpus on from the natives-getting-restless dept.

An anonymous reader writes HTTP/2 is back in the spotlight again. After drawing significant ire over a proposal for officially sanctioned snooping, the IETF is drawing criticism for plowing ahead with its plans for HTTP/2 on an unrealistically short schedule and with an insufficiently clear charter. A few days ago the IETF announced Last Call for comments on the HTTP/2 protocol.

Poul-Henning Kamp writes, "Some will expect a major update to the world's most popular protocol to be a technical masterpiece and textbook example for future students of protocol design. Some will expect that a protocol designed during the Snowden revelations will improve their privacy. Others will more cynically suspect the opposite. There may be a general assumption of 'faster.' Many will probably also assume it is 'greener.' And some of us are jaded enough to see the "2.0" and mutter 'Uh-oh, Second Systems Syndrome.' The cheat sheet answers are: no, no, probably not, maybe, no and yes."

"Given this rather mediocre grade-sheet, you may be wondering why HTTP/2.0 is even being considered as a standard in the first place. The Answer is Politics. Google came up with the SPDY protocol, and since they have their own browser, they could play around as they choose to, optimizing the protocol for their particular needs. SPDY was a very good prototype which showed clearly that there was potential for improvement in a new version of the HTTP protocol. Kudos to Google for that. But SPDY also started to smell a lot like a 'walled garden'."

"The IETF, obviously fearing irrelevance, hastily 'discovered' that the HTTP/1.1 protocol needed an update, and tasked a working group with preparing it on an unrealistically short schedule. This ruled out any basis for the new HTTP/2.0 other than the SPDY protocol. With only the most hideous of SPDY's warts removed, and all other attempts at improvement rejected as 'not in scope,' 'too late,' or 'no consensus,' the IETF can now claim relevance and victory by conceding practically every principle ever held dear in return for the privilege of rubber-stamping Google's initiative."

38 of 161 comments (clear)

  1. Shrug by Anonymous Coward · · Score: 2

    If the protocol sucks, it'll go mostly unadopted.

    See also: xhtml and arguably ipv6

    1. Re:Shrug by Anrego · · Score: 2

      What made xhtml suck. As a non-web guy who just occasionally dabbles, xhtml seemed like a good idea. Unclosed tags in html always looked ugly, and as far as I can tell, that's really the most notable difference between xhtml and html.

    2. Re:Shrug by Anonymous Coward · · Score: 2, Insightful

      The only "bad" thing about XHTML is that it forced web developers to do things properly.

      Web developers are generally total amateurs, or the worst of the worst of the so-called "professionals".

      So expecting them to put even the slightest about of care into their work is just too much. That includes properly closing markup tags.

      XHTML was admired and used very effectively by the very small proportion of real software developers who get stuck dealing with web development now and then.

      But a small number of people can't compete with the overwhelmingly huge majority of incompetents, and their half-assed HTML5 idiocy.

    3. Re:Shrug by mwvdlee · · Score: 3, Insightful

      IPv6 doesn't suck. We're just not feeling the pain of IPv4 enough to care.

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    4. Re:Shrug by mwvdlee · · Score: 3, Insightful

      The problem with XHTML is that it would never be able to stand on it's own.
      Even if all web developers started creating perfect XHTML code, we'd still have a huge legacy that would require all the browser kludges XHTML was supposed to fix.
      XHTML is best described as such: http://xkcd.com/927/

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    5. Re:Shrug by omnichad · · Score: 5, Interesting

      As a web guy, I still use primarily XHTML. I may call it HTML5 when I need to use an HTML5 tag, but for a true developer/designer who doesn't use a GUI, properly nesting tags is a must. And with HTML5 being so loose, most XHTML documents are also valid HTML5 documents.

      Also - being able to load another web site's XML-compliant DOM to scrape data (for personal use)? Priceless.

    6. Re:Shrug by petermgreen · · Score: 4, Interesting

      ways in which IPv6 sucks or sucked.

      1: mechanisms for interoperability were bolted on later, not included as core features that every client and router should support and enable by default. The result is that relays for the transition mechanisms are in seriously short supply on the internet and often cause traffic to be routed significantly out of it's way.
      2: the designers were massively anti-nat, as a result we don't have any interoperability mechanisms that go with the flow of NAT, instead we have two incompatible interoperability mechanisms one of which doesn't work with NAT at all and the other of which makes itself unnessaceraly fragile by fighting the NAT rather than going with it. The company behind the latter mechanism also disabled it by default for machines on "managed networks"*, presumablly because they were afraid of annoying corporate network admins.
      3: there was lots of dicking around with trying to solve other problems at the same time rather than focusing on the core problem of address shortage. For example for a long time it was not possible to get IPv6 PI space because of pressure from people who wanted to reduce routing table size. Stateless autoconfiguation and the elimination of NAT seemed like good things at the time but they raised privacy issues and added considerable complexity to home/small buisness deployments.
      4: there was little incentive to support it and so the time when you can use an IPv6 only system as a general internet client or server without resorting to transition mechanisms seems as far off as ever.

      * Defined as any network with something windows thinks is a domain controller.

      --
      note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
    7. Re:Shrug by neoform · · Score: 2

      JSON is very simple, but it's also very strict. A single typo will result in no data being readable.

      --
      MABASPLOOM!
    8. Re:Shrug by hab136 · · Score: 2

      You forgot DHCPv6 being rejected because stateless autoconfig/RAs would be enough - except you couldn't get DNS or PXE boot info that way because it's not part of routing, so couldn't be included in router advertisements (politics, not technical). So, DHCPv6 was bolted on after.

    9. Re:Shrug by CastrTroy · · Score: 3, Interesting

      The "problem" with HTML and browsers is that they have always worked with, and will always be expected to work with invalid code. Feed invalid code into a C compiler, a Java compiler, or XML interpreter, and if the syntax is incorrect, it will return an error and refuse to process anything. Browsers on the other hand are supposed to take invalid HTML and try to do something useful with it. If browser developers didn't have to spend so much time trying to make their code interpret invalid syntax, they could probably fix a lot of the other bugs that actually affect valid code.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    10. Re:Shrug by mwvdlee · · Score: 2

      OTOH, A typical web developer has to spend a lot of time trying to create a single HTML codebase that works across all browsers.
      Restrictive syntax validation in browsers wouldn't be as big a problem if all browsers could agree on what that syntax actually does.

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    11. Re: Shrug by jeremyp · · Score: 2

      This is utter nonsense. XHTML is not a an HTML renderer, it is a standard for an XML document format.

      If your browser misrenders an HTML4 document because it thinks it is XHTML, the problem is either the browser itself which can't distinguish different document types or the person who wrote the web page and erroneously put the xml processing instruction at the top.

      --
      All I want is a secure system where it's easy to do anything I want. Is that too much to ask ~~ Randall Munroe
    12. Re:Shrug by Dragonslicer · · Score: 3, Interesting

      They just tools that write it for them after drawing it in Photoshop.

      Should that be "they just use tools" or "they just are tools"?

      Yes.

    13. Re:Shrug by jandrese · · Score: 2

      This was the dumbest thing. Not including the basic DNS functionality in the router advertisement--on a protocol utterly dependent on DNS because the addresses are so ugly--was a colossal blunder. Even then, stateless autoconfig has no mechanism to notify the DNS of the address it chose, so good luck populating a DNS server. Sure you don't need a hostname if you're purely a client, but that's far too narrow a view for how people actually use networks. I like a lot of what IPv6 does and think that in 10-15 years v4 will be a historic relic used in legacy networks and by old equipment, but it has some ugly warts right now.

      I understand that the designers thought DNS was "just a service", but it's not. It a mapping tool for addresses at the IP layer. It's right there and more importantly, it has direct interaction with the IP layer. It should have been at the table during the IPv6 development.

      --

      I read the internet for the articles.
  2. HTTP isn't why the web is slow by Anonymous Coward · · Score: 5, Insightful

    A typical "modern" web site loads untold numbers of scripts and other files from dozens of domains, mostly for tracking, A/B testing and other things that the user doesn't want or need. That's what makes the web slow. I don't think HTTP is a particularly nice protocol, but HTTP/2 is taking a bad protocol and making it worse by "optimizing" it, while the real bottleneck is obviously somewhere else.

    1. Re:HTTP isn't why the web is slow by Austerity+Empowers · · Score: 5, Funny

      I was unable to read your post because it didn't contain any pictures to look at or a monkey I could punch.

    2. Re:HTTP isn't why the web is slow by greg1104 · · Score: 5, Insightful

      Whenever I bring a new computer up, I'm shocked all over again at just how slow browsers are before ad blocking is enabled. On most sites, all of the real content is there long before all of the ad and tracking content arrives. Today, nothing speeds up a slow computer and connection like Adblock Plus.

    3. Re:HTTP isn't why the web is slow by mellon · · Score: 2

      Personally I have no opinion about HTTP/2, but I have to say that this anonymous hit piece looks a lot like some IETF participant who didn't like how the process came out trying to create the appearance of consensus against it by pumping up the anger of the interwebs without actually saying what's wrong with the spec. When I see people making statements not supported by explanations as to why we might want to consider them correct, my tendency is to assume that it's hot air trying to bypass the consensus process.

      It's also a bit annoying to see the IETF accused of having published a document advocating snooping when in fact someone floated that idea in the IETF and it was shot down in flames, and what we actually published was a document stating that snooping is to be considered an attack and addressed in all new IETF protocol specifications (RFC 7258).

  3. Alarmist much? by Anonymous Coward · · Score: 2, Interesting

    I think the submitter doesn't like Google.

    First, 'SPDY was a very good prototype' followed by 'the most hideous of SPDY's warts removed' was summed up with 'the IETF can now claim relevance and victory by conceding practically every principle ever held dear in return for the privilege of rubber-stamping Google's initiative.'.

    Adopting and modifying a demonstrably working improvement for a standard is no cause for ire. Besides, this is the IETF we're talking about, be glad this is a modicum of improvement and not as blatant as something like this. http://arstechnica.com/security/2013/12/critics-nsa-agent-co-chairing-key-crypto-standards-body-should-be-removed/

    1. Re:Alarmist much? by BlackHawk-666 · · Score: 2

      You can if you install Ghostery https://www.ghostery.com/en/

      I also recently switched to Duck Duck Go, since I'm sick to death of all the spying and tracking my internet habits attract.

      Include AdBlock of some sort, and you've just made the internet a much nicer place again (assuming you stay off Facebook and Twitter ;-> ).

      --
      All those moments will be lost in time, like tears in rain.
  4. Microsoft doth protest too much? by Anonymous Coward · · Score: 2, Insightful

    I see no hidden agendas possible in this article. No, really..

    1. Re:Microsoft doth protest too much? by shutdown+-p+now · · Score: 2

      Given that IE11 already supports SPDY, and the pre-release version of IE12 in Windows 10 supports the current HTTP/2.0 draft, that would be a very strange way to protest, and with no clear reason.

    2. Re:Microsoft doth protest too much? by shutdown+-p+now · · Score: 2

      Oh, and apparently it's an article by Poul-Henning Kamp. You know, the guy who wrote like half of FreeBSD.

  5. Anonymous submitter plagiarised ACM Queue article by Anonymous Coward · · Score: 2, Informative

    This was written by Poul-Henning Kamp, and published in the ACM Queue.

    Intosi

  6. Article quoting a troll? by mysidia · · Score: 2

    Criticisms belong in the IETF discussion forum, but as long as the protocol is an improvement over HTTP/1, then this is progress. Sorry, PKH, about the Not Invented Here.

    Yes, if the improvement to be made is great and Google or a 3rd party has already done enough work to have good results, then the standardization process should be expeditious, and if the IETF wishes to stay relevant, they should work to provide technologically better standards at a reasonable pace.

  7. Proposals and running code by Lennie · · Score: 3, Interesting

    The Tao of IETF still mentions:
    "We reject kings, presidents and voting. We believe in rough consensus and running code"
    http://www.ietf.org/tao.html

    Maybe it's just me, but might it apply here ?

    Before the httpbis working group started looking at proposals for HTTP/2.0 SPDY was already implemented and deployed in the field by mutliple browser vendors, library builders for servers and several large websites. A bunch of research documents was written. And a protocol specification document draft existed. SPDY wasn't created in the open perse, but it was iterated with the help the community.

    So the IETF WG let people suggest proposals:
    http://trac.tools.ietf.org/wg/...

    And then they voted.

    SPDY got selected.

    Also the SPDY draft was used as a basis for writing the new HTTP/2.0 draft.

    Is anyone surprised ?

    There might fundamental parts of the protocol which might have turned out differently if they would have gone through a open collaborative process.

    But at first glace it doesn't look that bad.

    I can see the appeal of rubberstamping what already exists.

    --
    New things are always on the horizon
    1. Re:Proposals and running code by dackroyd · · Score: 3, Insightful

      But at first glace it doesn't look that bad.

      I can see the appeal of rubberstamping what already exists.

      That's the real problem with the proposed protocol; it solves today's problems for todays computers. It doesn't attempt to look ahead and solve problems that should be solved over the next ten years.

      Seeing as it's going to take a few years and a huge amount of effort before HTTP 2 is widely adopted, we're going to need to start working on a replacement for it's even finished its rollout.

      Poul-Hennings has written his thoughts on the problems that actually should be solved in the next version of HTTP: http://phk.freebsd.dk/words/ht...

      The fact that the IETF has decided to ignore those problems so that HTTP 2 can be pushed out the door is what makes the situation be such a joke. Almost the only entities that will benefit from having HTTP 2 in the next 5 years are companies that have a web presence on the same scale as Google, Facebook, Twitter etc. that will save a small amount of money through reduced bandwidth costs.

      For everyone else, rolling out HTTP 2 will be a massive initial and ongoing technical burden, with almost no benefit.

      --
      "Free software as in beer, copy protection as in racket" - Telsa Gwynne
  8. versus 20 years for IPv6. 2002 cutover to IPv6 by raymorris · · Score: 4, Insightful

    HTTP/2, like Java, was written with the time frame in mind, ad it was decided that it's better to release a good specification soon than insist on a perfect specification that's never finished and deployed. There is a reason for that - a number of reasons, actually, but the #1 reason is IPv6.

    On April Fool's day 2002 I announced that the backbones, root name servers, and other core infrastructure would be doing a cutover to IPv6 and we expected a few hours of downtime for the internet as a whole. The story was believable because IPv6 had been in the works for a couple of years and switchover at that point seemed logical, if the reader wasn't a network engineer.

    Thirteen years later, 95% of internet traffic is still IPv4. Ten or twenty years from now, do we want to be using a better version of HTTP, or still be using HTTP/1.1 and talking about HTTP/2?

  9. HTTP/1.1 is just fine by allo · · Score: 2

    Or at least something backward compatible, no stinking binary protocols.

    Compression? Bandwidth is bigger and cheaper than ever. So why?
    SPDY had in the first draft the nice feature, to require TLS, which was dropped, too. So not even this advantage stays there for spdy/http2

    1. Re:HTTP/1.1 is just fine by wonkey_monkey · · Score: 3, Informative

      Compression? Bandwidth is bigger and cheaper than ever. So why?

      Because it's faster whether or not you've saturated your bandwidth, for a start. Secondly, just because you're not paying for your internet traffic by the megabyte, doesn't mean no-one else is along the way.

      Lastly - why not?

      --
      systemd is Roko's Basilisk.
    2. Re:HTTP/1.1 is just fine by DarkOx · · Score: 3, Insightful

      Bandwidth is bigger and cheaper than ever. So why?

      In places where its being delivered by cable to the edge or damn near to the edge yes. The rest of the world not so much.

      Think about. Anywhere dense enough AND stable enough pretty is pretty well covered for highspeed Internet access.

      The problem is everywhere else, is being more and more covered by Cellular. There is only so much spectrum, there are laws of physics that place caps on just how much information can be sent there.

      So you have trouble on both ends. You have very high population places, us westerners might think of as slums where people want to run lots of cellular radios. You can only get so far with micro cells and wifi. After all the micro-cell or wifi have to connect to something. If the cell is to small you could have just pulled the cable or fiber in.

      Ditto for sparsely populated areas. You again get lots of people on one tower there as well (but using more TX power) again because its only economical and practical to put so much density in. Satellites have essentially the limitations.

      We are approaching the point were many of high bandwidth have nots are likely to remain have nots pretty no matter what policy well meaning pols come up with it; because at some point basic economic reality slaps you in the face. Yes there is still plenty of USA to cover, we got just about everyone power and phone 60+ years ago, fast Internet will get there too but it will take time.

      I don't think we should let trying to keep bandwidth requirements held to a minimum stand in the way of solving real problems and doing new things, but I also don't think its a good or fair idea to just completely say "fuck it" with regard to something like protocol overhead.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    3. Re:HTTP/1.1 is just fine by 0123456 · · Score: 2

      There's a much, much easier way to reduce mobile bandwidth usage.

      Block ads.
      Block tracking Javascript.
      Block all the crap, other than the actual content you're actually trying to download.

    4. Re:HTTP/1.1 is just fine by Bengie · · Score: 2

      Many web servers disable compression because it leaks data and has been a security threat for a while now. It has been mentioned before that IPSec implements compression, VPN implements compression, HTTP, and the files transferred over HTTP, like images. How many times does data need to be compressed? Once. We have too many layers recompression the same freaking data. Find a layer, do it all there.

    5. Re:HTTP/1.1 is just fine by DarkOx · · Score: 2

      modern web sites goes to content

      Sites maybe. Applications on the other hand stand to gain considerably. Watch some "modern" application sit there and make 100's of ajax requests for 14 lines of JSON and get back to me. For something web based trying to show any real-time information those headers can be 30% of the traffic.

      As far as tooling I am not that worried, there will be plenty of accepted widely used tools available to dump web headers if the protocol went binary. I have never had anyone question if tcpdump is decoding ether frames properly. Once a few good libraries for C/Java/Ruby/Perl/Python are written stuff will just use them and all our tools will just get a point release.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
  10. HTTP/1.1 good enough? by codealot · · Score: 4, Interesting

    Two remarkable things about HTTP/1.1.

    One, it remained a relatively simple protocol. Yes there are a lot of nuances around content negotiation, transfer encodings and such but at its core it is a simple, flexible and effective protocol to use, and can be implemented quite efficiently via persistent connections and pipelining. It was designed for response caching as well, and the CDN infrastructure is in place to make use of caching whenever possible.

    Two, despite the simplicity of HTTP/1.1, a shocking number of implementations get it wrong or don't use it efficiently. Pipelining is disabled in many implementations due to compatibility concerns, and few applications can use it effectively. Many applications make excessive and unnecessary use of POST requests which are inherently not cacheable and result in many synchronous requests performed over high-latency connections. (SOAP was notorious for that.)

    I'm skeptical that any protocol revision can improve on HTTP/1.1 sufficiently without making it harder to implement correctly than it already is.

    If there were a broad initiative to begin to use the features of HTTP/1.1 properly, as they were designed, most of the shortcomings would vanish without the need for a new protocol.

    1. Re:HTTP/1.1 good enough? by Anonymous Coward · · Score: 2, Insightful

      As an implementer of HTTP/1.1 and participants of the HTTP WG, I can say that HTTP/1.1 has many defects, the worst one is that people *think* they get it right without reading the docs. When you read the docs, you realize how many corner cases you can accidently get into. Most of them are caused by the inheritance of HTTP/1.0 where content-length was not needed. Other important issues concern the need to differenciate idempotent vs non-idempotent requests when you want to reuse an existing connection. It goes as far as requiring the client to retry if the server closed too fast, but not always, only if it's safe, and basically only the user really decides if it's safe... Ambiguous parsing is also a major concern. Many implementations think that the "Connection" tokens are case sensitive while they're not since they're supposed to be header names except for "close" which is not. Some don't understand "Connection: Close" because of this. Header folding with commas is an issue since you don't know what header contains multiple values and what header contains a single value which contains commas (eg: date). Just pass two content-length values and pray for the right one to be correctly parsed, otherwise the rest of the body will be understood as a next request. Date headers are hard to parse. Host header is a hell. Just pass two of them to have fun with some sites, or pass "Connection: host" and see some of them dump the root of the virtual hosting directory. Headers length is unlimited and can be folded on multiple lines if the next line starts with a space or a tab (which does not count in the value). So no, HTTP/1 is not good. And that's why it succeeded. In history most success results from not good designs, but the ones that are easy to get approximately right in a short time, ie: write a vulnerable server in CGI scripting. This is the part where HTTP/2 improves things. But some other parts are worse.

      Willy

  11. What he's not telling you... by Anonymous Coward · · Score: 2, Interesting

    What PHK is not telling you is that he fought, successfully, against mandatory encryption in HTTP/2.

  12. Re:Accept IPv6 and build for it. by unixisc · · Score: 3, Interesting

    I'd argue that IPv6 is a variable availability problem, unlike Y2K. Y2K had a single cutoff date for everybody - 1/1/2000, as opposed to the various dates that the RIRs are running out of. Which is why Asia and Europe were already there, and ARIN just got there last year.

    It is a good idea to start designing in IPv6 networks and introducing them in organizations now before running out of IPv4 addresses. That way, services can make use of IPv6 addresses, while the IPv4 addresses can be just transition addresses b/w IPv6 and IPv4 points.

    Even NAT, or more precisely, NAPT, is now available for IPv6 if people must have it: it eliminates many:1 mapping which was the main issue w/ IPv4, but has all the other advantages that NAT does.