Should the IETF ship or skip HTTP 2.0?
Posted Jun 6, 2014 21:40 UTC (Fri) by job (guest, #670)
Parent article: Should the IETF ship or skip HTTP 2.0?
(By the way, I'm far from convinced that stream protocols along the lines of SCTP aren't a better way to achieve stream multiplexing. Sure, there would be compatibility problems, but the endpoint could choose to use it only when available and let the problems sort themselves out over the next decade. It's not as if there aren't firewall issues with SPDY.)
The most glaring omission with HTTP must be session management. This has been bolted on with cookies, but that does not work very well in practice. It makes it very difficult to know when you can serve cached documents, since cookies can carry all sorts of meanings. Its security semantics are all over the place and they can leak a thousand ways -- not to mention the gouge-your-eyes-out rules on which domains get to use them. Nobody uses HTTP authentication for public web sites simply because there is no login session management. That is why we can't have nice things such as SRP. Instead we send passwords back and forth over the wire. In 2014.
So there's plenty of work to do that could improve security and reliability in obvious ways. But instead we get ... multiplexing and compression? That may shave off a few bytes here and there? That's close to useless. Most sites could with a single run of pngcrush do an order of magnitude better. Even Google, who supposedly runs a tight ship, could shave off thousands of bytes on every home page request if they structured their markup a bit tighter. But they don't. Because it doesn't matter.