The next version of HTTP, as agreed upon by the Internet Engineering Taskforce, is going to make some big changes.
In its continued efforts to make Web networking faster, Google has been working on an experimental network protocol named QUIC: “Quick UDP Internet Connections.” QUIC abandons TCP, instead using its sibling protocol UDP (User Datagram Protocol). UDP is the “opposite” of TCP; it’s unreliable (data that is sent from one end may never be received by the other end, and the other end has no way of knowing that something has gone missing), and it is unordered (data sent later can overtake data sent earlier, arriving jumbled up). UDP is, however, very simple, and new protocols are often built on top of UDP.
QUIC reinstates the reliability and ordering that TCP has but without introducing the same number of round trips and latency. For example, if a client is reconnecting to a server, the client can send important encryption data with the very first packet, enabling the server to resurrect the old connection, using the same encryption as previously negotiated, without requiring any additional round trips.
I am ashamed to admit that I actually know remarkably little of how the core technologies underpinning the internet and the world wide web actually work. It’s apparently so well-designed and suited for its task that few of us ever really have to stop and think about how it all works – but when you do, it kind of feels like magic how all of our computers, smartphones, and other connected devices just talk to each other and every little packet of data gets sent to exactly the right place.
Sounds like a recipe for a Man in the Middle attack.
Also sounds like Google is setting itself up as the internet middle man.
You selectively quoted and the parts left out prevent the man in the middle attack.
Don’t see how that can prevent a man in the middle attack.
Don’t judge it based on the layman’s language used in the media coverage…
https://docs.google.com/document/d/1g5nIXAIkN_Y-7XJW5K45IblHd_L2f5LT…
There could be dragons there but it sounds FAR more resistant to MitM attacks than TLS is. At the very least it seems no worse at first blush.
It _is_ TLS. TLS V1.3, just approved, and vastly more secure than V1.2, including resistance to man in the middle attacks.
Having a Previously Shared Key, and with a slight reordering of the packets, a TLS connection can be established without any round trips.
A PSK is no more susceptible to MitM attacks, because it was established in an encrypted connection in the same fashion as if it were not to be shared. There are other limitations to PSKs, however, and we’ll se how much they are used in the end, especially now that with TLS 1.3 the delay to establish a fresh key has been halved to one round trip.
Posted in the wrong place!
Edited 2018-11-13 08:59 UTC
Just one word of that tells everything there is to know. “Google”!
F**k Google, we don’t need them controlling the internet or networking protocols!
This is sooooo f*cking stupid.
Its a protocol specification… So we should shit on good ideas because we don’t like the source now? This has nothing whatsoever to do with Google’s business model or practices, it just a better, faster version of HTTP (hopefully). I couldn’t give a shit less who came up with it if its an improvement.
Google already did the original design of HTTP/2 (aka SPDY), and about 30% of the internet is using it right now (that will almost certainly be 60% by end of next year). Every major browser supports it right now. So if you want to adhere to that warped worldview then Google already controls the internet and network protocols. How do you sleep at night? Are you planning to boycott?
Agreed. This is an engineering problem space and whilst there may be other forces in and around this, the likelihood of adverse intentions remaining the silk of secrecy, is effectively zero in my view.
Edited 2018-11-13 07:16 UTC
You are the foolish one, twonk!
You can continue to go all warm and moist every time Google is mentioned, I don’t. It’s an evil empire, always has been, same as every other corporation.
And yes I may boycott, I use nothing of theirs now and it does no harm!
what you said…. 🙂 amen.
“It’s apparently so well-designed and suited for its task…”
Actually not all the parts are so well-designed. There is an enormous overhead caused by establishing a connection anew every time a webclient fetches a piece of data for the puzzle of a webpage it is putting together.
As a user we don’t notice it because massive resources are thrown at it to make up for it.
Hence, probably, the effort to right that through a new protocol.
Hello, would you like to hear a TCP joke?
Yes, I’d like to hear a TCP joke.
OK, I’ll tell you a TCP joke.
OK, I’ll hear a TCP joke.
Are you ready to hear a TCP joke?
Yes, I am ready to hear a TCP joke.
OK, I’m about to send the TCP joke. It will last 10 seconds, it has two characters, it does not have a setting, it ends with a punchline.
OK, I’m ready to hear the TCP joke that will last 10 seconds, has two characters, does not have a setting and will end with a punchline.
I’m sorry, your connection has timed out… …Hello, would you like to hear a TCP joke?
Hello, would you like to hear a UDP joke?
You might not get it.
it I got
The123king,
Being pedantic, this is what your UDP joke should have been:
Edited 2018-11-14 02:04 UTC
Or perhaps:
HelloHeresaUDPjokeKnockKnock…
🙂
Now do one using QUIC
Hello, would you like to hear a…
Sure!
LoL!
I hope the fallback mechanism is absolutely foolproof because I suspect firewalls could be a problem in practice. I don’t like it at all, but unfortunately the internet is no longer ideal for non-TCP 80 protocols due in part to restrictive firewalls that bless HTTP on port 80 as a privileged protocol.
Also, due to the lack of public IP addresses, carrier grade NAT is the norm for most cellular traffic. Yet NAT translation in particular is not friendly to UDP because, unlike TCP, the NAT routers cannot identify when the “UDP Session” is terminated, therefor they have no choice but to apply arbitrary timeouts that break UDP sessions.
https://en.wikipedia.org/wiki/Carrier-grade_NAT
This can be such a pain because many UDP apps that work for me here often don’t work properly at my parent’s house because of NAT disconnects.
An example of this is I can place VOIP calls normally, but receiving them is usually not possible because by the time I receive a call the session at the NAT router that’s supposed to receive the call has already been terminated.
This can be mitigated if you are able to configure a fast keepalive, but it’s not so great for a phone’s battery life to keep waking up every several seconds to send keepalive packets.
Bah…internet technology needs a “reboot”.
Or… just roll out IPv6. My phone has a public v6 address. So does my NAS at home, albeit heavily firewalled. CGNAT is strictly a problem because of shitty legacy sites and vendors that won’t add v6 support to their customer facing ends.
tidux,
Sure. Idealism, meet real world. There’s still no broadband competition for my home offering IPv6.
A major problem with IPv6 if you do have it is that IPv6 connectivity between IPv6 backbone providers is broken / fragmented.
https://www.theregister.co.uk/2018/08/28/ipv6_peering_squabbles/
I tested a Hurricane Electric IPv6 tunnel (a free service they provide here https://tunnelbroker.net/ ) and sure enough, some IPv6 services are simply unreachable (including my own servers).
I was shocked when I learned this since I just assumed any public IPv6 address could connect to any other IPv6 address just like IPv4. It turns out the only way to be reachable throughout the IPv6 space today is to be multi-homed on multiple backbones, which can be prohibitively expensive. Multihoming can help performance and redundancy but is otherwise completely optional on the IPv4 side of things.
It was disheartening to learn this, it really really sucks for IPv6 and it’s been going on for well over a decade now. It’s just so frustrating. Many users won’t actually notice simply because they fallback to IPv4 (ie using carrier grade NAT) but man is it disappointing that core parts of our IPv6 infrastructure are still broken in 2018.
Edited 2018-11-14 02:57 UTC
Stuff like this makes me really sad that SCTP never really caught on. It already solves most of the same issues with TCP that QUIC does, without adding yet another layer into the equation.
ahferroin7,
I agree, it would have been a very nice upgrade over TCP & UDP.
https://en.wikipedia.org/wiki/Stream_Control_Transmission_Protocol
I always encounter this dilemma in my projects: “I keep solving the same problems over and over with TCP/UDP. I’d like to use SCTP for this”. But then reality hits me, it doesn’t work anywhere. Microsoft won’t even add it to windows.
Realistically it never had a shot, TCP & UDP are permanently ingrained in all of our edge gateway routers. All protocols from now on must be built on top of TCP/UDP. New transport layer protocols may have merit, but they’ll never have widespread acceptance needed for developers to support them.
And for that UDP is quite suitable. Next to the techincal pdfs and articles on the internet I read I cannot even remember when was the last time I read a regular “book”.
Mainly because there is no time for it, how will you read a book while driving, you listen audiobooks aka youtube.
But from watching we learn more according to the learning pyramid: https://goo.gl/images/s3BQRa
Books can be very monoton and boring, especially educational books.
The future of the web is clearly video content everywhere.
Maybe one day when we arrive to osnews a nice android voice will read us the news or plays some summary of the daily tech news as a video.
xfire,
Hmm, I think you’re on the wrong site for that kind of content, haha. I kind of figure most of us here are happier that osnews hasn’t jumped on the multimedia video extravaganza bandwagon. I look at many sites that did and feel it’s just way too ADHD for me. Mind you I could be wrong, what are other people’s opinions on this?
If I click to a site to learn something, and discover that information is contained in a video, I close the tab. Video is useless for me. It’s impossible to skim a video to see if it’s what you want, the fact that you have to manipulate a video with controls (that may be laggy and poorly implemented!) is annoying. I don’t have to hit pause to stop text.
And, site are making video just vastly more annoying. Scroll away, and the video pops up and overlays on text you’re trying to read! Who the fuck thought that was a good idea? It’s so infuriating.
Marketers and designers who have stopped listening and understanding how people behave and instead now just trying to blindly apply principles they’ve read in a glossy book.
Book sales a rising. https://www.bbc.co.uk/news/business-39718016“>Paper
More Internet video doesn’t mean less text. Why would it, after cinema, radio, TV, audio cassettes, VHS, etc. etc. failed to?
Not sure how they came up with that; what sort of information were they trying to show retention of?
I work with Braille. A blind person is said to have far higher retention reading Braille than listening to an audiobook of the same material. This is said to mirror a sighted person’s experiences with print.
Its to do with reading being a comparable active experience when compared with the automatically unfolding audiovisual experience.
I don’t have sources immediately to hand, but could probably dig them up if they’re of interest.
Great. Now no one will try to consume a text in it’s entirety and background information from context, and instead rely solely on 10 seconds in the start or middle of the video to infer everything about the person’s point, knowledge and politics. And it doesn’t matter if the inference is wrong, because we’re tech people and not beholden to the “critical thinking” that we complain is lacking in non-tech people.
I dunno…
Some of this seems sorta dodgy from a security perspective like saving security states on connections for later use.
That is a huge no no where I come from.
There wasn’t any mention who is going to feel like rewriting most of the internet.
Web code is expensive.
That’s what I said too. But some people here are saying it’s okay.
I used to share this video with my friends in college to simplify the know-how network works. Hope it helps a bit.
https://youtu.be/n7mtJ3ZV6xM