Quote:
Originally Posted by Larry Legend
There seems to be a lot of controversy on certain security implications.
I'm not sure if there is pushback on it basically being a Google spec via SPDY, and if the security stuff is for real. It looks like there is a proposal out there that eliminates a major security concern.
The bitching I've heard is mostly along the lines of the fact that the period allocated to designing the spec was so short that they basically had to take something that already existed (SPDY).
Security-wise, I dunno. It's not in the standard but due to adoption practices it'll be TLS only. I think it's missing opportunistic encryption, which some people wanted.
Quote:
When I asked about it to a Slack channel I'm on some guy immediately bashed it for having security issues and optimizing at the wrong level. He's also a super ahole blowhard so I didn't just trust him and did my research to understand his position but it does seem like a decent gripe?
Optimizing at the wrong level... maybe.
I think it'll stay backwards compatible with HTTP/1.1 so I am mostly OK with it, but, they are basically doing a lot of stuff at the HTTP layer that looks more like things you'd do at the TCP layer, such as layering multiple parallel requests in one TCP channel, having the server push assets, etc.
Something that makes me a little nostalgic for the old days, vs HTTP/2, is that in the old days the protocol was so simple that you could telnet to a webserver address at port 80, type some stuff, and get a response. Like..
Code:
% telnet foo.com 80
GET /test?id=1 HTTP/1.1
HOST: something.com
Cookie: ...some cookie values or whatever
<enter>
<enter>
It was also easy to make very simple hand rolled tools that could act either as HTTP servers or clients, without making use of some rather-difficult-to-write libraries.
Like... when I was taking some class in college I wrote a webserver in bash. That's something you can do in HTTP/1 or 1.1 but probably not so easily in 2. Which is fine, as computers get more complicated, the tools probably have to get more advanced also. telnet doesn't even ship with most Linux distros any more.