
>HTTP/2 protocol — a fundamental protocol that is critical to how the Internet and all websites work

No, it isn't. This whole article seems more like a marketing sales pitch than a disclosure.




I visited a few common sites and they seem to use HTTP/2. I'm not sure the point of arguing it's not fundamental, a cursory glance shows HTTP/1 is bottlenecked by not being able to use the same TCP connection to serve multiple resources (something HTTP/2 fixes)? Is there ire against HTTP/2 adoption, and for what reasons?


I'm not an area expert, but common issues raised over the years:

- HTTP/2 as implemented by browsers requires HTTPS, and some people don't like HTTPS.

- HTTP/2 was "designed by a committee" and has: a lot of features and complexity; most of those features were never implemented by most of the servers/clients; most of those advanced features that were implemented were very naive "checkbox implementations" and/or buggy [0]; some were implemented and then turned out to be more harmful than useful, and got dropped (HTTP/2 push in browsers [1]) etc.

[0] https://github.com/andydavies/http2-prioritization-issues

[1] https://developer.chrome.com/blog/removing-push


Every tech company uses HTTP/2. I'm confused as to what the comment before yours is trying to say, it doesn't seem to be supported by any facts.


HTTP 1.1 connections can be reused, including with pipelining, and it can open multiple sockets to make requests in parallel. HTTP 2 allows out-of-order responses on one socket. Is it worth the complexity? HTTP 1.1 is over 20 years old and battle tested.


Clients stopped using HTTP/1.1 pipelining because it just didn't work well enough.

https://en.wikipedia.org/wiki/HTTP_pipelining#Implementation...


Actually even the diagrams are wrong because they focus on a single connection to explain the problem, carefully omitting the fact that a client can easily open many connections to do the same again. I agree it's mostly marketing and press-releases.


Yes, the attackers will obviously open many connections. In fact, they've always opened as many connections as they have resources for.

But establishing a connection is extremely expensive compared to sending data on an already established channel. With this method they need to open far fewer connections for the same qps.

There's no need to confuse the issue by trying to diagram multiple connections at the same time.



