Why do web browsers not support h2c (HTTP/2 without TLS)?
I really searched the web, and I cannot find the reason why web browsers do not support h2c (HTTP/2 with no TLS). Any idea is appreciated.

A little bit of clarification: HTTP/2 over HTTPS uses ALPN (this is called h2). HTTP/2 over plain HTTP does not need ALPN (this is called h2c), but almost no web browser supports it. Why is that so?

I feel that for many resources there is no need for confidentiality, though authenticity is always good (digital signatures of the HTTP body are not widely supported, though there are some private implementations). Given that confidentiality is not needed, h2c is really a good thing to have.

Coastwise answered 17/10, 2017 at 11:19 Comment(2)
Dupe #34076731 -- but new answer is longer. - Inartistic
man, I can't even remember my own answers...! - Heterodoxy

Technically

There are several technical reasons why HTTP/2 is much better and easier to handle over HTTPS:

  1. Doing HTTP/2 negotiation in TLS with ALPN is much easier and doesn't lose round-trips like Upgrade: in plain HTTP does. And it doesn't suffer from the upgrade problem on POST that you get with plain-text HTTP/2.
  2. N% of the web doesn't support unsolicited Upgrade: h2c headers in requests and instead responds with 400 errors.
  3. Doing something other than HTTP/1.1 over TCP port 80 breaks in Y% of the cases, since the world is full of middle-boxes that "help" out and replace/add things in-stream for such connections. If that then isn't HTTP/1.1, things break (this is also why brotli, for example, also requires HTTPS).

Ideologically

There's a push for more HTTPS on the web that is shared by and worked on in part by some of the larger web browser developer teams. That makes it considered a bonus if features are implemented HTTPS-only as they then work as yet another motivation for sites and services to move over to HTTPS. Thus, some teams never tried very hard (if at all) to make HTTP/2 work without TLS.

Practically

At least one browser vendor expressed its intention early on to implement and provide HTTP/2 for users done over plain-text HTTP (h2c). They ended up never doing this because of technical obstacles as mentioned above.

Heterodoxy answered 17/10, 2017 at 11:35 Comment(4)
Ok, but what about local networks? I have a router and would like to open its admin panel on 192.168.1.1, so the router can't have any valid TLS certificate except a self-signed one, which my browser will reject. - Estonian
@stokito Even on local networks, browsers have no prior knowledge of whether a request might be going through a legacy proxy that breaks new features. Websockets and brotli compression also benefit from TLS for similar reasons of being hidden from intermediate servers. Indeed, browsers won't request brotli compression without TLS either (as Daniel mentioned in his answer). Think of TLS as privacy from incompetence as well as malicious behaviour. - Hasbeen
@stokito You can still put a real certificate on your router. Just set up a hosts file entry on your client PC for something like router.example.com. Then get a LetsEncrypt or similar certificate for that name. If you get a wildcard certificate like *.example.com, you don't even have to expose the router name to the public. - Cosher
@Hasbeen: Love the view of TLS as privacy from incompetence! - Bundy
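To make the answer's first two technical points concrete, here is an added example (not code from the answer or from any browser) of what a client has to do for h2c versus h2: the plain-text path spends a whole HTTP/1.1 round-trip on an `Upgrade: h2c` request carrying a base64url-encoded SETTINGS payload, and then has to cope with a 101, a 400 from a server that does not understand the header, or a server that simply ignores the upgrade; the TLS path just lists `h2` in ALPN. The header and frame layout follow RFC 7540 §3.2 and §6.5.1; the sample responses are constructed.

```python
import base64
import ssl
import struct

# SETTINGS identifiers from RFC 7540 §6.5.2 (only the ones used here).
SETTINGS_MAX_CONCURRENT_STREAMS = 0x3
SETTINGS_INITIAL_WINDOW_SIZE = 0x4


def encode_http2_settings(settings):
    """Serialise SETTINGS (id:u16, value:u32 pairs) as the base64url token,
    without '=' padding, that the HTTP2-Settings header carries (RFC 7540 §3.2.1)."""
    payload = b"".join(struct.pack("!HI", k, v) for k, v in settings.items())
    return base64.urlsafe_b64encode(payload).rstrip(b"=").decode("ascii")


def build_h2c_upgrade_request(host, path="/", settings=None):
    """The plain-text HTTP/1.1 request that asks a server to switch to h2c.
    This whole request/response exchange is the round-trip that ALPN avoids,
    and a request with a body (POST) must be sent in full before the switch."""
    settings = settings or {SETTINGS_MAX_CONCURRENT_STREAMS: 100}
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Connection: Upgrade, HTTP2-Settings\r\n"
        "Upgrade: h2c\r\n"
        f"HTTP2-Settings: {encode_http2_settings(settings)}\r\n"
        "\r\n"
    )


def classify_upgrade_response(raw):
    """Decide, from the server's response head, which protocol the client is now on."""
    status_line, _, headers = raw.partition("\r\n")
    status = int(status_line.split(" ")[1])
    upgraded = any(h.lower().startswith("upgrade: h2c") for h in headers.split("\r\n"))
    if status == 101 and upgraded:
        return "h2c"        # server switched; HTTP/2 frames follow on this connection
    if status == 400:
        return "rejected"   # the "unsolicited Upgrade header -> 400" case from the answer
    return "http/1.1"       # upgrade ignored; the response is an ordinary HTTP/1.1 one


def alpn_context():
    """Over TLS the same negotiation is one ALPN extension inside the handshake."""
    ctx = ssl.create_default_context()
    ctx.set_alpn_protocols(["h2", "http/1.1"])  # preference order offered to the server
    return ctx
```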
