SYS ARCHITECTLearning Platform
Settings
Theory

HTTP vs. HTTPS: The Protocol Evolution

📋 Overview

HTTP (HyperText Transfer Protocol) and its secure counterpart, HTTPS, are the backbone of web communication. Over the last decade, the protocol has evolved from the text-based HTTP/1.1 to the binary, multiplexed HTTP/2, and finally to the UDP-based HTTP/3, each iteration aimed at reducing latency and solving transport-layer bottlenecks.


🏗️ Core Principles & Characteristics

  • HTTP/1.1: Text-based, serial processing. Suffers from Application-layer Head-of-Line (HoL) blocking.
  • HTTP/2: Binary framing layer. Introduces Multiplexing (multiple streams over one TCP connection) and Header Compression (HPACK).
  • HTTP/3 (QUIC): Replaces TCP with QUIC (over UDP). Solves TCP-layer HoL blocking by making streams independent at the transport level.
  • HTTPS (TLS): Wraps HTTP in a Transport Layer Security tunnel, providing Encryption (Privacy), Authentication (Identity), and Integrity (No tampering).

⚖️ Trade-offs: Pros & Cons

  • HTTP/2 Pros: Significant speed boost via multiplexing and server push.
  • HTTP/2 Cons: On high-loss networks (mobile), a single lost packet stalls all multiplexed streams due to TCP's internal mechanics.
  • HTTP/3 Pros: Zero Round-Trip Time (0-RTT) handshakes; seamless transition between Wi-Fi and mobile data (Connection Migration).
  • HTTP/3 Cons: UDP is often throttled or blocked by older enterprise firewalls; higher CPU overhead for QUIC processing.

🌍 Real-World Implementation

  • TLS 1.3: The modern standard that reduces the handshake from 2 round-trips to 1, significantly lowering TTFB (Time to First Byte).
  • HSTS (Strict Transport Security): A header that forces browsers to use HTTPS, preventing "man-in-the-middle" downgrades.
  • ALPN (Application-Layer Protocol Negotiation): How a client and server decide whether to use HTTP/1.1, 2, or 3 during the TLS handshake.

💡 Interview "Gotchas" & Tips

  • Multiplexing isn't magic: In HTTP/2, it solves the "6 connections per domain" limit but doesn't solve packet loss latency. Only HTTP/3 (QUIC) fixes the packet loss issue.
  • 0-RTT Security: While fast, TLS 1.3's 0-RTT is vulnerable to Replay Attacks. Servers must implement specific protections to handle this.
  • Keep-Alive: Distinguish between HTTP Keep-Alive (reusing a connection for multiple requests) and TCP Keep-Alive (checking if the connection is still alive).

📐 Suggested Architecture Primitives

  • Reverse Proxy (Nginx/Envoy): For TLS termination and protocol upgrading.
  • CDN: To offload the heavy TLS handshake closer to the user.
  • Certificate Authority (Let's Encrypt): For automated SSL/TLS certificate management.
  • QUIC/UDP Listeners: Required for HTTP/3 support.
Canvas