Google Chrome Drops support for NPN Protocol, used for HTTP/2
Google’s popular Chrome browser will no longer support a technical protocol used for initiating HTTP/2 connections.
By removing this protocol, named “NPN” (Next Protocol Negotiation), some servers will no longer be able to support HTTP/2, which is a large upgrade to the technology that browsers use to communicate with websites.
This change took place on May 25th, 2016, with the release of Chrome 51 to the Stable Channel.
The Importance of Negotiation
When a client and server first connect they “negotiate” in order to exchange necessary information about each other and share their technical capabilities. When attempting to make an HTTP/2 connection, there were two options available for negotiation: NPN and APLN (Application-Layer Protocol Negotiation).
APLN is the successor to NPN. The specific differences between the two protocols are not important unless you are a network engineer (if you are interested in learning more about how they work and what they do, Key CDN has a great article). The important thing to know is that APLN, being the newer protocol, is not as widely supported by web server software as NPN is.
Therefore, by removing support for NPN, Google Chrome is restricting HTTP/2 negotiation to servers that support ALPN. We love HTTP/2 because it provides huge performance benefits that can more than double the speed of your site (when compared to HTTP/1.1) and requires SSL/TLS to be used. So losing HTTP/2 capabilities is not good!
Notably, many Linux distributions, including recent/current versions of CentOS, Debian, and Ubuntu, do not have ALPN support. This is because they are using an older version of OpenSSL, the library that provides the capability.
In most cases, a manual upgrade of OpenSSL will allow you to gain ALPN support and start using HTTP/2. However, some server admins may not have the ability, time, or access, to do so. Until they do, web servers that don’t support ALPN are stuck with HTTP/1.1.
A Controversial Change
Some have said this decision is extremely premature and will slow the transition from HTTP/1.1 to HTTP/2, while providing little benefit.
In defense of the decision, Ilya Grigorik, a web performance engineer at Google, said that “the number of NPN negotiations we see today is nearly negligible.” Specifically, Google’s metrics show that less than 1% of handshakes use NPN to negotiate.
In addition to the removal of NPN, Google Chrome 51 will be removing SPDY, Google’s experimental protocol. While HTTP/2 was still being finalized, Google created SPDY as an intermediate upgrade over HTTP/1.1. Now that HTTP/2 is finalized and has been implemented in many browsers and servers, Google thinks it is time to say goodbye to SPDY.
The deprecation of NPN, combined with the removal of SPDY will certainly lead to a bit of a setback in the adoption of modern web protocols. However, given the size and scale of HTTP/2 migration, this will probably be nothing more than a small blip in a long transition.
5 Ways to Determine if a Website is Fake, Fraudulent, or a Scam – 2018
in Hashing Out Cyber SecurityHow to Fix ‘ERR_SSL_PROTOCOL_ERROR’ on Google Chrome
in Everything EncryptionRe-Hashed: How to Fix SSL Connection Errors on Android Phones
in Everything EncryptionCloud Security: 5 Serious Emerging Cloud Computing Threats to Avoid
in ssl certificatesThis is what happens when your SSL certificate expires
in Everything EncryptionRe-Hashed: Troubleshoot Firefox’s “Performing TLS Handshake” Message
in Hashing Out Cyber SecurityReport it Right: AMCA got hacked – Not Quest and LabCorp
in Hashing Out Cyber SecurityRe-Hashed: How to clear HSTS settings in Chrome and Firefox
in Everything EncryptionRe-Hashed: The Difference Between SHA-1, SHA-2 and SHA-256 Hash Algorithms
in Everything EncryptionThe Difference Between Root Certificates and Intermediate Certificates
in Everything EncryptionThe difference between Encryption, Hashing and Salting
in Everything EncryptionRe-Hashed: How To Disable Firefox Insecure Password Warnings
in Hashing Out Cyber SecurityCipher Suites: Ciphers, Algorithms and Negotiating Security Settings
in Everything EncryptionThe Ultimate Hacker Movies List for December 2020
in Hashing Out Cyber Security Monthly DigestAnatomy of a Scam: Work from home for Amazon
in Hashing Out Cyber SecurityThe Top 9 Cyber Security Threats That Will Ruin Your Day
in Hashing Out Cyber SecurityHow strong is 256-bit Encryption?
in Everything EncryptionRe-Hashed: How to Trust Manually Installed Root Certificates in iOS 10.3
in Everything EncryptionHow to View SSL Certificate Details in Chrome 56
in Industry LowdownPayPal Phishing Certificates Far More Prevalent Than Previously Thought
in Industry Lowdown