HTTP/3 Cover Giacomo Lanzi

HTTP / 3, everything you need to know about the latest version protocol

Estimated reading time: 5 minutes

Security researchers have just digested the HTTP / 2 protocol, but web innovators are already publishing an update: HTTP / 3. This technology offers performance gains and security benefits, but only if we overcome the implementation problems that await us for what appears to be an evolutionary change rather than a real revolution in the way the web works.

In this article I will try to clarify what the new HTTP / 3 protocol is, what its features are and how you can implement them to your web hosting through Cloudflare with the services offered by SOD. < / p>

HTTP/3 fast network

What is HTTP/3 in detail

HTTP / 3 is a major update of the HyperText Transfer Protocol (HTTP), the technology that underlies the transfer of information on the web. HTTP / 3 runs on QUIC, an encrypted general transport protocol that “bundles” multiple data streams on a single connection.

QUIC was initially developed by Google and uses congestion control on User Datagram Protocol (UDP).

What is the relationship with HTTP/2?

HTTP / 2 has brought some improvements through non-blocking download technology, pipelining and server push that help overcome some limitations of the underlying TCP protocol HTTP / 2 as well as HTTP. Basically, with HTTP / 2 we can minimize the number of request – response cycles between client and server .

HTTP / 2 made it possible to send more than one resource on a single TCP connection, a process called multiplexing . The protocol provides greater flexibility in the order of static downloads and pages are no longer constrained by a linear progression of downloads.

It is possible to think of HTTP / 3 as the previous protocol which instead of using TCP for the transfer, uses QUIC, the protocol we mentioned above.

The benefits of the new protocol

The move to QUIC goes a long way towards solving one of the major HTTP/2 problems , namely “head of line blocking”, literally blocking the beginning of the line .

Since the parallel nature of HTTP/2 multiplexing is not visible to TCP’s loss recovery mechanisms, a lost or reordered packet causes all active transactions to stall , regardless of the whether or not a particular transaction was affected by the lost packet.

Since QUIC provides native multiplexing , lost packets only impact the streams in which the data was affected . The practical effect of upgrading to HTTP/3 is to reduce the latency of poor internet connections or frequent packet losses.

Furthermore, QUIC is almost entirely encrypted, which means that security is significantly improved with HTTP/3 . This built-in encryption means fewer opportunities for MitM ( manipulator-in-the-middle ) attacks. QUIC also includes other features that help protect against denial of service (DoS) exploits, which we discussed in another article in relation to ransomware.

QUIC combines its encrypted handshake and transport to allow connection to a new server in a single request . The same technology allows you to quickly resume a broken connection with the client sending encrypted application data in the first interaction. The protocol uses TLS 1.3 as a building block in its encrypted handshake.

Support for the new protocol

As of March 2021, the HTTP/3 protocol is still a standard draft and already has multiple implementations. Currently around 14.3% of the 10 million websites in existence support HTTP/3. For comparison, HTTP/2 is supported by 50.5% of platforms. Data source is W3Techs .

As far as browsers are concerned, the protocol is supported by stable versions of Chrome in a non-default way (from December 2019) and by Firefox (from January 2020).

HTTP/3 Secure connections

The benefits of introducing HTTP/3

HTTP/3 should offer faster load times and better performance for websites, particularly on networks prone to frequent packet loss, than previous technologies.

Achiel van der Mandele, Cloudflare product manager explained: “ In a nutshell, we believe that HTTP/3 will make the internet better for everyone . HTTP/3 is the successor to HTTP/2, which offers better performance when loading websites.

“HTTP/3 users will benefit from faster connection setup and better performance on poor quality networks with high amounts of packet loss. Both of these improvements ensure that websites are load faster and more reliably, “Mandele told The Daily Swig .

Web protocol expert Robin Marx was more cautious about the benefits of HTTP/3:

“Performance should also benefit, albeit not by much in practice,” he said. “Removing the head-of-line block doesn’t matter that much for [things like] loading web pages.

“Most of the gains will come from shorter handshake setup times,” he explained, adding that HTTP/3 and QUIC are “an evolution, not a revolution” .

“Performance will be better, but not in a super noticeable way for things like web browsing,” Marx said. “ Security should be better and protect against different types of attacks “. ( Source )

Availability of the protocol

As we have seen, the new HTTP / 3 transfer protocol could be a notable evolution in security rather than performance, where it will significantly excel in setting handshakes . Not all hosting services are currently able to offer support for the new protocol.

We at SOD offer this through Cloudflare, our partner for CDNs. In our web hosting service it is possible to enable CDN for free and then set up support for the new HTTP / 3 via the Cloudflare panel itself.

For more information, do not hesitate to contact us, we will be happy to answer any questions.

Contattaci

Useful links:

Useful links:

CloudFlare

Install a Let’s Encrypt certificate on Debian based machine

Share


RSS

RSS feed

More Articles…

Categories …

Tags

Acronis Cloud Backup BaaS Backup cloud cloud computing Cloud Conference cloud provider reggio emilia cloud server cloud services CTI cyber security cyber security cyber threat Cyber Threat Hunter Data Exfiltration GDPR Machine Learning Monitoraggio infrastruttura ICT Next Generation SIEM nextgen siem online hosting owncloud owncloud pentest Phishing Plesk Ransomware Ransomware security server virtuale sicurezza siem Smart Working SOAR SOCaaS Threat intelligence UEBA VDS Virtual Machine vps vulnerability assessment web hosting webinar Zabbix Zabbix as a Service

RSS Unknown Feed

RSS Full Disclosure

  • iOS Activation Flaw Enables Pre-User Device Compromise and Identity Exposure (iOS 18.5) July 1, 2025
    Posted by josephgoyd via Fulldisclosure on Jun 30Title: iOS Activation Flaw Enables Pre-User Device Compromise Reported to Apple: May 19, 2025 Reported to US-CERT: May 19, 2025 US-CERT Case #: VU#346053 Vendor Status: Silent Public Disclosure: June 26, 2025 ------------------------------------------------------------------------ Summary ------------------------------------------------------------------------ A critical vulnerability exists in Apple’s iOS activation pipeline that allows...
  • Remote DoS in httpx 1.7.0 – Out-of-Bounds Read via Malformed <title> Tag June 26, 2025
    Posted by Brian Carpenter via Fulldisclosure on Jun 25Hey list, You can remotely crash httpx v1.7.0 (by ProjectDiscovery) by serving a malformed tag on your website. The bug is a classic out-of-bounds read in trimTitleTags() due to a missing bounds check when slicing the title string. It panics with: panic: runtime error: slice bounds out […]
  • CVE-2025-32978 - Quest KACE SMA Unauthenticated License Replacement June 24, 2025
    Posted by Seralys Research Team via Fulldisclosure on Jun 23 Seralys Security Advisory | https://www.seralys.com/research ====================================================================== Title: Unauthenticated License Replacement Product: Quest KACE Systems Management Appliance (SMA) Affected: Confirmed on 14.1 (older versions likely affected) Fixed in: 13.0.385, 13.1.81, 13.2.183, 14.0.341(Patch 5), 14.1.101(Patch 4) Vendor: Quest Software Discovered: April...
  • CVE-2025-32977 - Quest KACE Unauthenticated Backup Upload June 24, 2025
    Posted by Seralys Research Team via Fulldisclosure on Jun 23 Seralys Security Advisory | https://www.seralys.com/research ====================================================================== Title: Unauthenticated Backup Upload Product: Quest KACE Systems Management Appliance (SMA) Affected: Confirmed on 14.1 (older versions likely affected) Fixed in: 13.0.385, 13.1.81, 13.2.183, 14.0.341(Patch 5), 14.1.101(Patch 4) Vendor: Quest Software Discovered: April 2025...
  • CVE-2025-32976 - Quest KACE SMA 2FA Bypass June 24, 2025
    Posted by Seralys Research Team via Fulldisclosure on Jun 23 Seralys Security Advisory | https://www.seralys.com/research ====================================================================== Title: 2FA Bypass Product: Quest KACE Systems Management Appliance (SMA) Affected: Confirmed on 14.1 (older versions likely affected) Fixed in: 13.0.385, 13.1.81, 13.2.183, 14.0.341(Patch 5), 14.1.101(Patch 4) Vendor: Quest Software Discovered: April 2025 Severity: HIGH...
  • CVE-2025-32975 - Quest KACE SMA Authentication Bypass June 24, 2025
    Posted by Seralys Research Team via Fulldisclosure on Jun 23 Seralys Security Advisory | https://www.seralys.com/research ====================================================================== Title: Authentication Bypass Product: Quest KACE Systems Management Appliance (SMA) Affected: Confirmed on 14.1 (older versions likely affected) Fixed in: 13.0.385, 13.1.81, 13.2.183, 14.0.341(Patch 5), 14.1.101(Patch 4) Vendor: Quest Software Discovered: April 2025 Severity:...
  • RansomLord (NG v1.0) anti-ransomware exploit tool June 24, 2025
    Posted by malvuln on Jun 23First official NG versioned release with significant updates, fixes and new features https://github.com/malvuln/RansomLord/releases/tag/v1.0 RansomLord (NG) v1.0 Anti-Ransomware exploit tool. Proof-of-concept tool that automates the creation of PE files, used to exploit ransomware pre-encryption. Lang: C SHA256: ACB0C4EEAB421761B6C6E70B0FA1D20CE08247525641A7CD03B33A6EE3D35D8A Deweaponize feature PoC video:...
  • Disclosure Yealink Cloud vulnerabilities June 24, 2025
    Posted by Jeroen Hermans via Fulldisclosure on Jun 23Dear all, ---Abstract--- Yealink RPS contains several vulnerabilities that can lead to leaking of PII and/or MITM attacks. Some vulnerabilities are unpatched even after disclosure to the manufacturer. ---/Abstract--- We are Stefan Gloor and Jeroen Hermans. We are independent computer security researchers working on a disclosure process […]
  • : "Glass Cage" – Zero-Click iMessage → Persistent iOS Compromise + Bricking (CVE-2025-24085 / 24201, CNVD-2025-07885) June 18, 2025
    Posted by josephgoyd via Fulldisclosure on Jun 17"Glass Cage" – Sophisticated Zero-Click iMessage Exploit ChainEnabling Persistent iOS Compromise and Device Bricking CVE-2025-24085, CVE-2025-24201(CNVD-2025-07885) Author: Joseph Goydish II Date: 06/10/2025 Release Type: Full Disclosure Platform Affected: iOS 18.2 (confirmed zero-day at time of discovery) Delivery Vector: iMessage (default configuration) Impact: Remote Code Execution, Privilege Escalation, Keychain […]
  • SEC Consult SA-20250612-0 :: Reflected Cross-Site Scripting in ONLYOFFICE Docs (DocumentServer) June 18, 2025
    Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Jun 17SEC Consult Vulnerability Lab Security Advisory < 20250612-0 > ======================================================================= title: Reflected Cross-Site Scripting product: ONLYOFFICE Docs (DocumentServer) vulnerable version:

Customers

Newsletter

{subscription_form_1}
Products and Solutions
Partners
Cloud Models
News
Google Reviews
Secure Online Desktop s.r.l.
4.9
Based on 37 reviews
powered by Google
review us on
Omid Fazeli
06:59 20 Apr 18
They have a lot of solutions for any kind of business. Lower prices than many others. The support service is always active and efficient.
See All Reviews
Facebook
Secure Online Desktop s.r.l.
Secure Online Desktop s.r.l.
5.0
Based on 12 reviews
powered by Facebook
review us on
Paolo Raimondi
Paolo Raimondi
11:06 21 Apr 18
La Polimatica Progetti Srl, azienda di... cui sono titolare, collabora con soddisfazione da alcuni anni con Secure Online Desktop. L'Azienda è costituita da professionisti seri e competenti. Insieme a loro abbiamo costruito un sistema organizzato di soluzioni ICT, servizi e attività di consulenza per la compliance alla normativa in materia di protezione dei dati personali (GDPR).read more
Ilaria Miglietta
Ilaria Miglietta
04:16 21 Apr 18
Servizi affidabili e di semplice... utilizzo. I loro tecnici molto attenti alle esigenze del cliente, continuate cosìread more
Francesca Marastoni
Francesca Marastoni
11:41 20 Apr 18
Excellent service company with... wonderful stuff. Highly recommended.

Ottima azienda, servizi molto utili, staff qualificato e competente. Raccomandata!read more
Alessio Liga
Alessio Liga
08:25 20 Apr 18
Servizi di alto livello, competenti e... disponibili a accettare nuove sfide per sviluppare business
Ottimo supportoread more
Matteo Revelli
Matteo Revelli
22:39 19 Apr 18
Ottima azienda, offre servizi di alta... qualità con personale competente e disponibile.read more
Lorenzo Munari
Lorenzo Munari
16:25 19 Apr 18
Azienda molto seria e... affidabile.

E' un piacere poter collaborare con realtà di questo tiporead more
Francisco Amadi
Francisco Amadi
10:41 19 Apr 18
Ho avuto il piacere di collaborare con... loro e spero vivamente che succeda di nuovo. Competenti, professionali, precisi e cordiali!read more
Davide Michelotto
Davide Michelotto
07:42 19 Apr 18
Ottimo servizio, seri professionisti al... timone della società e celerità nei tempi di risposta, oltre ogni aspettativa.read more
Gabriele Petralia
Gabriele Petralia
12:28 18 Apr 18
Luca Prati
Luca Prati
10:12 18 Apr 18
Azienda eccellente, consulenza... customizzata e puntuale.
Un ottimo fornitore.
Io personalmente ho parlato con l' Ing. Venuti, valore aggiunto indubbiamente.read more
Valerio Lezza
Valerio Lezza
21:35 17 Apr 18
Daniela Cospito Di Leo
Daniela Cospito Di Leo
21:20 17 Apr 18
More Reviews
js_loader
payments gateway
About