Our Battlefield

HTTP is our primary battlefield.

The HTTP/1.1 era lasted a long time. One TCP connection, one request. Want parallelism? Open more connections. Browsers capped it at six per domain. So we sharded CDN domains. Sprited images together. Petty optimizations everywhere.

Google shipped SPDY and the real fix finally appeared. Multiplex requests over a single connection. Compress headers. Push from the server. SPDY became the foundation of HTTP/2, then fulfilled its role. No browser supports it now.

HTTP/3 went further. It abandoned TCP for QUIC. Reliable transport reimplemented on top of UDP. No more head-of-line blocking. Mobile clients can change IP addresses without dropping connections. The theory is elegant.

Reality is messier. I was testing HTTP/2 once and it refused to activate. Spent hours bisecting the problem. The culprit was firewall software on my own machine. It was man-in-the-middling TLS traffic and killing the ALPN negotiation for HTTP/2. Not a protocol version issue. A middlebox issue.
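A small diagnostic for the ALPN failure described above, added here as an example rather than the author's code: it offers h2 and http/1.1 in the TLS handshake, reports which protocol the peer selected and who issued its certificate (an intercepting middlebox presents its own CA rather than the public one). The default host name is a constructed placeholder.

```python
import socket
import ssl
import sys

# Constructed placeholder; pass a real host name on the command line.
DEFAULT_HOST = "www.example.test"

def probe_alpn(host, port=443, protocols=("h2", "http/1.1"), timeout=5.0):
    """Open a TLS connection offering the given ALPN protocols and report
    what the peer selected plus the organization that signed its certificate."""
    ctx = ssl.create_default_context()          # verifies chain and host name
    ctx.set_alpn_protocols(list(protocols))
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            # issuer is a tuple of RDNs, each a tuple of (attribute, value) pairs
            issuer = dict(pair for rdn in cert.get("issuer", ()) for pair in rdn)
            return {
                "offered": tuple(protocols),
                "selected": tls.selected_alpn_protocol(),
                "tls_version": tls.version(),
                "issuer": issuer.get("organizationName", "<unknown>"),
            }

def diagnose(result):
    """Classify a probe result into a short verdict string."""
    selected = result["selected"]
    if selected == "h2":
        return "ok: h2 negotiated"
    if selected is None:
        # The peer answered without ALPN at all: either it does not speak
        # HTTP/2, or something in the path rewrote the handshake.
        return ("no ALPN: peer selected nothing; suspect a TLS-intercepting "
                "middlebox or an HTTP/1.1-only server (issuer: %s)" % result["issuer"])
    return ("downgraded: peer selected %s; compare issuer %s with the "
            "expected public CA" % (selected, result["issuer"]))

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_HOST
    try:
        res = probe_alpn(target)
    except (OSError, ssl.SSLError) as exc:
        sys.exit("probe failed: %s" % exc)
    print(res)
    print(diagnose(res))
```

If the interception CA is installed in the local trust store (the usual setup for endpoint firewalls), the handshake succeeds and the issuer field is where the middlebox shows itself.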

Speaking of middleboxes, there was the era of SSL accelerators. We were scrimping on crypto costs. TLS was expensive, so we offloaded it to dedicated hardware. Terminate SSL at the load balancer, send plain HTTP to the backends. Cleartext between the LB and the app servers. Internal network, so no problem — or so the thinking went. LB-terminated SSL is still common, but back then the computational cost of encryption was a genuine concern.

Now encrypting the traffic behind the load balancer is becoming the norm. Zero trust says trust nothing, not even internal traffic. Instead of terminating SSL and stripping back to cleartext, you run mTLS end to end.

HTTP specifications keep evolving. The things sitting in the middle keep dragging them back. The enemy of the protocol is not the protocol. It is the middleman.