The way I look at the major improvements in the two recent HTTP versions is:
HTTP/2 was needed to better utilize the bandwidth by keeping the TCP connection busy without silence period. That means instead of "request - RTT delay - response - RTT delay - request - RTT delay- response ..." we have "request - request - request - response - response - response ..." without pauses between responses. These pauses in HTTP/1.1 cause the congestion windows drop to initial value and slow start after each response. For HTTP/1.1 the workaround was to establish multiple TCP connections to fetch resources in parallel. This + using multiple domains for assets was best practice with HTTP/1.1 and is not needed (or even discouraged) with HTTP/2.
The above change has a drawback: for links with high latency and lower reliability a single packet loss is causing this whole pipline to stall. The cause is how TCP retransmission + congestion control works. This is in contrast to multiple HTTP/1.1 connections where just single connection would stall and take time to recover to full speed. This has bigger impact on performance in wireless connections and content like live video streaming so something that the world move to.
To fix that HTTP/2 moves congestion control to upper layer that understand what is transmitted. Loss of single packet no longer causes the whole pipeline stall, it affects only the resource for which the loss occurred.
This all is needed especially in mobile networks. In older times the a good CDN was used to put content close to the user (or at least terminate the TCP connection close to the user) lowering the round trip time, TLS handshake time. With mobile connections becoming more popular this doesn't work because the big delay is in the "last mile" - in mobile link. You just can't move the CDN's server closer to cut this latency.
Of course there are also other improvements like faster connection establishment (with TLS).
QUIC and http/3 address three problems in my mind:
a) multiplexed tcp of http/2 is tcp-in-tcp with its well known problems. tcp over udp is not so problematic
b) as a udp protocol, congestion control is user space controlled. There's been some work on congestion control lately, but it's difficult to explore that for client to server transfers with tcp
c) path mtu detection in the presence of icmp blackholes is still a mess, in 2021; a udp based protocol puts control of packtization into userland.
I think that's fairly factual, so here's the opinion part.
a) tcp-in-tcp problems could have been solved by just using tcp. http/2 without multiplexing still gives some benefits (explicit server shutdown indications are a big one for me; binary vs text and compression may help with data length, but framing may not)
b) plugable congestion control would make more sense here to me. A certain company behind quic also controls a widely deployed operating system, and could make it happen; although adoption is slow, so it would take longer than switching to quic for their sites.
c) turning on path mtu blackhole detection by default on that same company's mobile operating system would help here as well. A certain other mobile OS without a diverse hardware marketplace quickly discovers and responds to lost big packets by sending smaller packets.
By moving everything into the application, QUIC circumvents the extremely slow pace of innovation in operating systems' TCP stacks. Unlike userspace TCP, which requires elevated privileges such as CAP_NET_RAW on Linux, QUIC does not require any special privileges.
Head of line blocking in http/2, and performance/reliability on dodgy mobile connections. It's definitely getting to the point of diminishing returns, but given how widely http is used it does seem to justify the effort.
TCP HOLB is hardly diminishing returns; it’s the defining way in which HTTP/2 is not uniformly superior to HTTP/1.1—because of it, for a meaningful fraction of users, single-connection HTTP/2 behaves visibly worse than its primary competition, up-to-six-connection HTTP/1.1. (Lack of WebSockets support used to be another point, but that got fixed a year or two back.)
Some of the other benefits of HTTP/3 over HTTP/2, like the bypassing of TCP’s outmoded congestion control, are definitely more like diminishing returns.
HTTP2 always seemed like a great idea for the backend and a "meh" idea for the front end. On backend systems where networks and lines are mostly reliable and fast, HOLB is generally not a problem.
It's only when you start talking about connections outside a backend network that HTTP2's weaknesses start to show (specifically mobile networks).
I wouldn’t call it “meh”. For almost all sites, it’s at least a slight win for the significant majority of users; for most sites, it’s a moderately significant improvement for most users; for some sites, it’s a huge improvement for most users. Certainly high-latency, high-loss networks undermine its benefits, but it’s still generally a definite improvement over HTTP/1.1.
Besides what is already mentioned in sibling comments:
QUIC requires one less RTT for connection establishment than TCP+TLS, which reduces the time to first byte on new connections.
Besides this QUIC allows the client to migrate between different IP addresses and networks. This means that e.g. a download on a phone doesn't get interrupted if the user moves from cellular to WiFi.
Lots of resources are out there but essentially it expands http/2's multiplexed requests by building on top of UDP instead of TCP so it can ensure those requests don't block each other.
If you've got enough cynicism to decide the only beneficiaries of QUIC are just "adtech companies" then I suggest saving a little of that cycnicism to put scare quotes around that word "security" in the second half of your sentence.
If you have effective security neither TLS 1.3 nor QUIC change anything in that regard. But they probably do change things for you. This means you did not have effective security.
Those making appliances or software to deliver "security" would very much like you to blame the designers of QUIC or TLS 1.3 for the fact that their products are ineffective. It is as if the Carbolic Smoke Ball Company had tried to blame doctors for diagnosing Carlill with Influenza rather than accepting that, in fact, Carbolic Smoke Balls don't work and so they owe her £100 per their advertisement.
HTTP/2 was needed to better utilize the bandwidth by keeping the TCP connection busy without silence period. That means instead of "request - RTT delay - response - RTT delay - request - RTT delay- response ..." we have "request - request - request - response - response - response ..." without pauses between responses. These pauses in HTTP/1.1 cause the congestion windows drop to initial value and slow start after each response. For HTTP/1.1 the workaround was to establish multiple TCP connections to fetch resources in parallel. This + using multiple domains for assets was best practice with HTTP/1.1 and is not needed (or even discouraged) with HTTP/2.
The above change has a drawback: for links with high latency and lower reliability a single packet loss is causing this whole pipline to stall. The cause is how TCP retransmission + congestion control works. This is in contrast to multiple HTTP/1.1 connections where just single connection would stall and take time to recover to full speed. This has bigger impact on performance in wireless connections and content like live video streaming so something that the world move to.
To fix that HTTP/2 moves congestion control to upper layer that understand what is transmitted. Loss of single packet no longer causes the whole pipeline stall, it affects only the resource for which the loss occurred.
This all is needed especially in mobile networks. In older times the a good CDN was used to put content close to the user (or at least terminate the TCP connection close to the user) lowering the round trip time, TLS handshake time. With mobile connections becoming more popular this doesn't work because the big delay is in the "last mile" - in mobile link. You just can't move the CDN's server closer to cut this latency.
Of course there are also other improvements like faster connection establishment (with TLS).