Why do browser implementations of HTTP/2 require TLS?
Why do most modern browsers require TLS for HTTP/2?

Is there a technical reason behind this, or is it simply to make the web more secure?

http://caniuse.com/#feat=http2

Octastyle answered 3/12, 2015 at 21:12 Comment(2)

It is partly about making more things use HTTPS and encouraging users and servers to go HTTPS. Both Firefox and Chrome developers have stated this to be generally good, for the sake of users and users' security and privacy.

It is also about broken "middle boxes" deployed on the Internet that assume TCP traffic over port 80 (that might look like HTTP/1.1) means HTTP/1.1, and then interfere in order to "improve" or filter the traffic in some way. Doing HTTP/2 clear text over such networks ends up with a much worse success rate. Insisting on encryption means those middle boxes never get the chance to mess up the traffic.

Further, a certain percentage of deployed HTTP/1.1 servers will return an error response to an Upgrade: with an unknown protocol (such as "h2c", which is HTTP/2 in clear text), which would also complicate an implementation in a widely used browser. Doing the negotiation over HTTPS is much less error-prone, as "not supporting it" simply means switching down to the safe old HTTP/1.1 approach.

Traditional answered 26/12, 2015 at 22:48 Comment(3)
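The two negotiation paths the answer contrasts, as an added example that is not part of the original answer or its author's code: the cleartext path is an ordinary HTTP/1.1 request carrying Upgrade: h2c plus a base64url-encoded SETTINGS payload in HTTP2-Settings (RFC 7540 section 3.2), and the client then has to interpret whatever the server sends back, including the error responses from servers that choke on an unknown Upgrade token; the TLS path just offers "h2" and "http/1.1" through ALPN and reads back what the server picked. The response bytes below are constructed for illustration, and the function names are my own.

```python
import base64
import ssl
import struct

# RFC 7540 SETTINGS identifiers carried in the HTTP2-Settings header.
SETTINGS_MAX_CONCURRENT_STREAMS = 0x3
SETTINGS_INITIAL_WINDOW_SIZE = 0x4

# Every HTTP/2 connection, h2c or h2, starts with this client preface once
# the protocol has been agreed.
CONNECTION_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"


def encode_http2_settings(settings):
    """Serialise {setting_id: value} as a SETTINGS frame payload (6 bytes per
    entry: 16-bit id, 32-bit value), base64url-encoded without '=' padding,
    which is the HTTP2-Settings header format of RFC 7540 section 3.2.1."""
    payload = b"".join(struct.pack("!HI", sid, val) for sid, val in settings.items())
    return base64.urlsafe_b64encode(payload).rstrip(b"=").decode("ascii")


def decode_http2_settings(value):
    """Inverse of encode_http2_settings: what an h2c-capable server does."""
    raw = base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))
    if len(raw) % 6:
        raise ValueError("HTTP2-Settings payload is not a whole number of settings")
    return {sid: val for sid, val in struct.iter_unpack("!HI", raw)}


def build_h2c_upgrade_request(host, path="/", settings=None):
    """The HTTP/1.1 request that asks for cleartext HTTP/2. This is the
    request a broken HTTP/1.1 server may answer with an error."""
    if settings is None:
        settings = {SETTINGS_MAX_CONCURRENT_STREAMS: 100,
                    SETTINGS_INITIAL_WINDOW_SIZE: 65535}
    lines = [
        f"GET {path} HTTP/1.1",
        f"Host: {host}",
        "Connection: Upgrade, HTTP2-Settings",
        "Upgrade: h2c",
        f"HTTP2-Settings: {encode_http2_settings(settings)}",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def classify_upgrade_response(raw):
    """Decide what the client does with the server's reply to the upgrade.

    ("h2c", rest)     server switched; rest starts its SETTINGS frame and the
                      client must now send CONNECTION_PREFACE
    ("http11", None)  server ignored Upgrade and answered as HTTP/1.1, the
                      RFC-conformant way to decline
    ("error", code)   server rejected the unknown Upgrade token; the client
                      has to retry the request without it
    ("malformed", None) not an HTTP/1.x response at all
    """
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        return ("malformed", None)
    status_line, *header_lines = head.split(b"\r\n")
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/1.") or not parts[1].isdigit():
        return ("malformed", None)
    status = int(parts[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    if status == 101:
        if headers.get(b"upgrade") == b"h2c":
            return ("h2c", rest)
        return ("malformed", None)  # switched to a protocol we did not offer
    if 200 <= status < 400:
        return ("http11", None)
    return ("error", status)


def alpn_client_context():
    """The TLS side: offer 'h2' first and 'http/1.1' as the fallback via ALPN
    (RFC 7301). The offer travels inside the ClientHello, so a port-80
    middlebox never sees it, and an h2-unaware server simply picks http/1.1."""
    ctx = ssl.create_default_context()
    ctx.set_alpn_protocols(["h2", "http/1.1"])
    return ctx


def protocol_after_handshake(selected):
    """Map SSLSocket.selected_alpn_protocol() to the protocol to speak. None
    (server without ALPN) or anything but 'h2' degrades to HTTP/1.1."""
    return "h2" if selected == "h2" else "http/1.1"
```

With a live socket you would wrap it with alpn_client_context().wrap_socket(sock, server_hostname=host) and pass sock.selected_alpn_protocol() to protocol_after_handshake; the cleartext path instead needs the extra round trip of build_h2c_upgrade_request and a classifier like classify_upgrade_response, and it is the "error" branch that the answer says a browser would rather not have to handle at scale.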
Security is only one reason for enforcing HTTPS. The other is that it centralizes the Internet in their hands, as through the CAs browser vendors will be able to dictate who will be able to publicize. Sites serving unwanted content will have their certificates revoked and can't switch back to plain text after it has been phased out. – Recollection
@Recollection How so? A user can always choose to override the unknown CA warning, and there is the possibility of using Let's Encrypt's open CA. – Bless
@PeterB That's not a valid argument. First, having the user override the warning is not practical, and second, it's highly likely that browser vendors will take even that away once they feel the time is right to ram it through. Let's Encrypt is doing a great job, but they are also part of the problem because they are a single point of failure. In any case, CAs have very little freedom. They have to follow the rules set out by the CA/B Forum, which basically is Google, and Chrome has won the second browser war. Whatever policy they code into it becomes a de-facto standard. – Recollection
