Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Chrome Will Adopt HTTP/2 In the Coming Weeks, Drop SPDY Support

Posted by Soulskill on from the onward-and-upward dept.

An anonymous reader writes: Google today announced it will add HTTP/2, the second major version of Hypertext Transfer Protocol (HTTP), to Google Chrome. The company plans to gradually roll out support to the latest version of its browser, Chrome 40, "in the upcoming weeks." At the same time, Google says it will remove support for SPDY in early 2016. SPDY, which is not an acronym but just a short version for the word "speedy," is a protocol developed primarily at Google to improve browsing by forcing SSL encryption for all sites and speeding up page loads. Chrome will also lose support for the TLS extension NPN in favor of ALPN.

88 comments

  1. Might as well redesign HTML as well by mozumder · · Score: 0

    perhaps a binary data format, representing data in a database. This should be the next step.

    And then we replace Javascript with Swift.

    1. Re:Might as well redesign HTML as well by Anonymous Coward · · Score: 0

      If you think HTML can become binary data always fetched a database, you've never done any Web coding in your life. As for Swift, keep that on your iToys.

    2. Re:Might as well redesign HTML as well by BarbaraHudson · · Score: 4, Funny

      Don't give Lennart Poettering any more bad ideas. PLEASE !

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
    3. Re:Might as well redesign HTML as well by Anonymous Coward · · Score: 2, Interesting

      HTML is horribly trivial to do via a database and templating.

      If it wasn't for how broken JS was in what it could - and can still - do, JS would be almost 100% used to make websites instead of actually manually writing crappy markup.
      HTML should have died years ago. Just like any XML storage system. It is a god-awful eyesore.
      Templating is a far saner method of creating websites. (which is why it has become a major standardized feature in HTML5)
      JS-generated is even better in that regard. (unless you are a library-using moron. Nice overhead you have there.)
      Binary, maybe a step too far, but storage-wise and CPU-wise, it would be immensely more efficient.
      But it is a bit too late now when a good portion of people have reasonably fast connections. It still doesn't mean that it isn't a good thing to pursue. Under 2 billion people even HAVE access. Extremely-low bandwidth is a Good Thing. (even more so for SERVERs)
      There has been many attempts of making a compressed, compact or binary version of HTML (I even made a crappy attempt I should upload some day), but none caught on for obvious reasons: it is extremely niche.

      JS itself needs to be split up.
      DOM-related JS should be one major chunk of it for one, which only needs the ability to create, delete, order and anything-else node related.
      This would instantly cut out 100% of abusive JS if you blocked other stuff, but still allow for interactive websites, EXACTLY WHAT WAS WANTED.
      The whole data verification thing is one of the most abused things in JS because so many crappy developers never checked their data server-side, leading to the billions of hacks that have happened over the years.
      But security has dropped in to a not-even-tertiary consideration when it comes to webdev these days. Shame since at the beginning of HTML5s development, security was a primary facet of it, rewriting practically every spec with security in mind.
      The biggest section that needs tidying up STILL is resource requesting. Biggest, most insecure area in webdev there is. It is a pure disaster.
      Iframes are about the only thing that has gotten any of that HTML5 goodness, but nothing else has been even touched besides the 3 different offline application specs.

      Of course, I am going to get some semantics nerd come in and cry about how you should separate your stuff.
      Or worse, some XHTML fanboy. Literally the worst thing to happen in Webdev. Thank FUCK XHTML2 died.

    4. Re:Might as well redesign HTML as well by epyT-R · · Score: 1

      Why not just distribute native binaries from an ftp site and be done with it? Then we don't need the browser, slow interpreted languages like php and javascript, and 40-100MB of ram just to display a page of text and some gfx. The binary connects to your database over TCP.

    5. Re:Might as well redesign HTML as well by JWSmythe · · Score: 3, Interesting

      Well, it could be. That's not necessarily a good idea.

      I did work under someone once who thought the future of web hosting would be to store all data in compressed blobs in databases. He had read somewhere that databases were faster than filesystems, and some other nonsense that made it sound like a good idea. Luckily, he never tried to implement it.

      --
      Serious? Seriousness is well above my pay grade.
    6. Re:Might as well redesign HTML as well by Anonymous Coward · · Score: 0

      I guess you don't know that HTML and CSS are plain text files that can be edited by anyone on any platform without any vendor lock-in.

    7. Re:Might as well redesign HTML as well by Carcass666 · · Score: 1

      perhaps a binary data format, representing data in a database. This should be the next step.

      And then we replace Javascript with Swift.

      I'm hoping you forgot the /s

    8. Re:Might as well redesign HTML as well by Anonymous Coward · · Score: 0

      I guess you don't know that "Plain Text" is just a subset of binary - one that happens to have a generic class of applications that know how to interpret it (Text editors).
      Other binary files can also be edited by anyone on any platform given a hex editor. Or you can use a more specific editor that understands the file format and provides additional convenience.
      If a non text replacement for HTML were to exist, then assuming it followed the current spirit of the web, it would be an open format for which anyone could create an editor.

      Not that I can see a non text replacement for HTML existing - I can't see any real benefit - particularly now that bandwidth is less of a problem and its more common for the DOM to be significantly modified or generated in code client side anyway.

    9. Re:Might as well redesign HTML as well by TheNinjaroach · · Score: 1

      This is the dumbest shit I've ever read on Slashdot. Congratulations!

      --
      I went to eat some animal crackers and the box said, "Do not eat if seal is broken." I opened the box and sure enough..
    10. Re:Might as well redesign HTML as well by Kjella · · Score: 1

      I guess you don't know that "Plain Text" is just a subset of binary - one that happens to have a generic class of applications that know how to interpret it (Text editors).

      Which is why FTP clients have a "Text" and "Binary" transfer method, sorry this brain fart dates back to the 70s if not further. Data is either analog or digital, digital data is either text or binary implying you can meaningfully edit it in a text editor. The results are not always sane as a Word/OpenOffice file is "binary", an XML file is "text" but that's the de facto jargon in computers.

      --
      Live today, because you never know what tomorrow brings
    11. Re:Might as well redesign HTML as well by Anonymous Coward · · Score: 0

      FTP clients have a "Text" and "Binary" type so that they can properly translate EOL and EOFs properly. Because of the difference between DOS/WIN and UNIX EOLs that exist in text files, they needed to be translated to be useful to the other OS. Binary skipped this conversion because it would have messed up anything with (13) and (10) in it.

    12. Re:Might as well redesign HTML as well by sjames · · Score: 2

      I think you need to think it through again. First you begrudge the few extra bytes for the markup (images and such are the bulk of http traffic, not the markup) but then you deride client side sanity checking which can save multiple transactions? Yeah, the server side should check sanity for security and the client should do it for speed and efficiency (and reducing wasted server load). Eliminate the client side sanity checking and you'll get no checking at all most of the time.

      HTML is here and it works. The JS will need some way to tell the browser what to render and HTML is as good a way as any.

    13. Re:Might as well redesign HTML as well by Anonymous Coward · · Score: 0

      Precompiled javascript hosted on a CDN is the fastest your going to see

    14. Re:Might as well redesign HTML as well by dave420 · · Score: 1

      You really have no idea why that's a terrible idea to even suggest, do you? Of course you don't.

    15. Re:Might as well redesign HTML as well by Anonymous Coward · · Score: 2, Informative

      In this case, "text" is short for "automatic conversion to/from ascii with CRLF line endings". That is, the sending side will convert from the local format to ascii with CRLF, and the receiving side will convert from ascii with CRLF to the local format.

      The local format may be ascii with LF, or even EBCDIC.

    16. Re:Might as well redesign HTML as well by Anonymous Coward · · Score: 0

      Well, look on the bright side: incompetence is rarely that obvious. Hearing that is enough for you to know who you're working under and start planning your move.

      Like when a "friend" refuses to pay you the 100$ he owe you. You can be pissed at the loss of 100$, or you can consider it a cheap price to find out the true nature of of the other guy.

    17. Re:Might as well redesign HTML as well by Shirley+Marquez · · Score: 1

      Google isn't likely to support replacing Javascript with Swift. Go, perhaps.

  2. Google's biggest problem is IH by Anonymous Coward · · Score: 4, Interesting

    Google has a big case of "Invented Here" syndrome.
    If Google started something, you can count on them dropping it.

    1. Re:Google's biggest problem is IH by Anonymous Coward · · Score: 1

      HTTPv2 = spdy

    2. Re:Google's biggest problem is IH by _merlin · · Score: 1

      Not really, it has a number of modifications, including dropping mandatory encryption.

    3. Re:Google's biggest problem is IH by epyT-R · · Score: 2

      I don't see that as an improvement.

    4. Re:Google's biggest problem is IH by _merlin · · Score: 1

      It is if you have constraints on server resources. Encryption costs CPU time, and it requires even more if you use forward security as people tend to since the Snowden revelations. If you're serving lots of public assets (think 4chan image CDN), requiring encryption would greatly increase the CPU resources you need.

    5. Re:Google's biggest problem is IH by epyT-R · · Score: 3, Insightful

      Yeah, I understand that. It's just unfortunate. I'd like to see more standards enforce proper crypto.

    6. Re:Google's biggest problem is IH by Anonymous Coward · · Score: 0

      It is if you have constraints on server resources. Encryption costs CPU time, and it requires even more if you use forward security as people tend to since the Snowden revelations. If you're serving lots of public assets (think 4chan image CDN), requiring encryption would greatly increase the CPU resources you need.

      Security is expensive, people need to just stop whining and learn to deal.

    7. Re:Google's biggest problem is IH by Trongy · · Score: 1

      I agree. Currently Chrome, IE and Firefox only support http/2 over TLS.
      Just because the standard doesn't enforce encryption, doesn't mean that servers and clients can't mandate encryption.

      http://en.wikipedia.org/wiki/H...

    8. Re: Google's biggest problem is IH by _merlin · · Score: 1

      But who's prepared to pay more (even just in terms of ad impressions) just so they can see their cat pictures? No-one's arguing that security isn't essential for your bank or whatever, but all this "free" shit actually costs money to deliver, and encryption would make it cost more.

    9. Re:Google's biggest problem is IH by sjames · · Score: 2

      At the same time, it makes no sense to hire armed guards to watch over a stack of flyers meant to be free to the public.

    10. Re:Google's biggest problem is IH by Anonymous Coward · · Score: 0

      It's an improvement over SPDY, but not over HTTP which already does not require encryption.

    11. Re:Google's biggest problem is IH by AmiMoJo · · Score: 3, Interesting

      They are only dropping it because HTTP/2 is largely based on SPDY but with some improvements. SPDY was always a research project designed to produce something better than HTTP/1.1, and it has. Job done, the replacement is here and an official standard, so why maintain the old SPDY code?

      More over, Google seems to be aggressively removing old stuff from Chrome to keep it from bloating too much. Netscape plugins have already gone. Blink dropped all the compatibility stuff in Webkit for old systems and browsers. My bet is that Flash will be removed in a year or two as well.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    12. Re:Google's biggest problem is IH by Anonymous Coward · · Score: 0

      Until unscrupulous people start dusting them with anthrax, or radioactive marking dust.

      Asshole carriers are already injecting their own http headers in into the content stream. There's also the meta-data harvesters who are poking in on what people are doing and tracking them.

    13. Re: Google's biggest problem is IH by Anonymous Coward · · Score: 0

      Encryption everywhere became necessary because of incessant spying and carriers injecting their own headers into the unencrypted content stream.

      The idea is that you make it where the assholes have to decrypt everything, including the cat pictures, in order to do anything.

    14. Re:Google's biggest problem is IH by Bengie · · Score: 1

      Cloudflare offers free HTTPS CDN services. I think you over estimate the "cost" of HTTPS.

    15. Re: Google's biggest problem is IH by Anonymous Coward · · Score: 0

      Google removed NPAPI plugin support primarily for their own interest. Don't kid yourself about altruism or improving the web.

  3. 1/2 requests,2x throughput, stop POST-Redirect-GET by Qzukk · · Score: 2, Insightful

    Will HTTP/2 have a response code that will cause the browser to display the page that is returned from the server AND change the "current url" (for bookmarking, refreshing etc) to an alternate Location? POST to /createnewuser, display the response immediately with the URL of /user/3813812. Refreshing loads /user/3813812, not re-POSTing to /createnewuser.

    Right now, the current paradigm of having to either redirect every single POST request to a new URL or risking users too stupid to know that they really need to not press reload on the page after saving something is a drain on server resources one way and support resources the other.

    --
    If I have been able to see further than others, it is because I bought a pair of binoculars.
  4. Re:1/2 requests,2x throughput, stop POST-Redirect- by Chalnoth · · Score: 4, Interesting

    It's pretty easy to get around this issue with JavaScript, e.g. by using Angular. I think this is less a problem with the HTTP protocol and more a problem with website design.

  5. Re:Google's biggest problem is Brian Williams by Anonymous Coward · · Score: 0

    How long will the Brian Williams jokes last?
    Ask Brian Williams.
      Will Brian get his own internet meme? Not if Brian Williams gets it first.

  6. Re:1/2 requests,2x throughput, stop POST-Redirect- by viperidaenz · · Score: 1

    You could just only return the data required from the POST request and use client side code to render it, instead of reloading the entire page. Saving bandwidth, server-side processing and rendering time.

  7. Re:1/2 requests,2x throughput, stop POST-Redirect- by msobkow · · Score: 1

    Nothing is ever so simple. There are situations where you *want* POST to reprocess and refresh, such as when presenting statistics for a server. As a result the prototocol doesn't restrict you to one POST per page, and leaves it up to the server programmer to implement request id's to prevent duplicate execution when it needs to be prevented, rather than limiting the protocol to only allowing that behaviour.

    --
    I do not fail; I succeed at finding out what does not work.
  8. Re:1/2 requests,2x throughput, stop POST-Redirect- by Sowelu · · Score: 3, Informative

    What? POST is the non-idempotent one. See the table in http://tools.ietf.org/html/rfc..., section 8.1.3

  9. Backdoor collusion by Anonymous Coward · · Score: 0

    Color me paranoid but this sounds like Google is going out of there weigh too weeken encryption in transport. For "national security" in homeland, amirite? God save the homeland!

    1. Re:Backdoor collusion by Art3x · · Score: 1

      Color me paranoid but this sounds like Google is going out of there weigh too weeken encryption in transport.

      Color me hopeful, but this looks like you went out of your way to misspell four words in a row.

    2. Re:Backdoor collusion by swillden · · Score: 5, Informative

      Color me paranoid but this sounds like Google is going out of there weigh too weeken encryption in transport. For "national security" in homeland, amirite? God save the homeland!

      Huh?

      Google has pushed continually to increase the usage and the security of transport encryption. Google's SPDY, the basis for HTTP/2, was designed without any unencrypted mode; it's all TLS all the time. The IETF insisted on making unencrypted transport optional in HTTP/2, but you can be sure that Google won't take that option. Google's next-next generation replacement for HTTP, called QUIC, is a more radical redesign build on UDP rather than TCP, and also has no unencrypted mode. Encryption is baked so deeply into QUIC that it basically can't be removed. Google has also been instrumental in pushing the industry off of various weak versions of SSL/TLS, most recently leading the charge in removing SSL3 support. It was Google's researchers that brought Heartbleed, BEAST, CRIME and POODLE to light. Google Chrome was the first widely-used browser to implement certificate pinning, which was instrumental in the quick discovery of the DigiNotar CA compromise. Google engineers are working to develop a more final solution to the CA trust problem with the Certificate Transparency project. I could go on and on with all the great encryption-related work Google is doing (including my own small contributions to strong crypto on Android).

      I think there's an extremely compelling argument to be made that Google is doing and has done more for internet transport encryption security than any other entity for quite some time.

      (Disclaimer: I'm a Google security engineer, not a Google spokesperson. The above is not an official statement but only my -- very strongly held -- personal opinion.)

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    3. Re:Backdoor collusion by gbjbaanb · · Score: 1

      Mostly pointless though, full encryption for data comms is often worthless - who cares about encrypted comms if all you're doing is looking at pictures of cats. When you're posting subversion messages criticising your local dictator, you need something better than plain old encryption anyway.

      Now working with certificate authorities to manage revoked certificates is a good thing, but many of the problems with CAs are a more human problem - until we get to a point where encryption is seen as different to authentication (and even then, my comms with my bank might be encrypted but I need to know that it is my bank I'm talking to as well) and that the CA correctly handed that certificate to my bank, and not some scammer pretending to be my bank. And allowing my bank to verify that it is me that is sending them requests and not some identity thief.

      The point I'm trying to make is that encryption isn't the problem that need to be solved, it all the infrastructure around it that does. Mandatory encryption isn't any solution to anything useful.

    4. Re:Backdoor collusion by Anonymous Coward · · Score: 0

      If you want anonymity and secure communication then it does help a lot if everybody us using encryption to everything, otherwise your encryption stands up in the mass of clear text communications.

    5. Re:Backdoor collusion by swillden · · Score: 1

      The point I'm trying to make is that encryption isn't the problem that need to be solved, it all the infrastructure around it that does. Mandatory encryption isn't any solution to anything useful.

      Encryption is almost never the solution. As Schneier said "If you think cryptography is the solution to your problem, you don't understand cryptography, and you don't understand your problem." This is because cryptography merely moves problems. In the case of encryption it turns large secrets in to small ones. That actually is very useful, because the small secrets have different properties which in many case make them easier to manage.

      With respect to network communications, I agree that encryption doesn't solve any of the problems, but it moves and shrinks a lot of problems and makes many of them dramatically more manageable. Its purpose is to reduce the scope of access to your data, limiting the number and location of people who might be able to see it. This makes solving the problems dramatically easier. In some cases it doesn't make them soluble (e.g. it won't protect you from a nation state who is targeting you), but in other cases it does (e.g. it will protect you from non-targeted trawling by a nation state who can only force disclosure of data with good justification).

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  10. Re:1/2 requests,2x throughput, stop POST-Redirect- by Qzukk · · Score: 4, Interesting

    I think this is less a problem with the HTTP protocol

    Using onload="history.pushState(null, null, '/user/31813812');" certainly works, but now pushing the "back" button is the landmine instead of pushing refresh (not to mention users that turn off javascript). Being able to use javascript to pretend you're doing what the HTTP procotol should have done does not make it not a problem with the protocol.

    That said, the HTTP/1.1 protocol itself is fine. A user agent ought handle a 201 Created response exactly like this as a side effect (OK, so the response body is technically not a listing of places you can get the created object from, but it's supposed to be displayed to the user either way), but there are zero browsers implementing the Location part of it. Adding a response code explicitly for the purpose of "here is a response to display to the user right now, if the user wants to reload it, request this URL instead" would hopefully get browser developers to say "oh, I see why we're doing this" and do it. Doubly so when they're writing a new implementation for a new protocol. At this point, I'd argue that the best thing to do would be to add something like "311 Content With Future Redirect" so that browsers that don't implement it continue with 3xx POST-Redirect-GET semantics (losing nothing) and browsers that do understand it will work.

    --
    If I have been able to see further than others, it is because I bought a pair of binoculars.
  11. Luke! by Etherwalk · · Score: 5, Funny

    Color me paranoid but this sounds like Google is going out of there weigh too weeken encryption in transport. For "national security" in homeland, amirite? God save the homeland!

    I feel a great disturbance in the internet, as if millions of spellcheckers cried out in terror and were suddenly silenced.

    1. Re:Luke! by freeze128 · · Score: 1

      computer voice recognition just isn't good enough.

  12. Re:1/2 requests,2x throughput, stop POST-Redirect- by cheater512 · · Score: 1

    Erm, but in that instance POSTing then doing a GET makes sense.

    The POST creates the new user.
    The GET retrieves the information for user 3813812.

    How are those two things the same? That is exactly how it is supposed to be done.
    If your server can't handle that 'additonal' load very well, then I've got a 486 upgrade I'll donate for free.

  13. Re:That will cause the browser by Bite+The+Pillow · · Score: 1

    That will cause the browser

    First, browser developers are in charge of browser behavior, not a protocol. RFC may say "should", or "must", but browser implementers don't have to do that.

    There is a need for this, but your question is whether the standard requests, or requires, the feature. Your other, unasked question, is whether any development team has committed to respect the "required" or "must" statement from the RFC.

  14. Re:1/2 requests,2x throughput, stop POST-Redirect- by Anonymous Coward · · Score: 0

    It's got nothing to do with server load. Useless roundtrips are bad, end of story.
    There's a _minimum_ of 300ms of latency for _any_ request to the USA from Australia - and there's nothing you can do about that. So every useless redirect and meaningless request slows down the user experience.

    It would make perfect sense for there to be a HTTP Method that was not intended to be idempotent (like POST), but that didn't result in a resubmission on reload (and also didn't results in a stupid browser warning about resubmission). A "OK, that succeeded and now I am showing you the resource at this URI" response would solve the problem perfectly.
    A reload would not resubmit, it'd just re-do the implied GET of the resultant resource, and back would take you back to the form prior to submission, _and_ there'd be no useless redirect in between. Win-win.

  15. Re:1/2 requests,2x throughput, stop POST-Redirect- by Qzukk · · Score: 2

    With modern frameworks and Java level classiness (here, have a mappingfactory class that instantiates the mapping class that maps the data from the form into the object returned from the factory class that produced the object being created) what happens is more like

    The POST creates a hospital, staffs it with receptionists, doctors, nurses, and so on. A pregnant woman (the request) goes in, the receptionist routes her to the OB ward where nurses help her into the stirrups and the doctor catches the baby. The doctor takes all the baby's stats, writes it on the birth certificate, drops the certificate into a pneumatic chute that whisks it away to safety (in the database) as the hospital and all its occupants are immediately vaporized by an explosion (if you're still using CGI, replace this with the entire sun going supernova. Add recreating the solar system to the beginning of the next request).

    The GET creates a hospital, staffs it with receptionists, doctors, cloning technicians, and so on. A woman (the request) goes in, the receptionist routes her to the cloning ward where the woman hands over the birth certificate that had been mailed to her, the doctor looks over the certificate and checks to make sure she's really supposed to have it (or not, given the state of security these days) then pulls out a cloning tank and reconstitutes a baby that is identical in every way (ideally) to the original and hands it to the woman. As the woman leaves the hospital baby in tow, it explodes behind her, action movie style.

    Or, y'know, you could just pass the new baby straight to a View and do all this with half the hospitals, doctors, receptionists and none of the cloning vats.

    then I've got a 486 upgrade I'll donate for free.

    Thanks! Once it can do the same task with half the number of requests, it'll work twice as well!

    --
    If I have been able to see further than others, it is because I bought a pair of binoculars.
  16. It looks like a good idea. by 140Mandak262Jamuna · · Score: 1
    Looks like all this protocol does is to allow the server to send more data than requested by the browser. Since the server "knows" more about the page to be rendered than the browser, it can pack more info and minimize wait times. The browser rendering can still do its slowpoke rendering, but when it wants the next bit of data or a frame, it is already in.

    Apparently this was already being done in a non-standard compliant manner but supported by all the browsers. The non-standard version, created and promoted by SPDY is going to be withdrawn and the standard-compliant version will be the only thing that will be supported in Chrome going forward. I would imagine it to be something like MsOffice has deciding to switch to ODF as the only supported format.

    Definitely not evil and consistent with not trying to be evil.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:It looks like a good idea. by byuu · · Score: 1

      I would imagine it to be something like MsOffice has deciding to switch to ODF as the only supported format.

      This is more like if Microsoft went to the ISO and handed them a minimally tweaked version of OOXML, called it ODF/2, and the ISO, fearing irrelevance, rubber-stamped it as quickly as possible.

  17. Re:1/2 requests,2x throughput, stop POST-Redirect- by cheater512 · · Score: 0

    Yep that sounds correct. That is the entire point of GET and POST being different.
    GET retrieves data, never alters it. POST alters data, never retrieves it.

    This is kinda HTTP 101. You might disagree, but then you'd be doing it wrong.
    You are using a perfectly good axe as a door stop then whining that your teaspoon isn't cutting down trees properly.

  18. No plans by damicatz · · Score: 0

    I have no plans to adopt HTTP/2. The mandatory fauxcryption (as implemented in the browsers) is a dealbreaker. Certificates are nothing but a scam and they certainly aren't trustworthy since the CAs are subject to the whims of cybercriminals and governments. All this does is increase the barrier to entry for having your own webpage.

    1. Re:No plans by byuu · · Score: 2

      In addition to greatly increasing costs (there are no free wildcard certs, and encryption does increase CPU workload, which decreases scalability), it also increases the barrier for writing your own tools to interoperate with the web (HTTP servers, clients, proxies, aggregators, etc.) If you've ever looked at the SSL libraries out there, all but the OpenBSD-only LibreSSL are a complete clusterfuck. This is the GnuTLS API, for instance. I won't even get into the security ramifications like Heartbleed. Whereas HTTP/1.1 can be spoken to by a human being using a telnet terminal, and even Commodore 64's have been made to serve up web pages.

      Sadly, modern developers have completely lost touch with the value of making things small and simple.

  19. Re:1/2 requests,2x throughput, stop POST-Redirect- by Qzukk · · Score: 1

    POST alters data, never retrieves it.

    Except for all of the cases where POST returns data, sure. There is absolutely no reason to destroy the result of creating a resource instead of returning the newly created resource with a flag "don't do that again".

    You are using a perfectly good axe as a door stop then whining that your teaspoon isn't cutting down trees properly.

    Meanwhile you're dulling the perfectly good axe to be sure that nobody cuts down your sacred tree.

    --
    If I have been able to see further than others, it is because I bought a pair of binoculars.
  20. Re:1/2 requests,2x throughput, stop POST-Redirect- by cheater512 · · Score: 1

    If the 'axe' is perfectly good, then why are you requesting fundamental changes to HTTP web apps and every web browser just to save your 8080 web server one additional hit?

  21. Re:1/2 requests,2x throughput, stop POST-Redirect- by WaffleMonster · · Score: 1

    Erm, but in that instance POSTing then doing a GET makes sense.

    The POST creates the new user.
    The GET retrieves the information for user 3813812.

    Too many people seem to think it's cool to add round trips for some incoherent appeal to logical consistency.

    How are those two things the same? That is exactly how it is supposed to be done.

    Who cares? HTTP verbs are insufficient to express jack or jill and HTTP completely lacks any useful transaction semantics. REST in the abstract is a great idea... only problem is HTTP is shit and when you don't treat shit like shit you end up with shit. HTTP is simply the wrong layer to be toying with any kind of abstraction if you care about useful results.

    If your server can't handle that 'additonal' load very well, then I've got a 486 upgrade I'll donate for free.

    The actual problem is users suffering through yet another round of unnecessary round trips cuz 'GET' *feels* cleaner.

  22. Re:1/2 requests,2x throughput, stop POST-Redirect- by Shados · · Score: 1

    The paradigm and semantic is perfectly clean/correct. The roundtrip is just an implementation detail.

    The protocol could simply return the result of the post with a redirect, as well as the result of the get, in 1 response. Then under the hood even though you do a GET, the get "chunk" of the post result would get rendered. No additional roundtrip.

    This is already used in some context. Imagine I want to show you a server rendered image based on some query string generated in javascript or something (ie: nothing is known about the image to the initial page except how to request it). I also want to return the description of that image along with some metadata.

    I set the image url in an img tag. The image is shown to you. The description of the image is returned in metadata/headers/whatever. It is being requested by an img tag, so I don't get access to its data. I can then to an ajax request for that image, which will get served from cache (no additional roundtrip) and get the data that goes with it.

    (yeah, I could request the image and then set the data to the img tag. This was just a roundabout example).

    That technique works today, and for some edge cases, it is actually being used in the real world. Making a post -> redirect -> Get without roundtrip wouldn't be very different from existing paradigms.

  23. IE will kill it by Billly+Gates · · Score: 1

    Since IE 11 is end of life and so is the 2nd most popular browser IE 8 it will prevent adoption.

    The saga of short sighted ceos not wanting to loose customers who run old operating systems kills innovation again as win 7 will continue to exist for a long time and with it IE 11 and 8 for corps with old apps

    --
    http://saveie6.com/
    1. Re:IE will kill it by gl4ss · · Score: 1

      doesn't matter.

      as long as android and ios support it, the sites will implement it. it's not like it needs that much effort to anyways.

      --
      world was created 5 seconds before this post as it is.
    2. Re:IE will kill it by Anonymous Coward · · Score: 0

      http://blogs.msdn.com/b/ie/archive/2014/10/08/http-2-the-long-awaited-sequel.aspx

  24. Re:1/2 requests,2x throughput, stop POST-Redirect- by WaffleMonster · · Score: 1

    Yep that sounds correct. That is the entire point of GET and POST being different.
    GET retrieves data, never alters it. POST alters data, never retrieves it.

    Both assertions are false.

    This is kinda HTTP 101. You might disagree, but then you'd be doing it wrong.

    LOL if you disagree with me your doing it wrong. No arguing that.

    You are using a perfectly good axe as a door stop then whining that your teaspoon isn't cutting down trees properly.

    HTTP is a dull rusty blade attached to a termite infested rotted, split, splintered handle yet it is the only axe left in the world and the only way to cut down trees.

    It is unwise to attempt to use it properly as "intended" you will just break it and or injure yourself.

    Instructions included with moldy packaging the axe originally came in is only a useful as a reminder of old times before our Alien overlords swooped down from the sky and stole all of the worlds axes except one their computer failed to recognize as an axe.

  25. Re:1/2 requests,2x throughput, stop POST-Redirect- by WaffleMonster · · Score: 1

    The paradigm and semantic is perfectly clean/correct. The roundtrip is just an implementation detail.

    Like the rest of HTTP it is perfectly useless. No coherency nor atomicity nor any way to implement verbs beyond trivial "CRUD".

    The protocol could simply return the result of the post with a redirect, as well as the result of the get, in 1 response.

    Why is returning a pointer to data allowed while returning actual data itself not? This just sounds like bullshit.

    Then under the hood even though you do a GET, the get "chunk" of the post result would get rendered. No additional roundtrip.

    Or you can just return data and stop being silly.

    (yeah, I could request the image and then set the data to the img tag. This was just a roundabout example).

    It always is... I'll leave failure to communicate a coherent use case to speak for itself.

    That technique works today, and for some edge cases, it is actually being used in the real world. Making a post -> redirect -> Get without roundtrip wouldn't be very different from existing paradigms.

    But what is the point?

  26. Re:1/2 requests,2x throughput, stop POST-Redirect- by Shados · · Score: 2

    Post is the only non-indempotent of the major http verbs. Its one of the core difference between Post and Put and why when you create a new resource without a natural id, you use post, not put...

  27. Re:1/2 requests,2x throughput, stop POST-Redirect- by WaffleMonster · · Score: 2

    Post is the only non-indempotent of the major http verbs. Its one of the core difference between Post and Put and why when you create a new resource without a natural id, you use post, not put...

    What happens if you POST to a server and the response is lost? How does client know it was processed or not? The answer is you always need some kind of id/token/big word because non-idempotwhatever is not actually possible.

    The only thing POST is... is worthless... defective by design without specific and unnecessary application logic to deal with consequences of HTTP's total lack of a commitment procedure.

  28. Re:1/2 requests,2x throughput, stop POST-Redirect- by gbjbaanb · · Score: 1

    I think you're confusing the protocol verbs with a heap of javabollocks on the back end.

    In most systems GET occurs much more often than POST, and if you're returning to a system after logging off, you'll be doing a lot of GETs just to restore your environment (or page view).

    I think a POST+GET optimisation would be nice, but it would be an optimisation, a little like how some DBs have a 'insert, or update if already exists' statement. But you can already return data from a POST, it does break the concept but it works. Just slap the new data in the body and let the client read it if it wants, so maybe the protocol doesn't need any modification at all (your crappy framework code might though, but that's too bad for using those "easy-to-use" frameworks)

  29. Re:1/2 requests,2x throughput, stop POST-Redirect- by Anonymous Coward · · Score: 0

    Like the rest of HTTP it is perfectly useless.

    Then you'd better stop making posts to an HTTP-based discussion board.

  30. Re:1/2 requests,2x throughput, stop POST-Redirect- by Qzukk · · Score: 1

    Clearly we're not making posts to an HTTP-based discussion board because when we submit a POST request we get response data back that is then displayed on screen. Violating such fundamental principles of HTTP surely disqualifies it from being considered as such.

    --
    If I have been able to see further than others, it is because I bought a pair of binoculars.
  31. Thanks 4 "tippin yer hand/showing me yer 'tell'" by Anonymous Coward · · Score: 0

    "(Disclaimer: I'm a Google security engineer" - by swillden (191260) on Tuesday February 10, 2015 @12:01AM (#49023323) Homepage

    See subject: That quote from YOU explains THIS from you to me -> http://yro.slashdot.org/commen... which is SO ironically LUDICROUS it's not funny - YOU FUCKING WORK FOR THE BIGGEST ADVERTISER THERE IS (see subject stupid) & that weak CRAP's the "best you got" & it ain't much fool!

    For such a "security engineer" (fucking ROOKIE little BOY), how come that was the "best you have" WITH A DOWNMOD OF MY POST too, vs. my points on Hosts Files BLATANT overall superiority http://yro.slashdot.org/commen...

    vs.

    AdBlock of ANY kind, what "YOU & YOURS" @ Google "espouse" + HELP TO CRIPPLE BY DEFAULT, SINCE YOU LOVE THAT IT'S CRIPPLED & YOU PAID BOTH AdBlock Plus & AdBlock OFF to NOT BLOCK ADS (a major source of malcode infestation/infection AND bandwidth stealing from end users)?

    APK

    P.S.=> ANSWER = You're petty, & WEAK (especially vs. myself) like all marketing/advertising douchebags always are, helpless to prove my points on hosts giving users more security, speed, reliability + anonymity even (to a lesser extent on the latter) than *ANY* single "so-called 'solution'" out there, since hosts do FAR MORE, with far less & now you've shown me YOUR FAVORITE COLOR = TRANSPARENT cuz as the saying goes? "I SEE YOU" for what you really are now, BOY!

    Thank you: Your "braggadocio" is your undoing & WILL be *VERY USEFUL* to myself in the future vs. your weak bullshit, lol (truth's got a way of coming out, now doesn't it?) ... apk

  32. Re:Thanks 4 "tippin yer hand/showing me yer 'tell' by swillden · · Score: 1

    Dude, my employer is mentioned on my /. profile; I've never made any attempt to hide it. And it really has nothing to do with being annoyed by your crapflooding. EVERYONE is annoyed by your crapflooding.

    It's fine that you like using a hosts file to block ads. Really. And it's even fine posting about it a time or two on relevant slashdot threads. If you kept it to a reasonable volume you'd probably even get modded up. But the crapflooding is obnoxious.

    Finally, my comment about an APK-block extension was a joke... but now you're making me think seriously about writing it.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  33. Prove these wrong Google Security Engineer by Anonymous Coward · · Score: 0

    Don't downmod again: Can adblock do 16 things hosts do for speed, security, & reliability:

    1.) Protect vs. malicious sites/servers (beyond ads: See 2-10 next)
    2.) Protect vs. fastflux botnets + stop communication to C&C servers
    3.) Protect vs. dynamic dns botnets + stop communication to C&C servers
    4.) Protect vs. DGA botnets + stop communication to C&C servers
    5.) Protect vs. downed DNS (adds reliability)
    6.) Protect vs. DNS redirect poisoned dns
    7.) Protect vs. trackers
    8.) Protect vs. spam
    9.) Protect vs. phishing
    10.) Protect vs. bandwidth caps
    11.) Get you past a dnsbl
    12.) Keep you off dns request logs
    13.) Speed up websurfing by adblocks & hardcoded fav. sites
    14.) Work on ANY webbound app (think stand-alone email programs) multiplatform.
    15.) Give you easily texteditor controlled data for the above
    16.) Do all that & block ads (better than addons) more efficiently in cpu cycles + memory usage

    APK

    P.S.=> ANSWER ="NO" to each above on Ghostery/AdBlock doing it as well or at all!

    BOTH do far less than hosts do & less efficiently - hosts by way of comparison, do MORE w/ less + Hosts start w/ the IP stack before REDUNDANT inefficient addons BEGIN to operate (as 1st resolver queried):

    AdBlock's 4++gb & 100% CPU usage flooring inefficiency -> https://blog.mozilla.org/nneth... + ClarityRay defeats it + it 'souled-out' & is crippled by default paid off to not do its job http://techcrunch.com/2013/07/...

    Ghostery's Advertiser owned - "A fox guards the henhouse"-> http://en.wikipedia.org/wiki/G...

    Both add complexity/room for breakdown/exploit + from a slower mode of operations (usermode = more messagepassing overheads vs. hosts in kernelmode).

    For the BEST hosts file?

    APK Hosts File Engine 9.0++ SR-1 32/64-bit -> http://start64.com/index.php?o...

    MalwareBytes' hpHosts Admin (MalwareBytes employee) hosts & recommends it -> http://hosts-file.net/?s=Downl... & MalwareBytes = BEST antivirus http://www.av-test.org/en/news...

    ... apk

  34. 144++ MILLION annoyed by Google by Anonymous Coward · · Score: 0

    See subject: That's the # estimated using adblockers Mr. Advertiser!

    Why'd GOOGLE remove hosts from ANDROID Kit Kat too??

    ANSWER = Google's "tipped their hand" again on that one - you're AFRAID of hosts - you can't STOP them is why (buying 'em out like AdBlock isn't possible either).

    * Don't b.s. Mr. "plant" - I just turned your WEAK reply against you with WIDELY KNOWN FACTS!

    (You're running facts & A FAIR CHALLENGE too, despite your "alleged credentials" http://tech.slashdot.org/comme... )

    APK

    P.S.=> You're crapflooders @ GOOGLE infecting users with malicious code as advertisers & STEALING BANDWIDTH WE ALL PAY FOR MONTHLY!

    Think I haven't work for "big industry names" & that I KNOW they have "special people" put into forums like this to "comment on" topics dealing with their company like the AdBlock payoffs you were TOTALLY off topic spamming in boy (spinmasters & OFF TOPIC CRAP FLOODERS LIKE YOU HERE boy -> http://yro.slashdot.org/commen... ) ? Guess again - now, you're cornered boy... apk

  35. You're outnumbered 117++:1... APK by Anonymous Coward · · Score: 0

    "It's fine that you like using a hosts file to block ads. Really. And it's even fine posting about it a time or two on relevant slashdot threads. If you kept it to a reasonable volume you'd probably even get modded up. But the crapflooding is obnoxious. - by swillden (191260) on Wednesday February 11, 2015 @09:01AM (#49028337) Homepage

    UnknownSoldier, gl4ss, sootman, TestedDoughnut, TempestRose, lennier1, ScottCooperDotNet, Bill Dog, drinkypoo, Culture20, Rick17JJ, Ol Olsoc, icebraining, Trax3001BBS, fahrbot-bot, EdIII, bLanark, RocketRabbit, TheRealGrogan, Martin Blank, CAIMLAS. drakaan, Dynedain,Lime Green Bowler, Bob9113, wolrahnaes, raju1kabir, mrbcs, gweihir, frovingslosh, tepples, kimvette, Geeky, humanrev, maestroX, phrostie, ElectricTurtle, mattbee, VShael, AndGodSed, jafiwam, i.r.id10t, NeverVotedBush, falconwolf, BrokenHalo, orclevegam, cyberjock1980, gad_zuki!, furby076, jandrese, halcyon1234, Anonymous Admin, houghi, drooling-dog, dracocat, betterunixthanunix, someones, sqrt(2), cratermoon, bmo, fast turtle, Kris_J, SydShamino, Technician, pjkeyzer, srmalloy, schwit1, mrbcs, KingAlanI, ksemlerK, Scorch_, Mechanic, NealBScott, Anubis IV, crutchy, damn_registrars, couchslug, green1, wakeboarder, Gothmolly, lesincompetent, ls671, DigiShaman, P. Don, Yaa 101, qwertyatwork, dehole, Em Adespoton, CAOgdin, schwit1, MightyYar, RJFerret, idontgno, technosaurus, wickerprints, noh8rz10, sexconker, sandbagger, NewWorldDan, Karmashock, aNonnyMouseCowered, Dracos, keith_nt4, networkzombie, jafiwam, JohnFen, SigmundFloyd, EETech1, duck_rifted, The MAZZTer, Anonymous Brave Guy, plasm4, holophrastic, Baki, StikyPad, kermidge, & myself...

    * Same ones I crushed wannabe SECURIY GURU (LIKE YOU) raymorris (whom I am almost certain works for an advertiser redirector too) with (as he shot his mouth off about hosts) here http://it.slashdot.org/comment...

    APK

    P.S.=> See subject, & those /. users disagree w/ you - they use hosts (you're outnumbered bigtime) ... apk

  36. On being upmodded? You fail again #1 of 3 by Anonymous Coward · · Score: 0

    "If you kept it to a reasonable volume you'd probably even get modded up. But the crapflooding is obnoxious." - by swillden (191260) on Wednesday February 11, 2015 @09:01AM (#49028337) Homepage

    "Eat your words" (21/60 upmods of my hosts posts):

    http://ask.slashdot.org/commen...

    http://slashdot.org/comments.p...

    http://it.slashdot.org/comment...

    http://it.slashdot.org/comment...

    http://it.slashdot.org/comment...

    http://tech.slashdot.org/comme...

    http://tech.slashdot.org/comme...

    http://tech.slashdot.org/comme...

    http://yro.slashdot.org/commen...

    http://yro.slashdot.org/commen...

    http://yro.slashdot.org/commen...

    http://yro.slashdot.org/commen...

    http://yro.slashdot.org/commen...

    http://yro.slashdot.org/commen...

    http://linux.slashdot.org/comm...

    http://slashdot.org/comments.p...

    http://yro.slashdot.org/commen...

    http://mobile.slashdot.org/com...

    http://it.slashdot.org/comment...

    http://mobile.slashdot.org/com...

    http://it.slashdot.org/comment...

    APK

    P.S.=> What's that you said quoted above? Who's FULL OF CRAP (again)?? apk

  37. On being upmodded? You fail again #2 of 3 by Anonymous Coward · · Score: 0

    "If you kept it to a reasonable volume you'd probably even get modded up. But the crapflooding is obnoxious." - by swillden (191260) on Wednesday February 11, 2015 @09:01AM (#49028337) Homepage

    "Eat your words" (60 upmods of my hosts posts):

    http://yro.slashdot.org/commen...

    http://yro.slashdot.org/commen...

    http://yro.slashdot.org/commen...

    http://yro.slashdot.org/commen...

    http://it.slashdot.org/comment...

    http://yro.slashdot.org/commen...

    http://it.slashdot.org/comment...

    http://tech.slashdot.org/comme...

    http://hardware.slashdot.org/c...

    http://yro.slashdot.org/commen...

    http://tech.slashdot.org/comme...

    http://mobile.slashdot.org/com...

    http://news.slashdot.org/comme...

    http://tech.slashdot.org/comme...

    http://apple.slashdot.org/comm...

    http://it.slashdot.org/comment...

    http://it.slashdot.org/comment...

    http://it.slashdot.org/comment...

    http://yro.slashdot.org/commen...

    http://it.slashdot.org/comment...

    http://tech.slashdot.org/comme...

    APK

    P.S.=> What's that you said quoted above? Who's FULL OF CRAP (again)?? apk

  38. On being upmodded? You fail again #3 of 3 by Anonymous Coward · · Score: 0

    "If you kept it to a reasonable volume you'd probably even get modded up. But the crapflooding is obnoxious." - by swillden (191260) on Wednesday February 11, 2015 @09:01AM (#49028337) Homepage

    "Eat your words" (60 upmods of my hosts posts):

    http://tech.slashdot.org/comme...

    http://tech.slashdot.org/comme...

    http://tech.slashdot.org/comme...

    http://hardware.slashdot.org/c...

    http://tech.slashdot.org/comme...

    http://tech.slashdot.org/comme...

    http://tech.slashdot.org/comme...

    http://tech.slashdot.org/comme...

    http://mobile.slashdot.org/com...

    http://yro.slashdot.org/commen...

    http://games.slashdot.org/comm...

    http://politics.slashdot.org/c...

    http://yro.slashdot.org/commen...

    http://yro.slashdot.org/commen...

    http://tech.slashdot.org/comme...

    http://slashdot.org/comments.p...

    APK

    P.S.=> What's that you said quoted above? Who's FULL OF CRAP (again)?? apk

  39. swillden = "Run, Forrest: RUN!!!"... apk by Anonymous Coward · · Score: 0

    "Cat got your tongue"?

    Yes -> http://tech.slashdot.org/comme...

    Yes -> http://tech.slashdot.org/comme...

    Yes -> http://tech.slashdot.org/comme...

    Yes -> http://tech.slashdot.org/comme...

    Yes -> http://tech.slashdot.org/comme...

    * "Run, Forrest: RUN!!!!"

    (So much for "Google Security Engineer" wannabes...)

    APK

    P.S.=> Most importantly, per my subject, you're RUNNING from this -> http://tech.slashdot.org/comme...

    1. Re:swillden = "Run, Forrest: RUN!!!"... apk by swillden · · Score: 1

      LOL. I have another AC stalker. It's been a while. I kind of missed it. I'll definitely have to ramp up my posting volume to keep you busy.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  40. swillden = "Rinse, Lather, & Repeat"... apk by Anonymous Coward · · Score: 0

    "Run, Forrest: RUN!!!" -> http://tech.slashdot.org/comme...

    * What's the matter? You TROLL me -> http://yro.slashdot.org/commen... & can't take a little of your own medicine in return?

    (ESPECIALLY when it makes you "Run, Forrest: RUN", Mr. wannabe "security guru"?? Yes... THAT's the "best you've got"??? Again, it "ain't much" (Zero))

    APK

    P.S.=> Gotta LOVE these wannabes shooting their mouths off like swillden here & then they can't backup their b.s.! Proves me correct, EVERY single time (on all I've said above & on all the links posted's points)... apk

  41. swillden = "Run, Forrest: RUN!!!" by Anonymous Coward · · Score: 0

    "Cat got your tongue", Forrest? Yes (many times) -> http://tech.slashdot.org/comme...

    * You, & yes, GOOGLE, fail vs. myself... badly - VERY badly!

    (Too bad you troll myself as shown in those links, & then when you're faced with facts you can't get the better of? You run, or downmod posts rampantly, as all TROLLS like yourself always do...)

    APK

    P.S.=> You're only making me stronger... apk