HTTP3, the third official version of hypertext transfer protocol (HTTP), will not use the transmission control protocol (TCP) as did its predecessors. Instead, it uses the quick UDP internet connections (QUIC) protocol developed by Google in 2012.
QUIC is a transport layer protocol based on a multiplexed version of user datagram protocol (UDP) connections. Unlike TCP, UDP does not follow the TCP three-way handshake, but uses a single UDP roundtrip. Thus, the QUIC protocol exponentially improves any web component’s network performances as it uses UDP for every connection between the user-agent and the web server. Also, QUIC relies on multiplexing to manage multiple interactions between the user-agent and server seamlessly over a single connection, without any one blocking another, thus helping with performance improvements compared to its predecessors.
With several benefits from the performance and reliability perspective, HTTP/3 is considered the right way to go. From the security and privacy perspective, both benefits and limitations exist, with most being extensively detailed in the research arena. This article provides details on the benefits provided by HTTP/3 and some security considerations that must be taken into account.
Security features and benefits
The TCP protocol was designed to ensure that the payload encryption was present during the transmission, but the transport-specific information was still unencrypted, raising many security and privacy issues. The countermeasures designed and implemented to prevent these attacks are not on the TCP stack but on the network appliances and the middleboxes that handle the protocol and network. Additionally, the parsers built to overcome these issues in load balancers and other network appliances have serious performance issues and may limit the future network expansions that are rapidly evolving and depend upon network speed and reliability.