More than three years after it was first proposed, the third major version of the Hypertext Transfer Protocol, HTTP, has been adopted as an Internet Engineering Task Force (IETF) standard.
As is common, adoption of HTTP/3 has run ahead of the formal standards process.
Although it was published as RFC 9114 only this week, HTTP/3 is already in use, having been progressively implemented in major browsers since December 2019 (Apple Safari supports the protocol but it is currently disabled by default).
The major change HTTP/3 brings is its support for Quick UDP Internet Connections (QUIC), which Google first revealed in 2013.
As RFC 9114 explains: “The QUIC transport protocol has several features that are desirable in a transport for HTTP, such as stream multiplexing, per-stream flow control, and low-latency connection establishment.”
By putting web traffic on UDP instead of the Transmission Control Protocol (TCP), QUIC cuts down on the handshaking needed to establish a connection, a feature particularly important on mobile networks.
QUIC also follows the IETF’s long-standing practice that new standards should encrypt user traffic as far as possible, an aim of the body ever since its 2014 declaration that "pervasive monitoring is an attack".
As Cloudflare explains in this post, QUIC’s “encryption by default” represents “a huge upgrade from HTTP/2 — and will help mitigate the risk of attacks”.
“It also encrypts metadata about each connection, including packet numbers and some other parts of the header, to help keep information about user behavior out of attackers’ hands,” Cloudflare’s post continues.
“Encrypting this data helps keep actionable information about user behaviour out of attackers’ hands.”
In this analysis, Cloudflare says that, while HTTP/3 still lags HTTP/2 by a considerable degree, it overtook HTTP/1.1 traffic in July 2021.