HTTP/2: The future of the Web demystified

Making the most of HTTP/2 will take a lot of work on the part of Web designers, IT admins, and server jockeys. Here's what to expect


Ops people will need to upgrade their Web servers. Web servers will need to be upgraded to support HTTP/2. Support for HTTP/2 is still in its infancy, and each major HTTP server is adding it on its own schedule.

Nginx already supports the HTTP/2 precursor SPDY and is planning to add formal support for HTTP/2 by the end of 2015. Microsoft’s IIS is set to support HTTP/2 in its next release, bundled with Windows 10 and, one presumes, the next iteration of Windows Server. Google donated its SPDY code to the Apache Foundation, which plans to make SPDY part of Apache HTTPD 2.4, thereby paving the way for HTTP/2 down the line.

Web frameworks will need to be upgraded. Web frameworks that sport their own embedded server must be upgraded as well. If you’re deploying with a large, commonly used framework, there’s a good chance it already has HTTP/2 support built in, and it simply needs to be enabled by choosing the right library or passing the proper options to it. The popular Node.js framework Express, for instance, already supports HTTP/2, although proposals do not yet appear to be on the table for how to update Python’s WSGI standard for HTTP/2.

Just because you upgraded to HTTP/2 doesn’t mean other people have. If you’re serving a site that pulls in content from third-party providers, such as a Web traffic tracking system, there’s no guarantee those connections won’t be served over HTTP/1.1. This will, again, theoretically make your site load slower than if you had been using HTTP/1.1.

HTTP/2 won’t add encryption for you. Even if we didn’t live in a post-Snowden world, mandating encryption for HTTP connections everywhere would in theory make it far harder to get away with many common kinds of attacks carried out via HTTP. In fact, there was discussion early on in the proposal process to make HTTP/2 connection encryption mandatory, but it lost out for a variety of reasons.

That said, the browser makers -- Firefox and Chrome in particular -- have elected to support HTTP/2 only over connections where TLS is present. Thus, to get the most out of HTTP/2, you’re best off deploying it with an encrypted connection, lest the people who’ll most benefit from it end up never using it. If the cost of a certificate is a stumbling block, the EFF and Mozilla are at work on a plan to provide free encryption certificates for all sites that want it later this year -- right around the time HTTP/2 itself has become a full-blown entity.

This is only the beginning

It’s true that we’re a little ways off from these issues. Many conditions still have to be satisfied: support on the client, support on the server, and support on all the infrastructure in between -- a tall set of orders to fill. Only then will we witness how HTTP/2 performs in the real world, with all the unexpected network congestion, buggy implementations, and ad hoc solutions that come with the Web.

Old-school HTTP/1.1 won’t completely disappear for a long time. The infrastructure that emerges will have to deal with both standards side-by-side, in much the same way browsers had to be compatible with HTML 4, XHTML, and HTML 5.

HTTP/2 is no panacea. In the long term, there will likely be an attempt to address what HTTP/2 itself couldn’t -- or wouldn’t -- touch, such as encryption by default. Some harsh criticisms have arisen over the way HTTP/2 dropped support for security by default, but it’s possible that moving from HTTP/2 to HTTP/3 will make it far easier to support secure connections as a standard -- and with HTTP/2 itself the fallback for situations where that isn’t possible.

For Web engineers, one of their next missions will require keeping an eye on how HTTP/3 -- whenever it arrives -- can advance the state of the art for all Web users, as elegantly as possible. But in the short run, they’ll have their hands full, both making the switch to HTTP/2 and working with everyone else doing the same.
