Hacker News
by rickmb 5081 days ago
After the whole IPv6 story, I'm surprised the author ignores the political dimension of designing a new protocol. As Mitch Kapor said "Architecture is Politics". It's not just about what solution is best from a technological perspective, it's about what we want our future to look like.

The internet has become way more important than back when these protocols first became standard, and every time a protocol or standard is up for debate, political and commercial forces try to influence it in their favor. Some of the concepts they tried to shove into IPv6 were downright evil, and would have killed the internet as we know it. Personally, I'm relieved all that is left is a small, un-sexy improvement which, albeit slowly, will eventually spread and solve the only really critical problem we have with IPv4.

I really dread subjecting HTTP to that process. Although I fully agree with the author's critique of cookies for instance, the idea of replacing them with something "better" frankly scares the crap out of me. Especially when the word "identity" is being used. You just know what kind of suggestions some powerful parties will come up with if you open this up for debate, and fighting that will take up all of the energy that should be put towards improving what we already have.

As techies we should learn to accept design flaws and slow adoption and look at the bigger picture of the social and political impact of technology: HTTP may be flawed, but things could be way, way worse.

7 comments

You don't go to the author of Varnish for political advice, you go to the author of Varnish for technical advice. I'd be disappointed if he took advantage of his good name to push political advice when he got his reputation for being good at technical matters.

After all, is any of his technical advice invalid due to political concerns that are not wild speculation on your part?

----

Not to say that politics doesn't enter into it, just that it should be brought to the table and discussed by other actors. And those actors should probably be all ears about the technical issues.

>Not to say that politics doesn't enter into it, just that it should be brought to the table and discussed by other actors.

How so? You seem to be distinguishing between political actors (politicians?) and technical actors.

In a democracy it is not just important but essential that ALL have their say on policy, not just "political experts".

Moreover, the author seems to completely miss the point that SPDY was designed to overcome wide area networking performance issues with the way HTTP uses TCP. Which it does quite well for substantial latency improvements.

He throws out a lot of criticism about SPDY being haphazardly designed (with no explanation), then we find out that really he has an axe to grind over cookies and SSL.

I call bullshit on the whole post. I found nothing useful in it. I almost fell for the HTTP router bit, but again he offers no more than vague criticisms. If SPDY hasn't been a problem at Google and Facebook for load balancers, SPDY isn't badly designed for load balancer implementation. It leads me to believe that his real issue is that Varnish must have been coded in such a way to make it hard to support SPDY. Or perhaps that the author's real beef with SPDY is that he didn't design it.

Any downvoters care to give a more specific response? The OP completely missed the actual purpose of SPDY/HTTP 2.0, without contributing constructive feedback. Facebook's comments on HTTP 2.0 proposals were much more useful:

http://lists.w3.org/Archives/Public/ietf-http-wg/2012JulSep/...

> Some of the concepts they tried to shove into IPv6 were downright evil, and would have killed the internet as we know it

Oh? Got an example? I've never heard of this (but don't really follow IPv6 stuff).

The evil bit? I'm having a hard time coming up with something serious that would be enough to kill the internet as we know it.

I'm guessing the OP was talking about something that would make the internet less anonymous.

This is a well-thought-out, excellent comment that makes perfect sense. Thank you. When huge corporations track you the way they are tracking you currently, most of the time, they don't get to know who you really are (except Facebook, because they know 'you'). That is, your identity. That's the only level of control you have over your anonymity. And these guys are proposing a new protocol just to remove that. Ridiculous.

I suspect you are reading too much into the word "identity". It is just a matter of identifying the endpoint, so the HTTP router can delegate requests from one user to the same backend instance in any given session. This, in turn, will give a user a consistent image of the state at the server independently of cache propagation in the backend. For example. You don't need the user's real life identity to do this, and you don't need the same identity across different sites or across different sessions.

This is currently sometimes done by cookies, which makes life difficult for HTTP routers. He is proposing a mechanism to keep the identifying-part while getting rid of problems in the HTTP router layer. The way I read this, it seemed to be without introducing additional privacy concerns and in fact removing some. (Cookies can carry more than identity)

There is a detailed technical discussion to be had about implementing all of this, and in this discussion any privacy concerns would become visible and open for discussion. But I think it is a leap to say that the comments in TFA would necessarily make for a world bereft of privacy ;)
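The routing idea in the comment above, sketched as an added example that is not part of the original thread or of any HTTP proposal: a router pins a session to one backend using only an opaque, random, per-site token, compared with digging the same value out of a Cookie header. The `session-id` header, the `sid` cookie name, the backend names and all function names are hypothetical.

```python
import hashlib
import secrets
from http.cookies import SimpleCookie
from typing import Optional

BACKENDS = ["app-1", "app-2", "app-3"]  # hypothetical backend instances


def new_session_id() -> str:
    """Random token minted per site and per session; encodes nothing about the user."""
    return secrets.token_urlsafe(16)


def pick_backend(session_id: str, backends=BACKENDS) -> str:
    """Rendezvous hashing: the same id always maps to the same backend, and
    removing a backend only remaps the sessions that were pinned to it."""
    def weight(backend: str) -> bytes:
        return hashlib.sha256(f"{backend}|{session_id}".encode()).digest()
    return max(backends, key=weight)


def route_by_header(headers: dict) -> Optional[str]:
    """Router reads one opaque field (hypothetical 'session-id' header)."""
    sid = headers.get("session-id")
    return pick_backend(sid) if sid else None


def route_by_cookie(headers: dict, cookie_name: str = "sid") -> Optional[str]:
    """Cookie-based affinity: the router has to parse the whole Cookie header,
    which also carries unrelated client-side state, to find one value."""
    jar = SimpleCookie()
    jar.load(headers.get("cookie", ""))
    morsel = jar.get(cookie_name)
    return pick_backend(morsel.value) if morsel else None


if __name__ == "__main__":
    sid = new_session_id()
    # Constructed sample requests carrying the same session id two ways.
    via_header = {"session-id": sid}
    via_cookie = {"cookie": f"theme=dark; sid={sid}; cart=42"}
    print(sid, route_by_header(via_header), route_by_cookie(via_cookie))
```

Because the token is freshly generated for each session and never shared between sites, the router gets stable affinity without learning who the user is or linking one session to another.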

> Although I fully agree with the author's critique of cookies for instance, the idea of replacing them with something "better" frankly scares the crap out of me. Especially when the word "identity" is being used.

Ever heard of evercookie? Does that not scare you? Would creating a clean, well-understood solution that users can actually control not be better than what we have now?

There is just so much wrong with cookies, it's really surprising that no HTTP upgrades propose anything better. For one, cookies confuse session information and client-side storage, and thus work poorly in both roles.

An evercookie is actually pretty straightforward to remove, if you know what you're doing with Firebug/Firecookie. The only tricky thing it does is persist a cookie in the sessionStorage of your window object, which isn't cleared when you clear your browser cache.

> Although I fully agree with the author's critique of cookies for instance, the idea of replacing them with something "better" frankly scares the crap out of me.

> Especially when the word "identity" is being used. You just know what kind of suggestions some powerful parties will come up with if you open this up for debate, and fighting that will take up all of the energy that should be put towards improving what we already have.

Oh wow, I hadn't thought of that. Reading that critique I was just thinking "oooh doing away with cookies would be a great thing", slightly wondering what one could replace it with ... but you're right, they'd probably replace it with something extra plus plus scary.

There should be a way to "identify" yourself against sites you are visiting, which does not leave tracks in your computer, so when you visit another site with a Facebook/Google "goodie" they cannot identify you again.

The problem is that cookies are in your computer; they should be ephemeral (you can do it, but it is not standard).

But then, yes, Facebook and Google and even Governments will try to know everything about you.

Cookies, but blocking 3rd-party cookies, solve that, don't they?