| Website | https://lucaspardue.com |
To help find relevant RFCs no matter what your network connectivity, https://rfc.fyi now implements a service worker that caches the data locally for offline use, and can be installed as a Progressive Web app (PWA) -- i.e., you can install it to your iOS or Android home screen.
Note that it still points to online-only RFCs at the RFC Editor site.
Back in November 2025, when doing tests of C4 on a loopback address, I observed that C4 achieved lower data rates than Cubic or even BBR. Since “performance under loopback” was not a high priority scenario, I filed that in the long pile of issues to deal with later. Then, in early January 2026, I read a preprint of a paper by Kathrin Elmenhorst and Nils Aschenbruck titled “2BRobust – Overcoming TCP BBR Performance Degradation in Virtual Machines under CPU Contention” (see: https://arxiv.org/abs/2601.05665). In that paper, they point out that BBR achieves lower than nominal performance when running on VMs under high CPU load, and trace that to pacing issues. Pacing in an application process involves periodically waiting until the pacing system acquires enough tokens. If the CPU is highly loaded, the system call can take longer than the specified maximum wait time, and pacing thus slows the connection more than expected. In such conditions, they suggest increasing the programmed pacing rate above the nominal rate, and show that it helps performance.
HTTP/2-based DoS attacks are here to stay. Many implementations are hardened to them. Quirky behaviour can trigger defenses and cause ENHANCE_YOUR_CALM.
Read one of my latest trips down a debugging rabbit hole.
HTTP/2 implementations often respond to suspected attacks by closing the connection with an ENHANCE_YOUR_CALM error code. Learn how a common pattern of using Go's HTTP/2 client can lead to unintended errors and the solution to avoiding them.
About 6 months ago Louis Navarre reached out to report some DoS-related vulnerabilities in quiche's ack processing. We fixed it up and saw no evidence that the vulnerabilities had been exploited. Check out the deep dive blog post:
https://blog.cloudflare.com/defending-quic-from-acknowledgement-based-ddos-attacks/
We identified and patched two DDoS vulnerabilities in our QUIC implementation related to packet acknowledgements. Cloudflare customers were not affected. We examine the "Optimistic ACK" attack vector and our solution, which dynamically skips packet numbers to validate client behavior.
This adds (1) HTTP/3 proxy CONNECT support and (2) MASQUE CONNECT-UDP support for OpenSSL QUIC stack. Usage: curl -k -4 --http1.1 --proxy-insecure --proxytunnel --proxy-http3 --proxy https://<p...
Hot off the press, happy to announce the adoption and publication of https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-unencoded-digest-00
The world of HTTP content negotiation can be a bit brain melting at times. RFC 9530 brought concepts of digests (i.e. hashing) up to date with our latest defintions of HTTP message semantics in RFC9110.
Unencoded Digest is one of the missing pieces for certain use cases like the W3C signature-based integrity work. Helping to cover cases where encoding and transform independence are paramount.
The Repr-Digest and Content-Digest integrity fields are subject to HTTP content coding considerations. There are some use cases that benefit from the unambiguous exchange of integrity digests of unencoded representation. The Unencoded-Digest and Want-Unencoded- Digest fields complement existing integrity fields for this purpose.
Using Internet standards to improve the the way automed traffic / bots can interact with the world. Namely two methods: HTTP Signatures (RFC 9421) and req mTLS flag (draft-jhoyla-req-mtls-flag)
AI slop has gotta stop.
Hysterical* thing with this bullshit report to curl's hackerone (https://hackerone.com/reports/3125832) "HTTP/3 Stream Dependency Cycle Exploit" is we took great pains to standardize a priortization scheme that entirely did away with stream dependencies.
* not the jovial definition
**Penetration Testing Report: HTTP/3 Stream Dependency Cycle Exploit** --- # **0x00 Overview** A novel exploit leveraging stream dependency cycles in the HTTP/3 protocol stack was discovered, resulting in memory corruption and potential denial-of-service or remote code execution scenarios when used against HTTP/3-capable clients such as `curl` (tested on version 8.13.0). This report details...
Mark Nottingham
Christian Huitema
daniel:// stenberg://
