Jonathan Looney of Netflix
I'm sorry, but that name just creased me up!
On Tuesday, Netflix, working in conjunction with Google and CERT/CC, published a security advisory covering a series of vulnerabilities that enable denial of service attacks against servers running HTTP/2 services. HTTP/2, like earlier versions, governs the application layer of the internet stack; it runs atop the transport …
Good idea until...
My Netflix is not working.
You have a virus that is attacking our servers.
No I don't.
Yes you do.
Cancels subscription because everything else works OK.
The virus turns out to be a pwned router, rogue client on WiFi, random user on public / cloud AP, a dodgy app on a mate's phone that you allowed to connect, the previous holder of the IP address dynamically assigned by your ISP, etc.
Nor is TCP "the transport layer" or IP "the network layer".
The OSI model does not fit TCP/IP well. It doesn't fit anything well, except rump OSI implementations such as ISODE.
More importantly, if a reader doesn't know what HTTP/2 is, the sort of handwaving gloss that's used in the article will be no help whatsoever. It's neither correct nor usefully incorrect.
HTTP/1.1 is a badly stovepiped protocol - but then most communications protocols are, because protocol design is difficult. Also, new protocols have to be relatively uncomplicated to get traction, which inevitably means that if they become popular they'll see new use cases and feature creep which complicate the original design.
HTTP/2, on the other hand, is a ghastly mess from the ground up. It was rushed through the IETF to jump on a Google bandwagon (or, if you prefer, to try to pull the standardization reins on a runaway Google horse). I followed some of the HTTPbis mailing list discussions for a while, but they were too depressing to continue with. All other concerns sacrificed on the altar of pushing more "content". It's almost enough to make me miss SNA.