Tuesday, February 24, 2015

Lenovo's security debacle reveals blurred boundary between adware and malware

Who's looking after your keys? kris krüg, CC BY-SA

A widely disliked habit of PC vendors is their bundling of all manner of unwanted software into brand new computers – demo software, games, or part-functional trials. Faced with shrinking margins, vendors have treated this as an alternative income stream, going so far as to include adware that generates revenue by monitoring users' surfing habits, for example.


While some software such as virus scanners can be useful, Lenovo, the world’s biggest computer seller, has discovered just how badly it can backfire when including insufficiently tested – or just plain malicious – software.


With vendors often doing little in the way of due diligence, the bundled third-party software can include programs with backdoors, programs that present privacy problems, or programs that trick users into paying for subscriptions. More often the focus is on pushing content and advertising based on tracking users’ web browsing habits, or on targeted marketing, where search results from trusted sites such as Google are tampered with before they’re presented to the user.


SSL redirect


Lenovo’s own-goal was to include Superfish: adware that alters search results in order to inject its own, and offers competing products whenever the user hovers the mouse over keywords in the page.


Encrypted communications require a private and a public key, separate but mathematically linked. The public key, which is published and available, is used by others to encrypt messages and send them to the owner of the public key. The public key’s owner uses their secret, private key to decrypt them.


In order to be sure that public keys belong to whom they claim to, they are verified by certificates signed by trusted authorities. Superfish, however, in order to intercept encrypted search requests made over HTTPS (as Google typically uses), installs a self-signed root certificate on the system. This, despite offering no checking or verification of keys, allows Superfish to take control of encrypted traffic by masquerading as the site’s own certificate. So, for example, when connecting to the Bank of America, the Superfish certificate would claim to be from the Bank of America.



This is called a man-in-the-middle attack, where one party impersonates another in order to fool others into communicating with it. The user thinks they are connecting to a valid site because the browser reports that it has checked the site’s identity via its certificate, but in fact the traffic is going to another party, over another connection.


Can you see the problem? In an effort to pry into users’ searches in order to show more adverts, Superfish created a security hole through which others can get in too, because the private key securing the data sent to Superfish has been cracked. With that key, intruders can also see search queries or any other traffic, even though it appears to the user that they are communicating securely with Google.


A man-in-the-middle attack, as created by Superfish. owasp, CC BY-SA


Bad software used for bad ends


At the core of this problem is the use of SSL hijacker software developed by a firm called Komodia. As their website states:



The SSL hijacker uses Komodia’s Redirector platform to allow you easy access to the data and the ability to modify, redirect, block, and record the data without triggering the target browser’s certification warning.



So we have a piece of software that can trick the user into connecting to a website that is not necessarily what it seems or claims to be, bypassing the browser’s built-in security that would otherwise alert them.


As if this wasn’t bad enough, Superfish embedded the private key used to secure the traffic sent over the encrypted link along with its public key in the certificate. This should never happen, as a private key should not be shared. Not only does the certificate contain both keys, but the private key password has been cracked (it’s “komedia”, would you believe) and is the same on each one of the millions of computers on which Superfish is installed. And not just Superfish: the same weak certificates are bundled with much other software too.


Overview of the SSL redirect


This is a spectacular security risk, meaning any intruder can access the data passing between any user with the certificate installed and any encrypted website they’re connected to. It’s like finding the best locks to secure your home, and then putting the keys under a plant pot outside the front door.


This wouldn’t be the first time that security has failed in this way – not by defeating the encryption, but through a flawed setup and a weak, easily guessable password. Antivirus software firms and Microsoft are already rolling out patches in order to detect and remove this software and its certificate.
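Two checks follow directly from the two failures described above: an unexpected root certificate sitting in the trust store, and a private key shipped alongside certificate material. The following is an added Python example, not part of the original article and not code from Lenovo, Superfish or Komodia. It scans a PEM bundle, flags any private key bundled with certificates, and flags certificates whose SHA-256 fingerprint is not in a baseline of approved roots. The bundle, the baseline and the byte strings standing in for DER certificates are constructed placeholders, not real certificates; on a real machine the input would be an export of the system root store and the baseline an allow-list the organisation maintains.

```python
"""Audit a PEM bundle for two Superfish-style red flags:
   1. a private key shipped alongside certificate material, and
   2. certificates that are not in a known-good baseline of trusted roots.
Standard library only; the input below is constructed, not a real trust store.
"""
import base64
import hashlib
import re

# Matches every PEM block (certificate, private key, ...) in a text bundle.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)


def parse_pem_blocks(text):
    """Return a list of (label, der_bytes) for each PEM block in `text`."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        der = base64.b64decode("".join(body.split()))
        blocks.append((label, der))
    return blocks


def sha256_fingerprint(der):
    """Hex SHA-256 fingerprint of a DER blob, as trust-store tools print it."""
    return hashlib.sha256(der).hexdigest()


def audit_bundle(text, baseline_fingerprints):
    """Report private keys bundled with certificates and certificates that are
    not in the baseline. `baseline_fingerprints` is the set of SHA-256
    fingerprints of roots the organisation has approved (an assumption here)."""
    blocks = parse_pem_blocks(text)
    certs = [der for label, der in blocks if label == "CERTIFICATE"]
    keys = [label for label, _ in blocks if label.endswith("PRIVATE KEY")]
    unknown = [sha256_fingerprint(der) for der in certs
               if sha256_fingerprint(der) not in baseline_fingerprints]
    return {
        "certificates": len(certs),
        "private_keys": len(keys),
        "key_bundled_with_cert": bool(certs) and bool(keys),
        "unknown_certificates": unknown,
    }


def pem_block(label, raw):
    """Wrap raw bytes as a PEM block (used only to build the constructed input)."""
    body = base64.b64encode(raw).decode()
    lines = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    return f"-----BEGIN {label}-----\n{lines}\n-----END {label}-----\n"


# Constructed sample: one approved root, one locally installed interceptor root,
# and the interceptor's private key shipped in the same bundle. These are
# placeholder bytes, not real X.509 structures.
APPROVED_ROOT = b"constructed DER bytes of an approved public root CA"
INTERCEPTOR_ROOT = b"constructed DER bytes of a locally installed interceptor root"
INTERCEPTOR_KEY = b"constructed bytes standing in for the interceptor's private key"

SAMPLE_BUNDLE = (
    pem_block("CERTIFICATE", APPROVED_ROOT)
    + pem_block("CERTIFICATE", INTERCEPTOR_ROOT)
    + pem_block("RSA PRIVATE KEY", INTERCEPTOR_KEY)
)

# Baseline allow-list: only the approved root is known-good.
BASELINE = {sha256_fingerprint(APPROVED_ROOT)}


if __name__ == "__main__":
    report = audit_bundle(SAMPLE_BUNDLE, BASELINE)
    print(f"certificates: {report['certificates']}, private keys: {report['private_keys']}")
    if report["key_bundled_with_cert"]:
        print("RED FLAG: private key shipped alongside certificate material")
    for fp in report["unknown_certificates"]:
        print(f"RED FLAG: certificate not in baseline: sha256 {fp}")
```

The fingerprint comparison is deliberately exact: a root that is "almost" a known CA is precisely the case to flag, since an interceptor's certificate can copy any name it likes but cannot reproduce the approved root's bytes.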


Lenovo sold over 16m Windows computers in the last quarter of 2014 – and many of these are vulnerable. Not only that, but every one of those computers could potentially eavesdrop on the secure communications of every other, as the certificate password is the same for all.


This is likely to be extremely costly for Lenovo, in brand reputation but also in legal actions which have already begun. Although the issue was raised in January on the Lenovo forums, the firm claims to have had no idea of the problem it represented – that is bad enough in itself.


The Conversation

Monday, February 23, 2015

There need not be a digital dark age -- how to save our data for the future

Floppies: storage that's about as reliable as a CD used as a frisbee. orangejack, CC BY-NC-SA

“The internet is forever.” So goes a saying regarding the impossibility of removing material – such as stolen photographs – permanently from the web. Yet paradoxically the vast and growing digital sphere faces enormous losses. Google has been criticised for failing to ensure access to its archive of Usenet newsgroup postings that stretch back to the early 1980s. And now internet pioneer Vint Cerf has warned of a “digital dark age” that would result if decades of data – emails, photographs, website postings – became lost or unreadable.


Millions of paper records more than 500 years old exist today. But your entire family photo collection could be lost forever with just a single hard drive failure. Stone tablets, parchment, paper, printed photographs have all lasted through the centuries. But some of our data may not. What do we do about preserving the digital deluge?


Cost v value


Technical solutions already exist, but they’re not well known and relatively expensive. How much are we prepared to pay to ensure that digital stuff today is usable in the future? Because if there’s cost involved, inevitably we have to think about what has value that makes it worth keeping.


How can we calculate that value? As an example, the holdings of the UK Data Archive include machine-readable versions of all of the General Household Surveys (GHS) carried out between 1971 and 2011. This was a continuous national survey of people living in private households conducted on an annual basis. The cost of the GHS in 2001 was reported as £1.43m, making the value of the survey and its data at least that. As it was the thirtieth year of this survey the value could be said to be higher, as it was part of a series, so we could say the survey was worth more than it cost.


The Office for National Statistics transferred the 2001 data to the UK Data Archive in 2002, where we prepared them for preservation and access and published them. Up until today this survey data has been downloaded by 426 people working in government departments, 759 staff working in education, 1,331 students and 109 others for various uses. So benefits accrue from making the data available even after its creators have exhausted their primary value – re-use is a significant benefit from preserving data and adds value.


But there are also cultural and intellectual and not just economic arguments for preserving data. Survey data like these and their supplementary materials provide a window to the concerns of survey designers and, by extension, society at the time. True, cultural arguments for preservation can be expressed more forcefully for artefacts such as images, films, or written works than survey data. But these data stand a good chance of being included within Britain’s cultural and intellectual heritage precisely because they have been carefully managed and preserved.


Making digital as long-lasting as paper


How can we improve the chances of something being preserved? Professor Michael Clanchy, writing in his seminal From Memory to Written Record, discusses how the concept of records developed. Owing to the media available to scribes in the Middle Ages they made conscious choices between creating an ephemeral document (on a wax tablet) or a permanent record (on parchment). Today digital media proliferates mainly because it provides the easiest means to transmit a work, and so that distinction has to a point disappeared.


Documents and records are now both digital, but the question remains as to what should be kept for posterity and why. These are hard questions which lead to hard choices, because by their nature the cost of preserving digital materials can be much higher than for their analogue counterparts. You can’t just put them in a box and walk away – the effort and tools required to read a 100-year-old letter are considerably less than those required to read a 30-year-old LocoScript document, a format popular on Amstrad computers in the 1980s-90s.


Most born-digital material is, with the right resources, recoverable. However, the chances of born-digital material being usable in, say, 100 years is considerably improved by actively taking steps to ensure that it will – just as medieval scribes made similar decisions in centuries past. Effective digital preservation relies, to some extent, on the activities of the creator as well as the archivist. Today those decisions include providing context, using standard and open file formats, organising material sensibly, and making provision for rights issues to avoid the problem of orphan works.


The future starts now


Organisations can do a better job than individuals, but require a business model and a mandate to do so. Asking someone to pay for something a long time before its value can be realised (if at all) is not an attractive business proposition. What we can do, at a minimum, is try and convince people that it is possible.


Of course neither creator nor archivist can fully understand how future users may approach digital information preserved over time. Social and cultural historians have, by necessity, used records for purposes for which they were not created and often in inventive and interesting ways. Historians are often helped by context, and the digital material we’re creating today needs the same contextual information to ensure its usefulness.


The Conversation

Friday, February 20, 2015

We're all mammals – so why do we look so different?

Family values. Mammals by Shutterstock

It is easy to distinguish a mouse from a cow. But for members of the same class of mammal, where do such differences begin? In 2011, scientists discovered there were differences in cow and mice blastocysts, the tiny hollow spheres of cells which precede the development of the embryo.


So while adult mammals are easily distinguishable, it was remarkable that the researchers were able to still tell the difference at this extremely early stage of development. This early difference was largely due to the crucial process of gene regulation.


Mammalian species are all quite different in look and size, and have colonised all ecological niches – they can be terrestrial (like humans and mice), aquatic (dolphins and whales) and even aerial (bats). Like humans, all mammals have large, complex genomes – the DNA sequences in our cells. These contain the instructions which are used to construct our bodies and brains. However, the best-understood functional units in our DNA – our genes – take up only 2% of our genome sequence, and are extremely similar across non-marsupial mammals. So what makes us so different?


Classical studies – for example, those by geneticists Mary-Claire King and Allan Wilson – have shown that the major differences between mammalian species lie not in the genes themselves, but in where genes are switched on and off – that is, in gene regulation.


She’s the regulatory element. Off on switch by Shutterstock


Understanding gene regulation in mammals is very challenging. The DNA sequences that regulate our genes – so-called regulatory elements – are painstaking to identify. These sequences are spread across our vast genome, and are largely different for each of our tissues. To decipher gene regulation in mammals, we need to locate them and understand how they change as the animal evolves.


Gene regulation evolves


As evolution progresses and mammalian species diverge, various genes are switched on and off. So which aspects of our genome stay the same and where are the changes taking place?


New experimental and computational tools for DNA sequencing are now making it possible to identify regulatory elements and their activity with unprecedented accuracy and speed. These tools allow us to study gene regulation across mammalian genomes, as has been done for humans and mice, but much less so for recently sequenced genomes, such as those of species with unique adaptations – dolphins or subterranean cancer-resistant naked mole rats among them.


Not your average looker. Buffenstein/Barshop Institute/UTHSCSA, CC BY


In a recent study published in Cell, we found the extent of gene regulation differences – the “on/off” switching – across mammals was astonishing. It is rare that the DNA sequences that regulate our genes show similar activities across mammals. More commonly, gene regulatory activities change rapidly as mammals evolve (though still over millions of years – for example, humans and chimps are separated by 6m years of evolution), and such differences probably lead to different genes switching on and off.


In fact, a good fraction of the regulatory elements that we identified in each mammalian genome were active in a single mammal (out of the 20 analysed), which suggests that these regulatory elements may be associated with recent evolutionary adaptations unique to a few species.


Repurposing


So how do such vast numbers of newly active regulatory sequences arise? Our findings suggest that, rather than acquiring wholly new DNA sequences that regulate genes, mammals derive most regulatory innovations from existing DNA – sequences shared to some extent by all mammals today and likely present in the ancestral species from which they evolved – but repurposed in a particular species.


This process resembles evolutionary tinkering, where continuous tweaking of existing DNA sequences can result in new patterns of gene regulation. The prevalence of this mechanism, as opposed to the generation of regulatory elements from newly acquired DNA, could in part explain the rapid evolution we see in mammals, and may have been pivotal in allowing mammals to efficiently colonise Earth’s ecosystems. Essentially, continuous modifications in vast mammalian genomes within relatively small populations likely contributed to new evolutionary paths that allowed mammal species to diverge.


Many questions remain. Our results indicate how rapidly gene regulation can change in mammalian genomes, but further work will be required to fully understand the relative importance of the retained and new DNA sequences that regulate our genes, and how they cooperate to create species diversity while maintaining the organ functions found across vertebrates. And our findings could have profound implications for our understanding of human disease – in particular, the mechanisms by which rapidly evolving pathologies, such as cancer, hijack normal gene regulation and alter it to their advantage.


The Conversation

Vikings were pioneers of craft and international trade, not just pillaging

"Yes it's a new thing we're trying out, it's called 'international trade'." Anna Gowthorpe/PA

The connections between technology, urban trading, and international economics which have come to define modern living are nothing new. Back in the first millennium AD, the Vikings were expert at exploring these very issues.


While the Vikings are gone their legacy is remembered, such as at the annual Jorvik Viking Festival in York. The Norsemen’s military prowess and exploration are more often the focus of study, but of course the Vikings were more than just bloodthirsty pirates: they were also settlers, landholders, farmers, politicians, and merchants.


Between the 8th and 11th century (the Viking Age), Europe saw significant technological advances, not all of them Scandinavian – the Anglo-Saxons, Frisians and Franks were equal players. To understand these changes, we have to see them in the context of increasing contact between Scandinavia, the British Isles, and continental Europe – in which the Vikings were key players. Technological innovations such as the potter’s wheel and the vertical loom transformed not only the types of products being manufactured in Viking settlements, but also the scale on which they were produced.


Technological developments emerged as people came together in growing coastal trading centres and market towns. The world was rapidly becoming more joined-up during this period than at any time since the heyday of the Roman Empire. Trade fostered international links across the North Sea, Baltic and beyond, and similar developments were happening as far afield as the Middle East, Africa, and Asia. This was a period in which people began to live and work in entirely new ways, and technological change was both a cause and an effect of this.


While many Viking artefacts of the period are familiar, the complex methods that lay behind their manufacture are less well-known. Each involved a specialised set of skills, tools and raw materials, which meant craftspeople were reliant not only on a market for sale, but also on a well-organised supply chain. This is why the development of specialist crafts, of growing urbanisation, and of long-distance trade are intimately connected.


The Vikings were expert shipbuilders and navigators, and while evidence for their shipwrights' skills survives to the present day, there is little detail of how they navigated their huge journeys. What is clear is that between the 8th and 11th century, Viking shipping underwent significant development, beginning with the appearance of the sail, and leading to the development not only of specialist warships, but also of prototypes for the large cargo vessels that would come to dominate the waters of later medieval Europe. But Viking technology had more to offer than ships and swords.


Viking brooches were ornate, beautiful, and mass-produced. British Museum


Brooches


Among the most recognisable Viking artefacts are their brooches. Long studied by archaeologists, they signified gender, status, and ethnicity. Work is ongoing to reveal the advanced technology used in their manufacture.


Evidence for brooch manufacture in Viking towns includes the remains of moulds and crucibles. The crucibles are often found complete with residues of the metals melted down in them. Brooches were cast by pouring this metal into moulds, which were produced by pressing existing pieces of jewellery or lead models into clay, followed by minor artistic modification. This resulted in a sort of mass-production. As this craft was dependent on high-quality brass ingots from continental Europe, specialist jewellery production centres arose at ports associated with long-distance trade routes.


Glass bead jewellery


Strings of ornate glass beads are another common sight in Viking museum displays. Beads were made in Scandinavian towns by carefully manipulating coloured glass as it melted. Waste deposits prove that the raw glass used in this process came in the form of coloured tesserae: small, square blocks from the Mediterranean, where they were used to produce mosaics. Whether they were bought and sold in south-eastern Europe before travelling west, or whether they were ripped from Byzantine churches on raids in the region, is unclear.


Combmaking


Animal bones were among the most important materials in pre-modern technology: a durable, flexible, readily available raw material used for everything from knife handles to ice skates. Many such objects could be made quickly, with little training – but not the Vikings' hair combs.


These large, ornate, over-engineered objects took days to manufacture and required a trained hand. Specialised tools such as saws, rasps, and polishers were needed, and deer antler particularly was the material of choice.


Viking combs ranged from the practical to the ornate. British Museum


Combs of this type go back to the Late Roman period, but they really came into their own in the Viking Age, where they became a symbol of status and aspiration. Combmakers tended to work in towns, where they had access to periodic markets and a supply network that brought in deer antler from the local countryside, and reindeer antler from the Arctic north. They may also have moved around from town to town, in order to maximise their sales. It’s a great example of the way town, countryside, and long-distance travel were tied together in order to support the technology that was important to the everyday life of Viking-Age people.


These examples of craftsmanship and technical tool work – and there are many more – demonstrate that the Vikings should be seen as more than just raiders, and more than simple traders or merchants too. With their outward-looking society and cutting-edge techniques, they were among the earliest investors in global technologies in a post-Roman world that, even then, was increasingly international. And today, as a modern recreation of a Viking vessel embarks for the first ever Viking exhibition in China, it’s clear their appeal is truly global.


The Conversation

We need to rethink the relationship between forensic science and the law

Advances in science are causing problems in courtrooms Petretei

Despite what we see on television, forensic science is not always easy to understand or simple to convey to a jury, many of whom may not have studied science since they were in school. When a case fails in the courtroom, maybe because the scientist was inexperienced, or there were flaws in the science presented, it creates the potential for a miscarriage of justice – something to be avoided at all costs.


This was illustrated recently in a violent crime case in the US when a court refused to grant admissibility to a particular type of DNA evidence because its interpretation had not yet been agreed within the scientific community and it was too complex for the jury to understand.


The judge told the court:



To have a technique that is so controversial that the community of scientists who are experts in the field can’t agree on it and then to throw it in front of a lay jury and expect them to be able to make sense of it, is just the opposite of what the [rules on admissibility of evidence are] all about.



Indeed, why should we expect lawyers or the public to understand science? The courtroom is a place where language can become severely challenging, where what is said may be at odds with what is heard. This is a particular issue for some types of evidence that rely, for example, on complex statistical analysis.


Both the scientist and the court have a duty to ensure that each party does their utmost to ensure that the jury understands the capabilities and limitations of any science presented to them. The scientists must be able to convey their often complex subject as simply as possible. Only then will the lawyers and judge be able to guide the jury to reach a secure and informed decision.


The limits of scientific influence


One core problem is that the scientist and the lawyer rarely meet before any courtroom confrontation. And the idea that a scientist might offer advice to a judge outside of the courtroom is almost uncharted territory in the UK.


Yet it is the trial judge who must decide whether there is sufficient robust underpinning in scientific evidence to let it be heard by the jury. They have to be sufficiently confident that the science establishes the fact in question and will withstand reasonable cross-examination that will assist the triers of fact.


Without training, how comfortable can the judge be to adopt this role – especially in complex cases such as those involving the interpretation of mixed-DNA profiles?


If the judiciary feel unable to do this, perhaps the scientist must assume the responsibility of teacher to convey the complexity of their science in a way that will be understood.


A better way forward


The reality is that the courtroom is the place where lawyers should be examining the case-specific science and not the basic underpinning value of the overarching scientific subject. The courtroom is not the classroom, so the time for teaching is during the preparatory stages before the business of testimony and evidence gets underway.


If all the scientific limitations could be agreed beforehand, this would leave only the details that relate to the case and the interpretation of the case-specific evidence to be addressed in the court.


The Lord Chief Justice of England and Wales last autumn called for a set of judicial primers, pieces of “plain English” that will relay core scientific principles in a way that is understandable by lawyer, judge and jury. He reiterated this call recently at a meeting hosted by the Royal Society in London that was agreed as a priority first step towards disrupting the communication logjam.


Another issue is our understanding of the scientific limitations. The US National Academy of Science published a report in 2009 that was a damning indictment of the lack of investment in forensic research and the shaky nature of basic scientific underpinning in most forensic sciences.


National Academy of Science has bemoaned the state of forensic science NAS


In the past 30 years the lion’s share of funding has been consumed by advances in DNA, while other subjects have suffered, be they trace evidence (such as hairs and fibres), ballistics, blood patterns or fires and explosions. This has meant that core research gaps in our knowledge remain.


A global strategic approach aiming to improve basic scientific underpinning must also lie at the core of any future advance to provide better science to the courts. This is vital for the health of the subject and in turn can only benefit justice in the long term.


In short, scientists must come together in partnership with the law and funders to ensure a product that is fit for purpose. This requires greater co-ordination and understanding between two ancient academic disciplines that have rarely been easy bedfellows: law and science.


Lifetimes of misunderstanding have built up around their gladiatorial arena and they no longer seem to speak a common language. It is time for a paradigm shift in their relationship, geared towards addressing areas of common and competing ground, talking about science in plain English and agreeing where the current research gaps exist and how we are best placed to fill them.


The Conversation

Eye tracking is the next frontier of human-computer interaction

Eyes are the windows to the soul, and perhaps an extra pair of hands too. arosoft/Shutterstock

Eye tracking devices sound a lot more like expensive pieces of scientific research equipment than joysticks – yet if the latest announcements about the latest Assassin’s Creed game are anything to go by, eye tracking will become a commonplace feature of how we interact with computers, and particularly games.


Eye trackers provide computers with a user’s gaze position in real time by tracking the position of their pupils. The trackers can either be worn directly on the user’s face, like glasses, or placed in front of them, such as beneath a computer monitor for example.


Eye trackers are usually composed of cameras and infrared lights to illuminate the eyes. Although it’s invisible to the human eye, the cameras can use infrared light to generate a grayscale image in which the pupil is easily recognisable. From the position of the pupil in the image, the eye tracker’s software can work out where the user’s gaze is directed – whether that’s on a computer screen or looking out into the world.


But what’s the use? Well, our eyes can reveal a lot about a person’s intentions, thoughts and actions, as they are good indicators of what we’re interested in. In our interactions with others we often subconsciously pick up on cues that the eyes give away. So it’s possible to gather this unconscious information and use it in order to get a better understanding of what the user is thinking, their interests and habits, or to enhance the interaction between them and the computer they’re using.


Practical uses outside the lab


There are lots of useful applications. For example, in marketing and usability studies, eye trackers are commonly used to study the impact of an advertising campaign or the design of a website. For people who cannot use their arms or are completely paralysed, eye tracking can be used to operate a computer or speech synthesiser: eye-based applications allow them to move a mouse cursor and spell out sentences using only their eyes.


Other more futuristic-sounding applications have been explored, such as appliances that listen to your commands when you look at them: imagine speaking “on” and “off” commands to your lamp, your hi-fi system or your television, which until you looked at them had been in standby. Other examples include automatic scrolling when you have reached the bottom of a screen of text, or automatic pausing of a movie if you look away.


While there are uses for eye tracking in industry and among researchers, firms are now looking seriously at how to make them useful for the general public. Tobii – the same firm that brought us pizza ordering by mind control – recently launched a consumer-priced remote eye tracker, the Tobii EyeX (US$139) with the aim of encouraging games developers to build eye tracking support into their products. For comparison, research lab-grade eye trackers cost around US$20,000.


Another large eye tracking company, SMI, has announced a partnership with Sony to integrate eye-tracking into games for the PlayStation 4.


Interactivity at the cutting edge


There’s a lot of potential for eye tracking in video games. For example, in the popular first-person view (“3D shooter”) style of games, eye tracking can be used to automatically pan the screen to where the player is looking, replacing a task usually performed by the mouse. The eyes can be used to target weapons, too.


One of the most interesting applications is interaction with game characters. When using eye tracking, video game characters can be made to react to the player’s gaze the same way a human would. Imagine entering a shop and letting your eyes rest on a sword you find interesting: the merchant could tell you directly about this item, making the interaction that bit more real. Or a character might get upset if, instead of looking at him while he’s talking, your eyes rest on his wife. The eyes are a very powerful means of nonverbal communication. Implementing human-like reactions in virtual characters could mean a whole new level of immersion in video games.


Beyond games, there is another range of applications where eye tracking is becoming a hot topic: smart glasses. Because of its shape, a lot of people think Google Glass also tracks the eyes, but it doesn’t. But it wouldn’t be surprising to see the next generation of smart glasses including eye tracking capabilities. This could provide further ways of interacting with the head-up display projected onto the glasses, adding automatic scrolling and navigation that leaves the wearer’s hands free instead of having to use the manual control.


There’s already an eye tracking upgrade for the Oculus Rift virtual reality headset. If users are willing to wear something on their heads, why not add an eye tracker too and enhance interaction using all that information that’s being given away by the eyes? Using the eyes as a tool opens up the possibility for more natural, subtle interaction.


The Conversation

Thursday, February 19, 2015

Upgrade to core HTTP protocol promises speedier, easier web

Now with added "2". Download Now/Shutterstock

Hypertext Transfer Protocol, HTTP, is a key component of the world wide web. It is the communications layer through which web browsers request web pages from web servers and with which web servers respond with the contents of the page. Like much of the internet it’s been around for decades, but a recent announcement reveals that HTTP/2, the first major update in 15 years, is about to arrive.


The original HTTP was the protocol Sir Tim Berners-Lee first used at CERN, where the web was created in 1991. It was improved over the years and finalised as HTTP 1.1 in 1999, the standard still used worldwide. Since then the web has changed dramatically, introducing images, complex style sheets, JavaScript code, Flash and other embedded elements. The original HTTP was a simple protocol for a simple web; it was not designed to handle increasingly media-rich websites.


For example, Google handles around 40,000 web searches per second. To cope with serving billions of internet users, the company’s engineers started a project in 2009 called SPDY (pronounced “speedy”) to improve on HTTP. Originally intended for internal use, SPDY was also implemented by other sites fielding heavy traffic, such as Twitter, Facebook, Wordpress and CloudFlare, once they had seen its performance improvements.


This caught the attention of the Internet Engineering Task Force (IETF), which develops and promotes internet standards. In 2012 the IETF decided to use SPDY as the basis for HTTP/2, and the two protocols were then developed in parallel. Even though Google spearheaded the protocol’s development, the work has been carried on by the IETF’s open working groups, as it has been for other internet protocols for almost 30 years.


Google recently announced it was dropping SPDY in favour of the soon-to-arrive HTTP/2.


The drawbacks of HTTP 1.1


Web pages today can generate many requests for images, CSS style sheets, video and other embedded objects, off-site adverts and so on – perhaps a hundred per page. This puts unnecessary strain on the web server and slows page loading, because an HTTP 1.1 connection can carry only one request at a time: the next response cannot begin until the previous one has finished. Browsers work around this by opening several parallel connections to each site, each with its own setup cost.


HTTP 1.1 is also sensitive to high-latency connections – those with a slow round-trip time. This can be a big problem on a mobile device using cellular networks, where even a high-speed connection can feel slow. HTTP pipelining allows the browser to send further requests while still waiting for the response to an earlier one. While this would go some way to tackling high latency, responses still have to come back in the order they were requested, so one slow response holds up everything queued behind it (head-of-line blocking), and many proxies handle pipelining badly. As a result it is disabled by default in most browsers.


The benefits of HTTP/2


Rather than being text-based, HTTP/2 is a binary protocol, which is quicker to parse and more compact in transmission. Where HTTP 1.1 had four different ways to parse a message, HTTP/2 has one: every frame begins with a fixed header stating its length, its type and the stream it belongs to. That also removes a source of disagreement between servers and proxies about where one message ends and the next begins, which attackers have exploited against HTTP 1.1 (request smuggling). To tackle the multiple-request issue, HTTP/2 uses a single connection per site and, through stream multiplexing, fits many requests into that one connection. Streams are bi-directional, so both the web server and the browser can transmit within a single connection. Each stream can be prioritised, so a browser can say which image matters most, or re-prioritise a set of streams when you change between browser tabs.


HTTP is a stateless protocol – every request is handled on its own, unconnected to any request before or after. This means every request must carry all the relevant data about itself, in HTTP headers. As HTTP 1.1 evolved these headers grew larger to incorporate new features, and much of their content (cookies, user agent, accepted content types) is repeated on every request. HTTP/2 uses header compression, HPACK, to shrink this overhead and speed up the connection. HPACK was designed after SPDY’s earlier DEFLATE-based header compression was shown to leak secrets such as session cookies through the size of the compressed output (the CRIME attack): it compresses by referring to a table of headers already seen on the connection rather than by matching arbitrary substrings, which closes that leak.
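To make that concrete, here is an added example, written for this page and not code from the IETF or any browser: a small Python HPACK decoder, fed the three consecutive requests worked through in RFC 7541 Appendix C.3. The static table, the index layout and the 32-octet per-entry overhead are from the specification; the request bytes are the RFC's own worked example. Huffman-coded strings are recognised and rejected rather than decoded, to keep the example short.

```python
"""Minimal HPACK decoder (RFC 7541): static table, size-bounded dynamic table,
N-bit-prefix integers and literal strings.  Added example for this article, not
code from the IETF or any browser.  Huffman-coded strings are rejected, not decoded."""

# RFC 7541 Appendix A static table; index i is STATIC_TABLE[i - 1], i = 1..61.
STATIC_TABLE = [(n, v) for n, _, v in (e.partition("=") for e in (
    ":authority|:method=GET|:method=POST|:path=/|:path=/index.html|:scheme=http|"
    ":scheme=https|:status=200|:status=204|:status=206|:status=304|:status=400|"
    ":status=404|:status=500|accept-charset|accept-encoding=gzip, deflate|"
    "accept-language|accept-ranges|accept|access-control-allow-origin|age|allow|"
    "authorization|cache-control|content-disposition|content-encoding|"
    "content-language|content-length|content-location|content-range|content-type|"
    "cookie|date|etag|expect|expires|from|host|if-match|if-modified-since|"
    "if-none-match|if-range|if-unmodified-since|last-modified|link|location|"
    "max-forwards|proxy-authenticate|proxy-authorization|range|referer|refresh|"
    "retry-after|server|set-cookie|strict-transport-security|transfer-encoding|"
    "user-agent|vary|via|www-authenticate").split("|"))]

class HpackError(Exception):
    """Decoding error; an HTTP/2 peer treats it as a COMPRESSION_ERROR on the connection."""

class Decoder:
    def __init__(self, max_table_size=4096):      # SETTINGS_HEADER_TABLE_SIZE default
        self.limit = self.max_size = max_table_size
        self.dynamic = []                         # newest entry first, i.e. index 62

    def _evict(self):                             # entry cost: len(name) + len(value) + 32 octets
        while sum(len(n) + len(v) + 32 for n, v in self.dynamic) > self.max_size:
            self.dynamic.pop()

    def _lookup(self, index):                     # 1..61 static, 62.. dynamic (newest first)
        if 1 <= index <= len(STATIC_TABLE):
            return STATIC_TABLE[index - 1]
        if 0 <= index - 62 < len(self.dynamic):
            return self.dynamic[index - 62]
        raise HpackError("index %d is not in the table" % index)

    @staticmethod
    def _read_int(data, pos, prefix_bits):        # N-bit prefix integer, section 5.1
        mask = (1 << prefix_bits) - 1
        value, pos, shift = data[pos] & mask, pos + 1, 0
        if value < mask:
            return value, pos
        while pos < len(data) and shift <= 28:    # cap refuses absurdly long encodings
            octet, pos = data[pos], pos + 1
            value, shift = value + ((octet & 0x7F) << shift), shift + 7
            if not octet & 0x80:
                return value, pos
        raise HpackError("truncated or oversized integer")

    def _read_string(self, data, pos):
        if pos >= len(data):
            raise HpackError("truncated string literal")
        huffman, (length, pos) = data[pos] & 0x80, self._read_int(data, pos, 7)
        if huffman or pos + length > len(data):
            raise HpackError("Huffman string (not handled here) or truncated literal")
        return data[pos:pos + length].decode("latin-1"), pos + length

    def _literal(self, data, pos, name_index):    # name from the table, or sent inline
        name, pos = (self._lookup(name_index)[0], pos) if name_index else self._read_string(data, pos)
        value, pos = self._read_string(data, pos)
        return name, value, pos

    def decode(self, block):                      # one header block -> [(name, value), ...]
        headers, pos = [], 0
        while pos < len(block):
            octet = block[pos]
            if octet & 0x80:                      # 1xxxxxxx: indexed header field
                index, pos = self._read_int(block, pos, 7)
                headers.append(self._lookup(index))
            elif octet & 0x40:                    # 01xxxxxx: literal, added to the table
                index, pos = self._read_int(block, pos, 6)
                name, value, pos = self._literal(block, pos, index)
                self.dynamic.insert(0, (name, value))
                self._evict()
                headers.append((name, value))
            elif octet & 0x20:                    # 001xxxxx: dynamic table size update
                size, pos = self._read_int(block, pos, 5)
                if size > self.limit:
                    raise HpackError("table size above the advertised limit")
                self.max_size = size
                self._evict()
            else:                                 # 0000xxxx / 0001xxxx: literal, not added
                index, pos = self._read_int(block, pos, 4)
                name, value, pos = self._literal(block, pos, index)
                headers.append((name, value))
        return headers

# The three consecutive requests of RFC 7541 Appendix C.3 (no Huffman coding).
SAMPLE_BLOCKS = [bytes.fromhex(h) for h in (
    "828684410f7777772e6578616d706c652e636f6d",
    "828684be58086e6f2d6361636865",
    "828785bf400a637573746f6d2d6b65790c637573746f6d2d76616c7565",
)]

def decode_sequence(blocks, decoder=None):
    """Decode blocks in order with one shared decoder, as happens on a single connection."""
    decoder = decoder or Decoder()
    return [decoder.decode(b) for b in blocks], decoder
```

Feeding the blocks to one decoder in order is the point: the second request names www.example.com with the single byte 0xbe (index 62, the newest dynamic-table entry), and the third request's 0xbf finds the same entry one slot further down because cache-control was inserted in between. Decoding the second or third block with a fresh decoder fails, which is also why HTTP/2 treats any HPACK decoding error as a connection-level error rather than a per-request one.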


A final addition is server push. When a web page is requested, the server sends back the page but must then wait for the web browser to parse the HTML and issue further requests for the things it finds there, such as images and style sheets. Server push allows the server to send resources it expects the browser to need along with the page, without waiting to be asked; the browser can refuse a pushed resource it already has in its cache. This cuts a lot of the latency associated with web connections.
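The stream multiplexing and server push described above, as an added example written for this page and not code from any HTTP/2 implementation: a Python parser that reads a constructed server-to-client byte stream, applies the checks RFC 7540 requires of a receiver, and reassembles the interleaved DATA frames of three streams, one of them a pushed stream announced by a PUSH_PROMISE. Frame type numbers, flag bits and the 16,384-octet default frame-size limit are from the specification; the sample bytes and the bodies they carry are constructed, and their header blocks are left empty because HPACK is a separate layer.

```python
"""Parse HTTP/2 binary frames (RFC 7540 section 4) from a server-to-client byte
stream and reassemble the multiplexed streams.  Added example for this article,
not code from any browser or server; the sample bytes below are constructed."""
import struct
from collections import defaultdict

DEFAULT_MAX_FRAME_SIZE = 16384                    # initial SETTINGS_MAX_FRAME_SIZE
DATA, HEADERS, SETTINGS, PUSH_PROMISE = 0x0, 0x1, 0x4, 0x5
FLAG_END_STREAM, FLAG_END_HEADERS, FLAG_PADDED = 0x1, 0x4, 0x8

class ProtocolError(Exception):
    """Connection error: a real peer sends GOAWAY and closes the TCP connection."""

def build_frame(ftype, flags, stream_id, payload=b""):
    """Frame header: 24-bit length, 8-bit type, 8-bit flags, reserved bit + 31-bit stream id."""
    if len(payload) >= 1 << 24:
        raise ValueError("payload too large for the 24-bit length field")
    header = len(payload).to_bytes(3, "big") + bytes([ftype, flags])
    return header + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload

def parse_frames(data, max_frame_size=DEFAULT_MAX_FRAME_SIZE):
    """Yield (type, flags, stream_id, payload) for each frame in data."""
    pos = 0
    while pos < len(data):
        if len(data) - pos < 9:
            raise ProtocolError("truncated frame header")
        length = int.from_bytes(data[pos:pos + 3], "big")
        ftype, flags = data[pos + 3], data[pos + 4]
        stream_id = struct.unpack(">I", data[pos + 5:pos + 9])[0] & 0x7FFFFFFF
        # The field allows 16 MiB, but a receiver must refuse anything above the
        # advertised SETTINGS_MAX_FRAME_SIZE (FRAME_SIZE_ERROR, section 4.2).
        if length > max_frame_size:
            raise ProtocolError("FRAME_SIZE_ERROR: %d-byte frame" % length)
        payload = data[pos + 9:pos + 9 + length]
        if len(payload) < length:
            raise ProtocolError("truncated frame payload")
        yield ftype, flags, stream_id, payload
        pos += 9 + length

def strip_padding(flags, payload):
    """Padded DATA/HEADERS/PUSH_PROMISE: one pad-length octet, the content, then
    that many zero octets.  Padding covering the whole payload is a PROTOCOL_ERROR."""
    if not flags & FLAG_PADDED:
        return payload
    if not payload or payload[0] >= len(payload):
        raise ProtocolError("padding length exceeds frame payload")
    return payload[1:len(payload) - payload[0]]

def demultiplex(server_bytes, max_frame_size=DEFAULT_MAX_FRAME_SIZE):
    """Return ({stream_id: body}, [promised stream ids]) for a server's byte stream."""
    bodies, promised = defaultdict(bytes), []
    for i, (ftype, flags, sid, payload) in enumerate(parse_frames(server_bytes, max_frame_size)):
        if i == 0 and ftype != SETTINGS:          # server preface must be SETTINGS (section 3.5)
            raise ProtocolError("first frame from the server is not SETTINGS")
        if ftype == DATA:
            if sid == 0:                          # DATA is always bound to a stream (section 6.1)
                raise ProtocolError("DATA frame on stream 0")
            bodies[sid] += strip_padding(flags, payload)
        elif ftype == PUSH_PROMISE:               # first 4 octets: id of the stream to be pushed
            body = strip_padding(flags, payload)
            if len(body) < 4:
                raise ProtocolError("PUSH_PROMISE too short for a promised stream id")
            promised.append(struct.unpack(">I", body[:4])[0] & 0x7FFFFFFF)
    return dict(bodies), promised

def is_rejected(server_bytes, max_frame_size=DEFAULT_MAX_FRAME_SIZE):
    """True if demultiplex() refuses the byte stream with a ProtocolError."""
    try:
        demultiplex(server_bytes, max_frame_size)
        return False
    except ProtocolError:
        return True

# Constructed sample: responses on client streams 1 and 3 interleaved with pushed
# stream 2.  Header blocks are left empty because HPACK is a separate layer.
SAMPLE_SERVER_BYTES = b"".join([
    build_frame(SETTINGS, 0, 0),
    build_frame(HEADERS, FLAG_END_HEADERS, 1),
    build_frame(PUSH_PROMISE, FLAG_END_HEADERS, 1, struct.pack(">I", 2)),
    build_frame(DATA, 0, 1, b"<html>"),
    build_frame(HEADERS, FLAG_END_HEADERS, 3),
    build_frame(DATA, FLAG_PADDED, 3, b"\x02" + b'{"a":' + b"\x00\x00"),
    build_frame(HEADERS, FLAG_END_HEADERS, 2),
    build_frame(DATA, FLAG_END_STREAM, 2, b"body{}"),
    build_frame(DATA, FLAG_END_STREAM, 1, b"</html>"),
    build_frame(DATA, FLAG_END_STREAM, 3, b"1}"),
])

if __name__ == "__main__":
    print(demultiplex(SAMPLE_SERVER_BYTES))
```

Two of the checks are the ones that matter in practice: the 24-bit length field would let a peer announce a 16 MiB frame, so the receiver enforces the negotiated maximum before it reads or buffers anything, and a pad-length octet that covers the whole payload is refused instead of silently producing an empty or wrapped slice.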


Web version 2?


Once web servers and web browsers start implementing HTTP/2 – which could be as soon as a few weeks from now – the web-browsing experience will feel quicker and more responsive. It will also make developers’ lives easier, as they will no longer have to work around the limitations of HTTP 1.1.


In fact, the latest versions of popular browsers (Firefox v36, Chrome v40 and Internet Explorer v11) already support HTTP/2. Chrome and Firefox will only speak HTTP/2 over encrypted (TLS) connections, with the protocol negotiated during the TLS handshake, so a site must offer HTTPS before it can benefit – this, along with the Let’s Encrypt initiative, will probably boost the adoption of encryption more widely.


The Conversation
