The HTTP (Hypertext Transfer Protocol) protocol, the cornerstone of the Web, is undergoing its biggest change in almost a decade. A new version, HTTP/3 (or H3), is being rapidly implemented, and it brings important changes that result in more security and performance for your web services and applications.
In this article, we’ll explore one of the main aspects of HTTP/3: security. We’ll detail how the new protocol helps protect your applications from increasingly present threats.
The 5 Main Security Benefits of HTTP/3
Encrypted by Default
The QUIC network protocol, on top of which HTTP/3 is implemented, is designed to be secure by default. QUIC uses the Transport Layer Security (TLS) 1.3 encryption protocol from the start, which means that all HTTP/3 traffic is always encrypted. In contrast, previous versions of HTTP could be used with or without encryption, with the HTTPS prefix in the URL indicating the use of the secure version.
This encryption includes the actual data, headers, and connection metadata. This reduces the risk of man-in-the-middle attacks, in which attackers exploit the absence of encryption to intercept or modify communications between two parties.
Protection Against Common Vulnerabilities
QUIC is designed to protect against several common web vulnerabilities. For example, it includes built-in protection against some types of DDoS attacks, such as amplification attacks, in which a small request is turned into a much larger payload to overwhelm a server.
QUIC also mitigates the risk of connection hijacking by including security features that verify the integrity of the connection and the data being transferred. This makes it more difficult for attackers to inject malicious data or take control of a web session.
Improved Handshake and Lower Latency
QUIC improves the traditional TLS handshake process by combining the transport layer handshake with the TLS handshake, which reduces the number of round-trip times (RTTs) required to establish a secure connection.
This not only speeds up the connection setup but also limits the window of opportunity for attackers to interfere with the handshake process, as it gives them less time to compromise the connection configuration.
TLS 1.3 also supports a feature called 0-RTT Session Resumption that, roughly speaking, allows a client to “skip the formalities” and reuse previously negotiated keys when initiating a connection with a server that has been accessed recently. This means that the handshake process does not need to be restarted from scratch, and data transfer can begin more quickly.
Diagram comparing the negotiation of a secure connection on HTTP/2 and HTTP/3
Lower Risk of Protocol Downgrade Attacks
Protocol downgrade attacks occur when an attacker forces a connection to use an older and less secure version of a protocol. For example, an attacker might try to force a client to use HTTP/1.1 instead of HTTP/3, which is more secure.
With HTTP/3, the risk of these attacks is significantly reduced. Because QUIC is built with the latest security standards in mind, including mandatory TLS 1.3, it does not support obsolete encryption or handshake protocols, which are often the preferred targets for downgrade attacks.
This means that an attacker cannot force an HTTP/3 connection to use a less secure protocol. This helps to protect user data and ensure that communications are private and confidential.
Improved Support for Connection Migration and IP Spoofing Prevention
The QUIC protocol includes a feature that allows connections to survive changes in the client’s IP address, known as connection migration. This is particularly useful for mobile devices, for example, that can frequently switch from a Wi-Fi connection to one using a cellular network.
Each QUIC connection is identified by a unique and secure connection ID, and not just by the combination of IP addresses and ports. This reduces the risk of IP spoofing attacks, in which an attacker pretends to be another user by falsifying the IP address in the packet headers. The secure connection ID ensures that even if the IP address changes, the connection remains associated with the correct client.
HTTP/3 at Azion
The modern edge computing platform at Azion leverages the benefits of HTTP/3. With over 100 edge locations worldwide, it ensures fast content delivery to your customers, and security features like our sophisticated WAF protect your applications, including legacy ones, against today’s major threats, quickly and without the need to modify code.
HTTP/3 support is already available to all users of our platform, and can be enabled at no extra cost. To do this, simply activate the “Support HTTP/3” option when creating an application (or in the settings of an existing one).
This feature can be enabled without fear of compatibility issues, as all major web browsers already support the new protocol. If a non-compatible client attempts to establish a connection, it will transparently fall back to HTTP/2. If you have any doubts, consult our documentation.
You just need to toggle a switch in your application’s properties to enable HTTP/3 support.
Conclusion
As we discussed earlier, the arrival of HTTP/3 marks the emergence of a new generation of faster and safer web applications. The combination of QUIC and TLS 1.3 raises the bar of protection by eliminating vulnerabilities from previous versions and offering advanced features against modern attacks.
The more agile handshake, mandatory encryption, and resilience to IP changes ensure more secure and robust connections, protecting sensitive data and improving the user experience, especially in increasingly popular mobile connections.
This is just the beginning of the HTTP/3 story. We will continue to follow the evolution of this important protocol and the positive impacts it brings to web security. Join us on this journey, and enable HTTP/3 support in your applications too. Talk to our experts to learn more.