{"id":30371,"date":"2026-07-15T22:07:14","date_gmt":"2026-07-15T20:07:14","guid":{"rendered":"https:\/\/daniel.haxx.se\/blog\/?p=30371"},"modified":"2026-07-15T22:07:14","modified_gmt":"2026-07-15T20:07:14","slug":"workshop-basel-day-two","status":"publish","type":"post","link":"https:\/\/daniel.haxx.se\/blog\/2026\/07\/15\/workshop-basel-day-two\/","title":{"rendered":"Workshop Basel day two"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">If you missed it. I already described <a href=\"https:\/\/daniel.haxx.se\/blog\/2026\/07\/14\/workshop-basel-day-one\/\" data-type=\"post\" data-id=\"30351\">day one<\/a>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Caffeinated and ready, we all gathered in the same spacious room as yesterday, but seated in new places as \u201csuggested\u201d by our captain. Some of us even remembered to move over the name tags we wrote yesterday to our new seats.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">No time was wasted on introductions today. We dove straight in at the deep end.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>How AI is changing how HTTP is implemented<\/strong>.<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Is the future of software that we check-in the AI prompts in the git repository and trust it to generate the correct code? Are specifications the new level o<br><br>f abstraction for source code? These questions triggered long discussions with a huge mix of opinions and experiences getting shared about how AI is used, should be used and could be used now and in the future.\u00a0<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Observations and Measurements of HTTP\/2 During Large-Scale Web Crawls<\/strong><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The Common Crawl spidering upgraded to using HTTP\/2 for their scan and as an end result, I believe 61% of the responses used HTTP\/2 and the entire round ended a few percent faster than before, which when you traverse a few billion URLs really makes a difference. They apparently use a locally patched version of <a href=\"https:\/\/nutch.apache.org\/\">Apache Nutch<\/a> for this.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>HTTP\/1.1 behavior divergence<\/strong><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The <a href=\"https:\/\/www.http-probe.com\/entropy\">HTTP probe<\/a> project runs a lot of tests on HTTP\/1 servers and compares how they behave in a lot of different aspects and then generates these awesome tables. Looks like something for every server implementer team to have a look at and decide what of these red boxes that should rather be converted into green alternatives.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Request smuggling test suite&nbsp;<\/strong><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><em>HTTP Zoll<\/em> is a new<strong> <\/strong>test suite for intermediaries that tests intermediaries (what we often call proxies) for a large amount of request and response smuggling issues. Some real world problems found were discussed and as this project aims at going Open Source words were expressed on what kind of precautions and checks that maybe should be done first. I hope we get to hear more about this project soon.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Server performance &amp; measurement<\/strong><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The <a href=\"https:\/\/www.http-arena.com\">HTTP Arena<\/a> is another project that does performance and measurements. They test HTTP server frameworks and present the results in various ways on their site.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Increase and evolve HTTP\/3 &amp; QUIC<\/strong><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">In this <a href=\"https:\/\/mxinden-bot.github.io\/slides\/04-quic-discussion\/\">presentation<\/a>, we were presented with different HTTP\/3 deployment numbers from different sources and the associated reasoning around why they differ but then more importantly. what can and should be done to increase HTTP\/3 usage.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Anti-virus interceptions, enterprise blocks and server-side performance not yet on par with TCP were mentioned as reasons for holding back the numbers.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Reasons for using HTTP\/3 include use cases that encourage QUIC adoption: WebTransport, Media over QUIC and MASQUE (HTTP\/3 proxies and HTTP\/3 proxies over older HTTP proxies).&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Using HTTPS-RR for upgrade was <a href=\"https:\/\/savearoundtrip.com\/\">promoted<\/a>, as every alt-svc response that is returned with an ALPN using h3 should perhaps also offer h3 over DNS. Why doesn\u2019t your server announce its h3 support over HTTPS-RR?<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">QUIC v2 is deployed on an amazing 0.003% of all QUIC v1 domains and there was a discussion why this is so and the common sentiment in the room seemed to be that very few saw a reason for deploying v2 and several expressed a concern that doing so might in fact introduce issues. Someone (you can probably guess who) in the room increased that number a lot by quietly mentioning that haxproxy.org certainly supports it.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>QMUX<\/strong><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.ietf.org\/archive\/id\/draft-ietf-quic-qmux-02.html\">QUIC multiplexing over bi-directional streams<\/a> is a proposal on how to do QUIC-style multiplexing over TLS (or anything else really). It has been adopted by the IETF QUIC working group and there was a somewhat extended discussion about what the HTTPbis group should or should not do with it. The biggest interest might be for data center use, but is that then something IETF should bother about? This is not the first time I blog about this, and even if there did not seem to be a strong demand or need for this, it also did not seem to be completely dead. I bet we will hear more about this later.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Multiplexed proxying: challenges in H2 and H3<\/strong><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Doing a TLS terminating MITM proxy has its challenges and we were given some insights and experiences on the challenges of doing HTTP\/2 and HTTP\/3 to the server.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The browsers refuse to do HTTP\/3 when they detect custom CA certs installed, which apparently is mostly because of lots of past bad experiences with anti-virus software that in particular seems to break QUIC and for users it is not obvious where the blame should go. This then makes browsers not do HTTP\/3 over any MITM proxy.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Some time was spent on how allowing different clients to the proxy uses a shared h2 connection to the target server is complicated and not used, even though in theory it should be possible. An argument was made that it could even lead to worse performance than when using HTTP\/1 but I could not quite follow that reasoning. I\u2019m sure I missed some subtle detail in that explanation.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Making the Web QUICer with Rapid Start<\/strong><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">When the afternoon is running late and we have been promised beer and snacks after the final talk, what is better than a hard core technical presentation with lots of graphs and numbers showing how QUIC performance can be improved by tweaking the congestion control algorithm and send more data in the startup phase of a new QUIC connections? This new approach is called <a href=\"https:\/\/www.ietf.org\/archive\/id\/draft-kazuho-ccwg-rapid-start-02.html\">Rapid Start<\/a> and it looks like a promising and yet simple improvement. According to experiments done on real world traffic, the time to last byte was reduced by 14.7% on average. Not bad at all.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Drinks and food<\/strong><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Our meeting sponsor Adobe graciously sponsored drinks and food so we got to linger around for a few extra hours and talk even more HTTP and networking until the personal firmly insistent they needed us to leave the room and we instead continued solving world problems elsewhere. Topics around the table included the famous HTTP\/2 spec coin flip, the QUIC spin bit, the SCONE situation for QUIC, the timeline behind the QUERY method and many more great stories.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Thanks for the beer!<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Now we can\u2019t wait for day three.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>If you missed it. I already described day one. Caffeinated and ready, we all gathered in the same spacious room as yesterday, but seated in new places as \u201csuggested\u201d by our captain. Some of us even remembered to move over the name tags we wrote yesterday to our new seats. No time was wasted on &hellip; <a href=\"https:\/\/daniel.haxx.se\/blog\/2026\/07\/15\/workshop-basel-day-two\/\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">Workshop Basel day two<\/span> <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":5,"featured_media":27418,"comment_status":"open","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[13,45],"tags":[230,413,436,414],"class_list":["post-30371","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-net","category-web","tag-http","tag-http-workshop","tag-http3","tag-quic"],"_links":{"self":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts\/30371","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/comments?post=30371"}],"version-history":[{"count":6,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts\/30371\/revisions"}],"predecessor-version":[{"id":30385,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts\/30371\/revisions\/30385"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/media\/27418"}],"wp:attachment":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/media?parent=30371"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/categories?post=30371"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/tags?post=30371"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}