Theory
HTTP vs. HTTPS: The Protocol Evolution
📋 Overview
HTTP (HyperText Transfer Protocol) and its secure counterpart, HTTPS, are the backbone of web communication. Over the last decade, the protocol has evolved from the text-based HTTP/1.1 to the binary, multiplexed HTTP/2, and finally to the UDP-based HTTP/3, each iteration aimed at reducing latency and solving transport-layer bottlenecks.
🏗️ Core Principles & Characteristics
- HTTP/1.1: Text-based, serial processing. Suffers from Application-layer Head-of-Line (HoL) blocking.
- HTTP/2: Binary framing layer. Introduces Multiplexing (multiple streams over one TCP connection) and Header Compression (HPACK).
- HTTP/3 (QUIC): Replaces TCP with QUIC (over UDP). Solves TCP-layer HoL blocking by making streams independent at the transport level.
- HTTPS (TLS): Wraps HTTP in a Transport Layer Security tunnel, providing Encryption (Privacy), Authentication (Identity), and Integrity (No tampering).
⚖️ Trade-offs: Pros & Cons
- HTTP/2 Pros: Significant speed boost via multiplexing and server push.
- HTTP/2 Cons: On high-loss networks (mobile), a single lost packet stalls all multiplexed streams due to TCP's internal mechanics.
- HTTP/3 Pros: Zero Round-Trip Time (0-RTT) handshakes; seamless transition between Wi-Fi and mobile data (Connection Migration).
- HTTP/3 Cons: UDP is often throttled or blocked by older enterprise firewalls; higher CPU overhead for QUIC processing.
🌍 Real-World Implementation
- TLS 1.3: The modern standard that reduces the handshake from 2 round-trips to 1, significantly lowering TTFB (Time to First Byte).
- HSTS (Strict Transport Security): A header that forces browsers to use HTTPS, preventing "man-in-the-middle" downgrades.
- ALPN (Application-Layer Protocol Negotiation): How a client and server decide whether to use HTTP/1.1, 2, or 3 during the TLS handshake.
💡 Interview "Gotchas" & Tips
- Multiplexing isn't magic: In HTTP/2, it solves the "6 connections per domain" limit but doesn't solve packet loss latency. Only HTTP/3 (QUIC) fixes the packet loss issue.
- 0-RTT Security: While fast, TLS 1.3's 0-RTT is vulnerable to Replay Attacks. Servers must implement specific protections to handle this.
- Keep-Alive: Distinguish between HTTP Keep-Alive (reusing a connection for multiple requests) and TCP Keep-Alive (checking if the connection is still alive).
📐 Suggested Architecture Primitives
- Reverse Proxy (Nginx/Envoy): For TLS termination and protocol upgrading.
- CDN: To offload the heavy TLS handshake closer to the user.
- Certificate Authority (Let's Encrypt): For automated SSL/TLS certificate management.
- QUIC/UDP Listeners: Required for HTTP/3 support.
Canvas