The Asia-Pacific Network Information Center (APNIC) tests the proliferation of HTTP/3 shortly after its introduction. The Internet Engineering Task Force (IETF) standardized the protocol in June 2022. HTTP/3 relies on the QUIC protocol developed by Google, which the IETF recognized as a standard in May 2021. APNIC has now presented the results in a blog post.
Test by test pixel
A test script within an advertisement revealed the results. The script caused the clients to download several 1*1 pixel elements to test their behavior. The testers used nginx web server version 1.12.7 with QUIC support for testing. Additionally, the URLs had domain names with an HTTPS resource record with the ALPN value for HTTP/3 (alpn=”h3″). An Alt-Svc: h3=”:443″ directive was used in the HTTP header to force the client to send requests over HTTP/3.
Scandinavia, Switzerland and UK global pioneers
Although 10 to 15 percent queried the HTTPS resource record for HTTP/3, only 1.5 percent of users actually used HTTP/3 for subsequent requests. Another interesting aspect is the distribution of QUIC usage by region. QUIC is already widespread in Denmark, Sweden, Norway, Great Britain and Switzerland, whereas Asia, Africa and South America hardly use the new protocol yet.
Mobile beats desktop, Firefox behind in the browsers
Since Google initially developed the QUIC protocol, it is not surprising that 47.7 percent of HTTP/3 requests came from Android clients. iOS devices were also high at 44.5 percent using HTTP/3 requests, while macOS was only 1.5 percent. On desktops, Windows led with 10 percent QUIC usage, while Linux clients used the protocol just 0.3 percent of the time. However, it should be mentioned that there must be a small calculation error in the associated table in the blog post. The overall percentage for HTTP/3 is 105 percent – so some inaccuracy is included.
The browsers used show a similar picture: 52.2 percent came from Chrome browsers and again 44.6 percent from Safari. Far behind is Mozilla Firefox with 2.2 percent. Almost unnotable was the use of HTTP/3 in Edge and Opera at 0.6 percent and 0.3 percent, respectively.
Do you already know the free iX newsletter? Register now and don’t miss anything on the monthly release date: heise.de/s/NY1E The next issue will be about the main topic of August-iX: professional hardware from Refurbisher.
Package sizes, stability and performance
The testers also evaluated the packet sizes in QUIC, for which a minimum size of 1200 bytes is specified; QUIC must not be fragmented. Apparently, the developers of the QUIC implementations were very conservative with the packet sizes: 46 percent of the QUIC transmissions only used the minimum 1200 bytes. Not a single connection exceeded a packet length of 1,357 bytes. However, this could also represent an inaccuracy due to the delivered content.
Many network veterans believe that QUIC is unusable on many networks due to its reliance on UDP. Contrary to this view, only 0.24 percent of the initial QUIC connections failed in the test.
There was also a performance comparison between HTTP/2 and HTTP/3 requests. This is exciting because HTTP/2 is built on top of TCP with a separate TLS handshake, and HTTP/3 is built on QUIC with a built-in TLS handshake. HTTP/3 was faster in two thirds of the test cases.
The performance advantages of QUIC and HTTP/3 indicate that the use of the protocols will also increase under Windows, macOS and Linux. In corporate networks in particular, this depends on whether the administrators of security systems allow outgoing connections from UDP/443 with QUIC and HTTP/3. Google and Apple seem to have come a long way when it comes to mobile operating systems. The IP and port switching properties of QUIC also have a very positive effect there during operation, since these end devices switch between networks particularly frequently.
In the discussion about the two protocols, however, researchers are skeptical as to whether there would be data protection problems with website fingerprinting with HTTP/3 and QUIC. The new protocols are also considered to be more CPU intensive than HTTP/2 with TCP and TLS. It is also questionable whether QUIC is really more resistant to attempts at censorship.
All information on the HTTP/3 test can be found in the APNIC blog, as well as the map on the current distribution of the new standard.