The approval of HTTP/2 by the Internet Engineering Steering Group (IESG) back in mid-February marked the next major version of the network protocol used by the web. HTTP/2 is based on Google's SPDY protocol, which was already implemented in Chrome, Firefox, Opera, Safari, and other browsers. The goals of HTTP/2 are to allow clients and servers to choose which protocol to use, maintain compatibility with HTTP/1.1, decrease page load latency, and support the common existing uses of HTTP.
So how will HTTP/2 affect Internet security?
The IETF has not made Transport Layer Security (TLS) mandatory for HTTP/2. The HTTP/2 specification describes how to use it both in clear text and over TLS. But both the Google and Mozilla development teams have announced their intention to support HTTP/2 over TLS only. And while Microsoft has yet to announce anything officially, test versions of Internet Explorer on the new Windows 10 have shown that Microsoft has made the same decision. All of which makes TLS effectively mandatory for HTTP/2 in practice.
If you want to maximize the benefits of HTTP/2, then you should consider implementing it with TLS. HTTP/2 comes with specific TLS requirements and mandates a stricter TLS profile than HTTP/1.1 ever did. The specification requires TLS version 1.2 or higher, forbids compression and renegotiation, and has strict requirements for key sizes and cipher suites. Here is a summary of HTTP/2's TLS features/recommendations for browsers and individual users:
HTTP/2 also requires the Application-Layer Protocol Negotiation (ALPN) TLS extension (RFC 7301), which lets the client and server agree on the HTTP version during the TLS handshake itself, without an extra round trip.
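To make the TLS profile above concrete, here is an added example (not code from the original post) that audits a negotiated TLS session against the HTTP/2 requirements just listed: TLS 1.2 or higher, no compression, no renegotiation, ephemeral key exchange with the minimum sizes from RFC 7540 section 9.2, a cipher suite outside the RFC 7540 appendix A blacklist, and `h2` selected via ALPN. The session summaries are constructed; the field names are assumptions of the example, roughly what you would pull from `openssl s_client -alpn h2` output or a server's TLS log.

```python
"""Audit a negotiated TLS session against the HTTP/2 TLS profile
(RFC 7540 section 9.2 and appendix A). Added example, not code from the
original post; the session dicts below are constructed test data."""

# RFC 7540 section 9.2.1 minimum sizes for ephemeral key exchange
MIN_KX_BITS = {"DHE": 2048, "ECDHE": 224}
TLS_VERSION_ORDER = {"TLSv1": (1, 0), "TLSv1.1": (1, 1),
                     "TLSv1.2": (1, 2), "TLSv1.3": (1, 3)}
# TLS 1.3 suites carry no key-exchange name but are always ephemeral + AEAD
TLS13_SUITES = {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
                "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_CCM_SHA256"}


def cipher_suite_allowed(name):
    """Appendix A of RFC 7540 blacklists every TLS 1.2 suite that lacks
    ephemeral key exchange or an AEAD cipher; encode that rule instead of
    carrying the full list around."""
    if name in TLS13_SUITES:
        return True
    ephemeral = name.startswith(("TLS_ECDHE_", "TLS_DHE_"))
    aead = any(tag in name for tag in ("_GCM_", "_CCM", "_CHACHA20_POLY1305_"))
    return ephemeral and aead


def audit_h2_tls(hs):
    """Return a list of violations; an empty list means the session meets
    the HTTP/2 TLS profile.  `hs` is a constructed summary dict (assumed
    field names: version, alpn, compression, renegotiation_allowed,
    cipher_suite, key_exchange)."""
    problems = []
    version = TLS_VERSION_ORDER.get(hs.get("version"), (0, 0))
    if version < (1, 2):
        problems.append("TLS version %s is below the required 1.2" % hs.get("version"))
    if hs.get("alpn") != "h2":
        problems.append("ALPN did not negotiate h2 (got %r)" % hs.get("alpn"))
    if hs.get("compression", "NONE") != "NONE":
        problems.append("TLS compression enabled (%s); forbidden" % hs["compression"])
    if hs.get("renegotiation_allowed", False):
        problems.append("TLS renegotiation allowed; forbidden")
    suite = hs.get("cipher_suite", "")
    if not cipher_suite_allowed(suite):
        problems.append("cipher suite %s is blacklisted (needs ephemeral KX + AEAD)" % suite)
    kx = hs.get("key_exchange", {})
    limit = MIN_KX_BITS.get(kx.get("type"))
    if limit is None:
        problems.append("key exchange %r is not ephemeral" % kx.get("type"))
    elif kx.get("bits", 0) < limit:
        problems.append("%s key of %d bits is below the %d-bit minimum"
                        % (kx["type"], kx["bits"], limit))
    return problems


# Constructed sessions: one that meets the profile, one that a peer may
# reject (RFC 7540 lets it treat a blacklisted suite as INADEQUATE_SECURITY).
GOOD_SESSION = {
    "version": "TLSv1.2", "alpn": "h2", "compression": "NONE",
    "renegotiation_allowed": False,
    "cipher_suite": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "key_exchange": {"type": "ECDHE", "bits": 256},
}
BAD_SESSION = {
    "version": "TLSv1.1", "alpn": "http/1.1", "compression": "DEFLATE",
    "renegotiation_allowed": True,
    "cipher_suite": "TLS_RSA_WITH_AES_128_CBC_SHA",
    "key_exchange": {"type": "RSA", "bits": 2048},
}

if __name__ == "__main__":
    for label, session in (("good", GOOD_SESSION), ("bad", BAD_SESSION)):
        print(label, audit_h2_tls(session) or "meets the HTTP/2 TLS profile")
```

The cipher-suite check deliberately reduces the appendix A blacklist to its underlying rule (ephemeral key exchange plus an AEAD cipher), which is also why the mandatory-to-implement suite TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 passes while any static-RSA or CBC suite fails; a real deployment check would feed it the values from an actual handshake rather than the constructed dicts.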
The moral of the story is this: HTTP/2 will be faster and safer. If you want to take advantage of reduced page latency, protect your users' privacy, and keep their data secure, consider implementing HTTP/2 with TLS.
For more information on HTTP/2, review the http2 explained guide.
Update July 14, 2015: Apple will support HTTP/2 in iOS 9 and OS X 10.11 and will require that HTTP/2 be used over an encrypted TLS connection.