What to expect from HTTP/3

, 3 minutes to read

We barely de­ployed HTTP/2 and we are al­ready talk­ing about HTTP/3. The web is mov­ing very fast these days and its users will ben­e­fit from that. In fact, Chrome is al­ready us­ing HTTP/3 if you are con­nect­ing to Google’s servers. The pro­to­col has been in de­velopment and tested in pro­duc­tion en­vi­ron­ment for years un­der the name of QUIC. It sup­presses TCP and is built up en­tirely on UDP. And the best in the end – en­cryp­tion is manda­tory (at least for the time be­ing).

Isolated streams

HTTP/2 in­tro­duced mul­ti­plex­ing, which is use­ful, be­cause it al­lows trans­fer­ring of mul­ti­ple streams over a sin­gle con­nec­tion. But when one of those streams lost a sin­gle packet, the whole con­nec­tion pre­vents progress on all its streams. It’s a lim­i­ta­tion of TCP which wasn't in­tended to use mul­ti­ple streams. There­fore HTTP/3 in­tro­duced whole new stack on the top of UDP. A lost packet af­fects only the stream in that packet. Other streams can con­tinue to progress.

Persistent connection

Run­n­ing long run­n­ing con­nec­tions will be fi­nally pos­si­ble when your de­vice is mo­bile.

NAT rebinding

In the IPv4 world, a sin­gle IP ad­dress can have mul­ti­ple web­servers be­hind it. The prob­lem is that when you estab­lish a con­nec­tion the sec­ond web­server be­hind the NAT, the first con­nec­tion will time­out be­cause the source port of your IP ad­dress has changed.

QUIC will estab­lish only one con­nec­tion to NAT and end­points will be re­spon­si­ble for iden­ti­fy­ing con­nec­tions. This con­cept is called con­nec­tion ID.

Connection migration

Cur­rently, when the de­vice switches from LTE net­work to Wi-Fi, the old con­nec­tion is lost, and new con­nec­tion must be estab­lished. HTTP/3 will of­fer a mi­gra­tion of the con­nec­tions to dif­fer­ent IP ad­dress.

Backward compatibility

The ap­proach is like HSTS mech­a­nism. First, the browser estab­lishes the con­nec­tion in HTTP 1.1 or HTTP/2 pro­to­col. Sec­ond, the server re­sponds with Alt-Svc header. Third, the browser will switch to QUIC and use it in the fu­ture.


Pri­vacy is a com­promise be­tween us­a­bil­ity and se­cu­rity. The bar of se­cu­rity ris­ing.

Always encrypted

TLS 1.3 en­cryp­tion is manda­tory. Yes, the sec­ond at­tempt. Let's see if it won't be re­moved for “per­for­mance” rea­sons.

Deflecting Reflection

Re­flec­tion at­tacks are based on spoof­ing vic­tim’s IP ad­dress af­ter be­ing com­promised. QUIC pro­to­col de­fines an ex­plicit source-ad­dress ver­i­fi­ca­tion mech­a­nism.