Firefox 35 was released this week and became the first browser to enable support for the HTTP/2 protocol by default.
The HTTP/2 specification has not been finalised so Firefox actually enabled the Draft 14 version of HTTP/2 but little is expected to change in the final draft. Google is now supporting HTTP/2 draft 14 on its web servers alongside the SPDY protocol giving us a chance to compare the performance of raw HTTPS, SPDY and HTTP/2 on the same web page.
We also updated HttpWatch this week so that it supports HTTP/2 within Firefox. It has new columns to display information about the protocols being used by each request:
The performance test used HttpWatch with Firefox to run a series of simple page load tests against the Google UK home page using the three protocols:
We switched between the protocols by enabling and disabling the following entries in Firefox’s about:config page:
Each test was performed in a fresh instance of Firefox with an empty browser cache. Although this testing was simplistic and only used a simple page it does highlight some important differences between the protocols.
Most sites already use compression when downloading textual content as it provides a significant performance benefit. Unfortunately, HTTP/1.1 doesn’t support the compression of HTTP headers that are attached to every HTTP request and response. SPDY and subsequently HTTP/2 were designed to address this shortcoming using different types of compression.
It’s possible to see the difference in the generated header sizes by looking at a request that has no content. On the Google UK home page there is beacon request that returns no content (a 204 response). These screen shots from HttpWatch show the size of the request headers in the ‘Sent’ column and the size of the response headers in the ‘Received’ column:
HTTP/2 has significantly smaller header sizes due to its use of the HPACK algorithm.
The response message from the server is made up of the response headers and the encoded response content. Given the fact that HTTP/2 creates the smallest headers shouldn’t it always have the smallest response message?
In HttpWatch this seems to be the case for image resources:
However, for textual resources SPDY consistently has smaller response messages even though its headers would be larger than HTTP/2:
The reason for this is the optional padding bytes that can be added to the HTTP/2 DATA frame. HttpWatch doesn’t currently show the padding but in our debug logs we can see that the Google servers add padding to the data frames of textual resources. The reason given in the HTTP/2 spec for using padding is:
Padding can be used to obscure the exact size of frame content, and is provided to mitigate specific attacks within HTTP. For example, attacks where compressed content includes both attacker-controlled plaintext and secret data (see for example, [BREACH]).
Padding isn’t used for image resources because they already have a compressed format that will not contain attacker controlled plain text.
The larger response bodies seen on the Google servers are due to the use of padding in data frames. Although, HTTP/2 produces larger responses than SPDY its encrypted connections could potentially be more secure. This may be an area where tuning can be performed in a trade off between security and performance.
Browsers achieved a performance boost in HTTP/1.1 by increasing the maximum number of connections per host name from two to six or more. This allowed greater concurrency during the download of a page at the cost of extra TCP connections and SSL handshakes . Increasing concurrency allows the bandwidth of the network to be used more effectively because it reduces the blocking of requests.
SPDY and HTTP/2 support concurrency on a single TCP and SSL connection by using multiplexing to allow more than one request at a time to send and receive data on a single connection.
By adding the ‘Connect’ and ‘SSL Handshake’ timings as a columns in HttpWatch you can see that SPDY:
Only create connections for different host names. Whereas, raw HTTPS may create more than one connection per host name to improve concurrency:
EQUAL WINNERS: SPDY & HTTP/2
The multiplexing support added in SPDY and HTTP/2 reduces the number of connections that have to be setup to download a page. As a side benefit web servers will not have to maintain as many active TCP connections when HTTP/2 usage becomes more widespread.
The ‘Page Load’ event in HttpWatch shows when the page was fully downloaded and available for use. In most cases this a reasonable measure of the speed of the page as seen by a visitor to a web site.
The Page Load timing was worse for raw HTTPS probably due to the lack of header compression and the additional TCP connections and SSL Handshakes required. For more complex pages the speed advantage of SPDY and HTTP/2 should be even greater.
We also found that HTTP/2 was consistently faster than SPDY even though its response messages were often larger. The advantage was probably due to the smaller GET request messages produced by HPACK compression. Our network connection to the internet, like many others, is asymmetric in nature – the network upload speed is less than the download speed. This means that any saving in uploaded data has much more impact than the equivalent saving in downloaded data.
HTTP/2 is likely to provide significant performance advantages compared to raw HTTPS and even SPDY. However the use of padding in response messages is an area of potential concern where there could be a trade-off between performance and security.
SSL handshake timings are now displayed in Firefox:
and in-depth information about the SSL protocol used by each connection:
We’ve also made some other SSL related improvements that are available in the Firefox/IE plugins and the HttpWatch Studio log file viewer. The first is that SSL information can now be added as columns in the main request grid:
There’s also a new warning that can be used to highlight HTTPS connections that have potential vulnerabilities:
Every six weeks a new version of Firefox is released by Mozilla. Unfortunately, binary extensions like HttpWatch need to be recompiled and ship a new DLL for each new release.
Currently, HttpWatch supports the following versions of Firefox:
2, 3, 3.5, 3.6, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17
There’s 18 different version of Firefox that HttpWatch needs to support and be tested against. Also. every six weeks the HttpWatch installer increases in size, takes longer to install and takes up more space on the target machine.
We really need to start dropping support for older Firefox versions as we’ll get up to Firefox version 30 in about 18 months time!
One of Firefox’s key benefits is the range and power of the add-ons available compared to Chrome and Internet Explorer. However the rapid release cycle, and the emphasis on change rather than backwards compatibility, means that even non-binary extensions often need to be updated.
Depending on the extension, there may even be a period where the add-on does not work with the latest version of Firefox. So on the one hand you want to keep Firefox updated to ensure that you have the latest security fixes, but on the other you don’t want to keep breaking extensions that you use on a regular basis.
It turns out there is a way to keep your extensions working for longer and keep up with Firefox security fixes.
It’s called Firefox ESR (Extended Support Release):
The idea is that at every 7th major version from version 10 onwards is designated an ESR release.
If you run with this version of the browser you will be in the ESR update channel:
You’ll get all the latest security fixes without breaking compatibility with add-ons for approximately 42 weeks or 7 Firefox release cycles.
So users of Firefox 10.0 ESR would recently have moved to Firefox 17.0 ESR. They will stay on Firefox 17.0 and get security updates until Firefox 24 is released.
It’s not very well publicized by Mozilla, but Firefox 17 ESR is available for download from the Mozilla FTP server.
In future we’re planning on only supporting Firefox versions that include the last two Firefox ESR releases. So, in the update for Firefox 18 we would drop support for Firefox versions 2.0 to 9.0. Then when Firefox 24 is released next year we would drop support for versions 10 to 16.
We’ve studied Firefox version usage on our site and it looks like dropping version support in this way is likely to affect less than 1% of Firefox users.
What do you think? Please let us know in the comments below or by email if the change would significantly impact the way that you use HttpWatch