HTTP/2 2015 Retrospective

Back in December 2014 I did some experimenting with the then unfinished version of the HTTP/2 protocol with the H2O web server. I managed to get the server up and running with the built-in PHP server to serve some HTTP/2.

While the first steps were rather academic, it's been an interesting year to follow how things have progressed from here:

Looking back at the year 2015, it's really been a very good year for the foundations of the web. In addition to HTTP/2, other significant technologies like PHP and JavaScript moved forward with the releases of PHP 7, ES2015, HTTP/2 support in PHP via Curl and more. Oh yeah, and no more Internet Explorer as Edge took over.

The HTTP/2 standard was closed in May 2015 and by the end of the year many of the critical vendors, both browser and server, have support in place. Thanks to the pragmatic implementation of the protocol, which guarantees backwards compatibility, there are few reasons not to upgrade to the latest version.

HTTP/2 foundations were set in 2015

In the case of HTTP/2 the clients have been the trailblazers. Mozilla and other browsers already had support for the draft versions of the protocol going into 2015. At the end of the year the mobile OSes Android, iOS, and Windows all ship with HTTP/2-enabled browsers.

And on the desktop, evergreen browsers have become the norm, with browsers upgrading automatically to the latest versions. This means that even the less technically savvy users will stay on the edge, helping the web as a whole move forward.

In the beginning of 2015 there were a handful of experimental options for web servers supporting HTTP/2. H2O was one of the first and still remains the most feature-complete implementation, started from a clean slate:

Why do we need a new HTTP server? The answer is because its performance does matter in the coming years. It is expected that the number of files being served by the HTTP server will dramatically increase as we transit from HTTP/1 to HTTP/2.

-- Initial release of H2O, and why HTTPD performance will matter in 2015

In addition to H2O maturing, already at version 1.6, other more established servers such as Apache, IIS and Nginx have all gained support for the protocol in their latest versions.

It will take some time for HTTP/2 to be widely enabled in Linux distributions, and there are plenty of services that run non-compliant servers. But these servers can be run behind an HTTP/2 compliant SSL offloader to support the latest version of the protocol for outgoing communications.

HTTP/2 to go mainstream in 2016

Being a rather boring low-level technology, HTTP/2 seems to have largely passed the hype train. Granted, it lacks the pizzazz of 60 FPS animations and such, but it'll be a big change on the global scale.

In addition to server and client support, a de facto requirement for enabling HTTP/2 is secure HTTP over SSL. The process of purchasing and deploying SSL/TLS certificates continues to be somewhat cumbersome. And, most importantly, it has not been a hard requirement for launching a website.

Two additional factors are set to lower the barrier to adoption in 2016 regarding HTTPS communications:

Free and easy to use SSL/TLS certificates

Content Delivery Networks (CDNs) adopting HTTP/2

Let's Encrypt is an initiative that aims to provide free SSL/TLS certificates. In addition to this, they provide an easy-to-use client for certificate management. Together with the excellent Mozilla SSL Configuration Generator it will help demystify HTTPS server deployments.

CDNs that help distribute content globally have become an option for any web developer, with pricing starting from free. These are essentially gateways to your web server, acting as a middleman in between. This is a perfect place to adopt HTTP/2 transparently and providers like Cloudflare have already done so.

It is worth noting that using a secure CDN connection alone won't enable end-to-end encryption: the CDN terminates the visitor's TLS connection, and the hop from the CDN to your web server is protected only if it is encrypted as well. So it shouldn't be counted on as a secure transport for sensitive information such as credit card details.
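The same caveat applies to the SSL offloader setup mentioned earlier. As an added illustration (not from the original post), here is an nginx configuration that terminates HTTP/2 over TLS for browsers and keeps the second hop to an HTTP/1.1-only backend encrypted and verified. All hostnames, addresses and file paths are placeholders, and it assumes the backend can serve TLS with a certificate issued by an internal CA.

```nginx
# Added example: nginx as an HTTP/2 TLS offloader in front of a backend
# that only speaks HTTP/1.1. Goes inside the http { } context.
# Hostnames, IP addresses and file paths below are placeholders.

upstream legacy_backend {
    server 10.0.0.10:8443;          # backend's TLS port (assumed)
}

server {
    # HTTP/2 is negotiated with the browser on this listener.
    # This syntax works from nginx 1.9.5; nginx 1.25.1 and later
    # prefer a separate "http2 on;" directive instead.
    listen 443 ssl http2;
    server_name www.example.com;

    ssl_certificate     /etc/nginx/tls/www.example.com.fullchain.pem;
    ssl_certificate_key /etc/nginx/tls/www.example.com.key;

    location / {
        # Weak variant, shown for comparison only:
        #   proxy_pass http://10.0.0.10:8080;
        # The browser sees HTTPS and HTTP/2, but the request continues
        # to the backend in cleartext, so the path is not end-to-end
        # encrypted.

        # Corrected variant: encrypt the second hop and verify the
        # backend's certificate against the internal CA.
        proxy_pass https://legacy_backend;
        proxy_http_version 1.1;      # nginx talks HTTP/1.x to the backend
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;

        proxy_ssl_server_name on;                     # send SNI
        proxy_ssl_name backend.internal.example;      # name to verify
        proxy_ssl_verify on;                          # off by default
        proxy_ssl_verify_depth 2;
        proxy_ssl_trusted_certificate /etc/nginx/tls/internal-ca.pem;
    }
}
```

Even with the second hop encrypted, the offloader or CDN still sees the traffic in cleartext at the point where it terminates TLS.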

The groundwork of HTTP/2 was set in 2015 and is a truly impressive group effort by a large number of people and organisations. Now I expect any devops / server admins worth their chops will start serving HTTP/2 by default whenever possible.

I can't recall such a rapid adoption of a significant protocol upgrade in the real world. We're set to enjoy the benefits in the years to come.

Written by Jani Tarvainen on Sunday December 6, 2015
