[HN Gopher] Evolution of HTTP
___________________________________________________________________
Evolution of HTTP
Author : divbzero
Score : 75 points
Date : 2022-10-14 10:23 UTC (1 days ago)
(HTM) web link (developer.mozilla.org)
(TXT) w3m dump (developer.mozilla.org)
| bullen wrote:
| The ONLY thing that has been constantly broken for 20 years is
| HTTPS.
|
| HTTP2+ IS HTTPS.
|
| And it's the opposite of secure.
|
| Use this over HTTP/1.1 instead:
| https://datatracker.ietf.org/doc/html/rfc2289
| RunSet wrote:
| or:
|
| "An argument for Gemini."
|
| https://en.wikipedia.org/wiki/Gemini_(protocol)#Design
| yoro46 wrote:
| How exactly does linking a Wikipedia page to some minimalist
| cult's redesign of Gopher present an argument for Gemini?
| [deleted]
| woodruffw wrote:
| I've tried to drum up my own interest in Gemini, but it feels
| very NIH.
|
| Given that you can serve plaintext (or barebones HTML) over the
| Web and that every browser will _still_ happily speak HTTP /1.0
| or even HTTP/0.9, I don't understand the draw (other than the
| nostalgic aesthetic).
| 0x445442 wrote:
| Yeah, I think a distinction needs to be made between
| bastardized JS laden applications and documents with embedded
| rich media. It's interesting the four bullet points in the
| link all mention documents but HTTP hasn't been about
| documents for a long time.
| Cyberdog wrote:
| A while back I hammered out an idea I call KyuWeb, which
| specifies a document-based web using existing standards like
| HTTP and reinvents as few wheels as possible. I haven't had
| time/skill to hammer out a complete client implementation
| yet, but I enjoy hearing feedback from people who have looked
| over the specification. Have a look and see if it's to your
| taste: https://github.com/GarrettAlbright/KyuWeb
| ainar-g wrote:
| From my understanding, the draw is to "start over" and create
| a completely new hypertext ecosystem where script-heavy
| advertising-laden sites just aren't technically possible. Or,
| at the very least, extremely impractical. It's a moonshot,
| but I guess that's one of the reasons they called it Gemini,
| heh.
| chrismorgan wrote:
| HTTP/0.9 died long ago. Chromium shows an
| ERR_INVALID_HTTP_RESPONSE error page, and Firefox renders the
| response body as preformatted plain text rather than as HTML.
| peoplefromibiza wrote:
| no JS
|
| no trackers or ads
|
| no need for a CA
|
| it's much easier to create a browser for it, it's in fact
| something a single developer can do in a weekend project
|
| it's not controlled by any corporation
| notriddle wrote:
| It mostly only solves problems on the consumer side. Only
| one of these downsides directly affects publishers.
|
| * If you don't want JS, don't use it.
|
| * If you don't want trackers or ads, don't put them in.
|
| * This is the only publisher-touching downside, and
| LetsEncrypt is an effective mitigation.
|
| * If you want to make a site Lynx-compatible, test it in
| Lynx.
|
| * The downsides of this are too diffuse to immediately
| drive demand. Nobody is directly impacted by it.
| peoplefromibiza wrote:
| > Only one of these downsides directly affects
| publishers.
|
| on the client side it ensures that JS, ADS, trackers etc
| won't be there and the client can bet there will be no
| surprise
|
| Gemini is the equivalent of "make the impossible states
| impossible"
|
| The best a malevolent publisher can do is look at the
| logs, because not even the transparent pixel is allowed.
|
| It's worth pointing out that the goal of Gemini is not to
| replace the WEB and that it it is still possible to
| publish pure HTML web sites with the same characteristics
| (but for how long?)
|
| also Gemini has no headers so no cookies, that, depending
| on the platform, could be out of the control of the
| publisher.
|
| I am working (slowly) on some Gemini project
|
| Mainly because there is no money involved in it and
| monetisation is not a thing.
|
| Gemini, for example, makes it really easy to build search
| engines that actually work and cannot be weaponized
| against their users
|
| Because the protocol is so limited that it's impossible,
| or highly impractical, to follow that route (no money
| also means no incentive)
| tsimionescu wrote:
| It doesn't do most of the things we use the WWW for.
| krapp wrote:
| That's supposed to be the point. Gemini is the techie
| version of running off into the woods to join an anarcho-
| primitivist commune or an aescetic monastery.
| peoplefromibiza wrote:
| being limited is one of the selling points of Gemini.
| superkuh wrote:
| >The next major version of HTTP, HTTP/3, will use QUIC instead
| TCP/TLS for the transport layer portion.
|
| What an odd way of phrasing it. It should be, "The next major
| version of HTTP, HTTP/3, will be QUIC and so drop TCP for UDP and
| _require_ CA based TLS for every single connection. Regular
| connections not requiring a third party corporation to approve
| will be impossible. "
| tialaramex wrote:
| This isn't a change from the status quo. HTTP/2 is in practice
| only used over TLS.
| jen20 wrote:
| It's also commonly used over domain sockets without TLS for
| gRPC. Practically I'm not sure that QUIC makes a huge amount
| of different for public services endpoints though, you're
| right.
| masklinn wrote:
| > What an odd way of phrasing it. It should be, "The next major
| version of HTTP, HTTP/3, will be QUIC"
|
| No?
|
| Http/3 is one application of quic, but sits on top of it.
|
| That's why it has a separate RFC, which explains that:
|
| > While delegating stream lifetime and flow-control issues to
| QUIC, a binary framing similar to the HTTP/2 framing is used on
| each stream. Some HTTP/2 features are subsumed by QUIC, while
| other features are implemented atop QUIC.
|
| While google did design QUIC with HTTP in mind, you can use
| QUIC for other protocols e.g. Microsoft has shipped SMB on QUIC
| in Windows Server 2022. MS also supports direct QUIC uses on
| Xbox Series consoles and has a guide to use MsQuic with the
| GDK.
| iforgotpassword wrote:
| > MS also supports direct QUIC uses on Xbox Series consoles
|
| This is so fucking ridiculous. Tried writing my first android
| app a few months ago, and for reasons wanted to do QUIC. I
| was absolutely sure this was going to be a no-brainer, as
| Google more or less being the inventor of it, or at least a
| very strong proponent, must have made quic a first class
| citizen of Android and its SDK years ago now. I mean, all
| _their_ apps use it. Imagine how much in disbelief I was when
| I learned there is nothing available, except a library that
| wraps Chrome 's network engine and let's you use http3 over
| quic, but not quic directly. You'd have to fiddle with using
| a 3rd party native lib and some bindings and whatnot, so I
| just deleted Android studio and went for a walk. Yes I'm
| still bitter.
| [deleted]
| tenebrisalietum wrote:
| You can make a self-signed CA certificate any time you want,
| and anything with a browser will let you import it AFAIK. This
| can be locked down on corporate Windows machines via Group
| Policy, so this really only affects computers already behind
| myriad layers of HTTP security layer gunk. You'll just have to
| access your home streaming server from your phone over the
| guest Wi-Fi.
| judge2020 wrote:
| If only browsers could read/install third party certificate
| authorities, then you could do crazy things like serve an
| internal domain securely via a certificate you generated
| yourself, assuming the users agree to install your CA - or
| better yet, you could be an enterprise purchasing computers for
| your employees with the CA preloaded. Of course, that's not
| possible right now.
| n3t wrote:
| Can one create a CA with a limitation to `*.example.com`?
|
| Or can one install an arbitrary CA and limit it to
| `*.example.com`?
| zamadatix wrote:
| Name Constraints allow for this.
| Macha wrote:
| Just be aware that support in non-browser software is not
| so widespread and for something which doesn't understand
| the extension, it's still effectively a global CA if
| installed
| jeffparsons wrote:
| Be that as it may, this still doesn't seem like the big
| deal that so many people are making it out to be. Support
| for HTTP/1.1 and HTTP/2 won't be going anywhere fast, so
| legacy software can keep doing what it's always done,
| can't it?
|
| HTTP/3 can be for people/applications that value what is
| has to offer, and can largely be ignored otherwise.
| midasuni wrote:
| Name constraints allow it, if be happier if I could import
| a certificate and set my own constraints in the certificate
| manager - "I trust this for all *.bigcorp.com domains but
| not for mybank.com"
| tialaramex wrote:
| If you don't care about older software, in particular older
| Macs, yes, you can proceed as follows:
|
| 1. Make CA #1 2. Make CA #2, have CA #1 sign (a certificate
| for) this CA with a constraint saying it is valid only for
| DNS names in example.com and nothing else 3. Destroy CA #1
| irrevocably 4. Trust CA #1 in your browser or other relying
| party software 5. You can now use CA #2 to issue with your
| constraint.
|
| If you care only about specific web browsers, you can
| modify the browser software (this is practical for Firefox
| and to some extent Chromium) to alter its built-in trust
| semantics to give you chosen CA different constraints.
| Firefox ships with constraints for a handful of CAs which,
| in Mozilla's opinion, can be afforded such limited trust so
| you can model your changes on how that works.
| https://wiki.mozilla.org/CA/Additional_Trust_Changes
| kevin_thibedeau wrote:
| Firefox runs its own cert store so you can do precisely this.
| lol768 wrote:
| I think you missed the sarcasm.
| rektide wrote:
| I happen to be watching Steve Sanderson's _Why web tech is like
| this_ presentation, which has some early history, runs the
| original TBL projects. Might be fun for some interested in HTTP
| 's (and a lot of other web tech, HTML/CSS/JS's) evolution:
| https://www.youtube.com/watch?v=3QEoJRjxnxQ
| yibberish wrote:
| clumsysmurf wrote:
| I long while back, there was a book called HTTP: The Definitive
| Guide. Is there anything like it that is current?
| ShamelessC wrote:
| I'm assuming the linked article didnt quite do it for you
| or...?
___________________________________________________________________
(page generated 2022-10-15 23:01 UTC)