HTTP/3 and QUIC
HTTP/3 is HTTP mapped onto QUIC — a new transport that runs over UDP, has TLS 1.3 baked in, and eliminates several long-standing problems with TCP+TLS.
What QUIC fixes
- Transport-level head-of-line blocking. In HTTP/2 over TCP, a single lost packet stalls every stream on the connection. QUIC's streams are independent at the transport layer, so a loss stalls only the stream whose data was lost.
- Slow handshakes. QUIC combines transport and TLS handshakes into a single 1-RTT exchange. Resumed connections use 0-RTT.
- Connection migration. QUIC identifies connections with Connection IDs, not 4-tuples — so when a phone switches from Wi-Fi to cellular, the connection survives without re-establishing.
- Encryption baked in. Almost all QUIC packet contents are encrypted (including most headers), reducing what middleboxes can observe and ossify.
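To make the Connection ID and encryption points above concrete, this added example (not part of the original page) reads the only header fields that the QUIC invariants in RFC 8999 keep readable in every version: the header form bit, the version, and the Connection IDs. The function names, the 8-byte short-header DCID length and the sample datagrams are assumptions constructed for illustration.

```python
import struct

def _take_cid(buf: bytes, pos: int) -> tuple[bytes, int]:
    """Read one length-prefixed Connection ID; reject lengths past the buffer."""
    if pos >= len(buf):
        raise ValueError("truncated before connection ID length")
    end = pos + 1 + buf[pos]
    if end > len(buf):
        raise ValueError("connection ID length exceeds datagram")
    return buf[pos + 1:end], end

def visible_fields(datagram: bytes, short_dcid_len: int = 8) -> dict:
    """Return only the version-independent cleartext fields (RFC 8999).

    short_dcid_len is an assumption: a short header has no length byte, so
    the reader must already know the DCID length the receiving endpoint uses.
    """
    if not datagram:
        raise ValueError("empty datagram")
    if datagram[0] & 0x80 == 0:  # header form bit clear: short header
        if len(datagram) < 1 + short_dcid_len:
            raise ValueError("truncated short header")
        return {"form": "short", "dcid": datagram[1:1 + short_dcid_len].hex()}
    if len(datagram) < 5:
        raise ValueError("truncated long header")
    (version,) = struct.unpack_from("!I", datagram, 1)
    dcid, pos = _take_cid(datagram, 5)
    scid, pos = _take_cid(datagram, pos)
    # Everything after the SCID is version-specific and not parsed here.
    return {"form": "long", "version": version,
            "dcid": dcid.hex(), "scid": scid.hex(),
            "rest_bytes": len(datagram) - pos}

# Constructed sample datagrams (not captured traffic); payload bytes are filler.
DCID = bytes.fromhex("0102030405060708")
SCID = bytes.fromhex("a1a2a3a4")
LONG_PKT = (bytes([0xC0]) + struct.pack("!I", 1) + bytes([len(DCID)]) + DCID
            + bytes([len(SCID)]) + SCID + b"\x00" * 16)
SHORT_PKT = bytes([0x40]) + DCID + b"\xff" * 20

if __name__ == "__main__":
    print(visible_fields(LONG_PKT))
    print(visible_fields(SHORT_PKT))
```

Neither result depends on the UDP source address or port, which is why a receiver can keep matching packets to a connection after the 4-tuple changes.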
Why UDP?
TCP can't be evolved on the public Internet — middleboxes inspect and modify TCP traffic in ways that break new features. QUIC sits on top of UDP, which middleboxes mostly forward unchanged, giving the IETF freedom to evolve the protocol.
HTTP/3 specifics
- Uses QPACK (similar to HPACK but adapted for QUIC's out-of-order streams).
- Server push exists in the spec; browsers have not adopted it.
- Alt-Svc header advertises HTTP/3 availability to HTTP/2 clients.
Deployment notes
- QUIC requires UDP/443 to be open both ways. Some restrictive corporate firewalls block UDP.
- Major CDNs and browsers support HTTP/3; falling back to HTTP/2 over TCP is transparent.
- CPU cost per QUIC connection is higher than TCP+TLS today; hardware offload is catching up.