Dajbych.net


What to Expect from HTTP/3

2 minutes to read


We barely deployed HTTP/2 and we are already talking about HTTP/3. The web is moving very fast these days and its users will benefit from that. In fact, Chrome is already using HTTP/3 when you connect to Google’s servers. The protocol has been in development and tested in production environments for years under the name QUIC. It replaces TCP and is built entirely on top of UDP. And the best part: encryption is mandatory (at least for the time being).

Isolated streams

HTTP/2 introduced multiplexing, which is useful because it allows multiple streams to be transferred over a single connection. But when one of those streams loses a single packet, the whole connection stalls until that packet is retransmitted, so no stream can make progress (head-of-line blocking). This is a limitation of TCP, which was never designed to carry multiple independent streams. HTTP/3 therefore introduces a whole new transport stack on top of UDP. A lost packet affects only the stream carried in that packet; the other streams continue to progress.

Persistent connection

Long-lived connections will finally be practical when your device is mobile.

NAT rebinding

In the IPv4 world, a single IP address can have multiple web servers behind it. The problem is that when you establish a connection to the second web server behind the NAT, the first connection will time out because the source port associated with your IP address has changed.

QUIC establishes only one connection through the NAT, and the endpoints themselves are responsible for identifying connections rather than relying on the address and port pair. This identifier is called the connection ID.

Connection migration

Currently, when a device switches from an LTE network to Wi-Fi, the old connection is lost and a new connection must be established. HTTP/3 will allow an existing connection to migrate to a different IP address.

Backward compatibility

The approach is similar to the HSTS mechanism. First, the browser establishes the connection over HTTP/1.1 or HTTP/2. Second, the server includes an Alt-Svc header in its response. Third, the browser switches to QUIC and keeps using it for future connections.

Privacy

Privacy is a compromise between usability and security. The security bar is rising.

Always encrypted

TLS 1.3 encryption is mandatory. Yes, this is the second attempt. Let’s see whether it gets removed for “performance” reasons this time.

Deflecting Reflection

Reflection attacks rely on spoofing the victim’s IP address as the source of a request so that the server’s much larger reply is directed at the victim. The QUIC protocol defines an explicit source-address verification mechanism: the server confirms that the client can actually receive packets at the claimed address before it sends any substantial amount of data.
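The following toy model, added here as an example and not taken from the post or from any QUIC implementation, shows how a server applies that source-address verification: an unvalidated address is answered with a small Retry carrying an address-bound token, and (going one step beyond the text, following RFC 9000 section 8.1) replies to an unvalidated address are capped at three times the bytes received. The token layout, the lifetime and the addresses are constructed assumptions; real stacks typically encrypt their tokens.

```python
import hashlib
import hmac
import os
import struct

# RFC 9000 section 8.1: until the client's address is validated, a server may
# send at most three times the number of bytes it has received from that address.
AMPLIFICATION_FACTOR = 3
TOKEN_LIFETIME = 10  # seconds; constructed value for this example


class AddressValidator:
    """Toy model of a QUIC server's source-address validation state."""

    def __init__(self, secret=None):
        self.secret = secret or os.urandom(32)  # key for minting Retry tokens
        self.validated = set()                  # (ip, port) pairs proven reachable

    def _mac(self, addr, expiry_bytes):
        msg = f"{addr[0]}:{addr[1]}".encode() + expiry_bytes
        return hmac.new(self.secret, msg, hashlib.sha256).digest()

    def mint_token(self, addr, now):
        # Assumed token layout: 8-byte expiry || HMAC-SHA256(secret, addr || expiry).
        # Binding the token to `addr` is what makes a spoofed source unable to use it.
        expiry_bytes = struct.pack(">Q", now + TOKEN_LIFETIME)
        return expiry_bytes + self._mac(addr, expiry_bytes)

    def check_token(self, addr, token, now):
        # Valid only if unexpired and minted for exactly this (ip, port).
        if len(token) != 8 + 32:
            return False
        expiry = struct.unpack(">Q", token[:8])[0]
        return expiry > now and hmac.compare_digest(self._mac(addr, token[:8]), token[8:])

    def handle_initial(self, addr, received_bytes, wanted_bytes, token=b"", now=0):
        """Reply to one client Initial: ("handshake", bytes_to_send) or ("retry", token).
        `wanted_bytes` is the size of the full handshake reply, certificates included."""
        if token and self.check_token(addr, token, now):
            self.validated.add(addr)
        if addr in self.validated:
            return ("handshake", wanted_bytes)
        # Unvalidated address: a reply within the anti-amplification budget may go out.
        if wanted_bytes <= AMPLIFICATION_FACTOR * received_bytes:
            return ("handshake", wanted_bytes)
        # Otherwise answer with a small Retry. Only a host that really receives
        # packets at `addr` can echo this token, so a spoofed source never
        # triggers the large reply.
        return ("retry", self.mint_token(addr, now))
```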