|
|
|
|
|
|
by siebenmann
1844 days ago
|
|
|
My feeling (and why I wrote the article) is that it's easy to overlook that you need to do something active to enable your users to use HTTP/3. Previous upgrades to HTTPS of various forms generally required no firewall changes, unless you had a broken firewall that insisted on seeing specific things in TLS handshakes and dropped the connection otherwise. For instance, you can add HTTP/2 to your own servers or talk to HTTP/2 servers outside with no firewall change. But any shift to (or toward) HTTP/3 now requires firewall changes unless you're already passing UDP 443. You can't just deploy it on your own servers or assume that your users will be able to transparently take advantage of it; now you may need to do something active to enable it. It's easy to overlook that, especially since we're not likely to see active failures when HTTP/3 doesn't work, just a quietly degraded experience. (I'm the author of the linked-to entry, and I should have done a better job of explaining this in the original entry.) |
|
|
Another way of looking at it would be that you have been actively blocking HTTP/3 (and probably many other useful but uncommon protocols) for your users and all that needs to happen to make it work is for you to stop doing that. Blocking all unknown things by default is just another form of protocol ossification.
That said when you're responsible for network security I can imagine how a block-by-default policy is tempting and hopefully people subjecting their users to such a policy will read your article and add an exception.