HTTP3 / QUIC is now enabled

Firefox just pushed this in Firefox 88 and you do have to go into about:config search for the http3 options and enable it... but it's there.

So I've turned on HTTP3 for LFGSS.

What does this mean for you?

Erm... it's faster?

HTTP3 is basically UDP rather than TCP and the history goes like this:

1. HTTP 1 = TCP, want to make multiple concurrent requests? OK let's open multiple connections to the server.
   
2. HTTP 2 = TCP, want to make multiple concurrent requests? OK, let's open 1 connection to the server and then multiplex within the single connection, oh... those large files are holding up those small files, can't help there.
   
3. HTTP 3 = UDP, want to make multiple concurrent requests? OK, let's open a non-blocking UDP connection to the server, multiplex within that, and because it's a spray and pray then no files are being held up.
   
   

Something like that (read the RFCs if you care enough).

What does it mean for the site?

If you frequently go into threads with lots of attachments... those threads will be noticeably faster.

What are the risks?

Erm... it's hard to stop a layer 3 DDoS attack based on UDP packets due to how HTTP3 is also encrypted for everything and the encryption means DDoS providers struggle to differentiate between good and bad traffic. Not so bad for this site as the connection identifier encoded in the packets are known, but bad for transit providers where everything is meaningless. But I don't care about that :D

tl:dr If you use latest Chrome or Firefox (with HTTP3 enabled) then big threads with lots of images will load faster.

What about the chromium based browsers?

They may have merged it.

https://www.lfgss.com/cdn-cgi/trace

Look for:
http=http/3

Nice (from Chrome)

fl=21f592
h=http://www.lfgss.com
ip=213.205.xxx.xxx
ts=1618935526.419
visit_scheme=https
uag=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.72 Safari/537.36
colo=LHR
http=http/3
loc=GB
tls=TLSv1.3
sni=plaintext
warp=off
gateway=off

Sadly QUIC is blocked at work because InfoSec can't decrypt it and pass it through their expensive threat analysis appliance.

They're going to hate the future 😁

But thankfully http3 falls back to http2

Eventually the appliance vendors will catch up and add QUIC proxy/MITM support. Probably.

They can't.

The protocol explicitly includes features to prevent state level MITM. So appliances in the workplace are fucked.

Together with other measures in TLS and DNS there's nothing that those legacy appliances can do.

Work authorised browsers would the only way to MITM, perhaps with browser certifying itself to force you to use it... But now it isn't a transparent MITM as the browser is just an authorised client.

The MITM we already do isn't transparent as we resign everything with our own CA. It's not very different to a proxy in many ways and there are things that claim to proxy QUIC about already.