Comment by johncolanduoni

6 days ago

It’s also how browsers detect a website supports HTTP3. Browsers will request it just to check if they should connect to an https:// URL via HTTP3 (though they generally don’t block on it - they fallback to HTTP1/2 if it takes too long).

3 comments

johncolanduoni

Reply
jsheard  6 days ago

> It’s also how browsers detect a website supports HTTP3

It's one way, but a H1/H2 connection can also be promoted to H3 via the alt-svc header. The DNS method is slightly better though since it potentially allows a client to utilize H3 immediately from the first request.

  • grumbelbart  6 days ago

    Would that help against a man in the middle that blocks the H3 traffic to snoop the URL when the client falls back to H2?

    • jsheard  6 days ago

      Every browser requires H2 connections to be encrypted so I don't think a MITM downgrading to it would reveal anything. Downgrading to H1 might do since encryption is optional there, but the proper way to prevent that is to submit your domains to the HSTS preload list so that browsers will always require encryption, regardless of protocol, no exceptions.