Comment by jsheard
6 days ago
> It’s also how browsers detect a website supports HTTP3
It's one way, but a H1/H2 connection can also be promoted to H3 via the alt-svc header. The DNS method is slightly better though since it potentially allows a client to utilize H3 immediately from the first request.
Would that help against a man in the middle that blocks the H3 traffic to snoop the URL when the client falls back to H2?
Every browser requires H2 connections to be encrypted so I don't think a MITM downgrading to it would reveal anything. Downgrading to H1 might do since encryption is optional there, but the proper way to prevent that is to submit your domains to the HSTS preload list so that browsers will always require encryption, regardless of protocol, no exceptions.