03-05-2015

Welcome to the Web, HTTP/2

With the IETF's recent approval of the HTTP/2 protocol, major browsers and technology experts are hyped about the benefits of a new and improved protocol. HTTP 1.0 has been around since 1999 and, like any sixteen year-old, it’s starting to act up. Although most Internet users are blaming Comcast when they have a slow connection, experts know that the first HTTP protocol is outdated and needs to be replaced in order to improve Internet connectivity. Enter HTTP/2—a new protocol expected to improve not only the speed of the Internet but also improve Internet security.

HTTP/2 Brings Faster Internet

HTTP/2 will use much of the innovation that was included in Google's protocol SPDY (pronounced speedy; pun intended). While Google has announced that they will stop supporting their own protocol SPDY in order to contribute to HTTP/2, some of the major developments from SPDY will contribute to HTTP/2 and the speed of the new protocol. As Engadget reported, Internet transfer speeds are expected to increase by more than 20% with HTTP/2. Some users say that even a 30% increase in speed is common. These increased transfer speeds are the result of several changes and improvements to the protocol.

1. HTTP/2 improves the speed of Internet transfers mainly by utilizing only one connection between the browser and the server. This will significantly decrease the time of each Internet connection because browsers and servers will not have to create new connections every time a request is sent.

2. HTTP/2 uses multiplexing. Multiplexing will allow browsers to send multiple requests to the server at a time. One of the main problems with HTTP 1.0—a problem that not even HTTP 1.1 could resolve—was the "head-of-line blocking" which only allowed a single request to be sent to a server at a time.

3. HTTP/2 deploys server push. Instead of the browser-server exchange that existed with HTTP 1.0 (browser to server back to browser, etc.), server push will seek to avoid this back-and-forth by first providing the information the server needs. This will save time on each browser request.

Other notable changes that will improve Internet connection speeds are HTTP/2 becoming a binary protocol (instead of textual), and HTTP/2 using header compression to reduce overhead.

How Encryption Fits into HTTP/2

Despite all improvements that HTTP/2 will do for Internet connection speed, the IETF Working Group has thus far neglected to require encryption for the new protocol. According to this statement by Mark Nottingham, chair of the IETF HTTP Working Group, "HTTP/2 doesn’t require you to use TLS (the standard form of SSL, the Web’s encryption layer), but its higher performance makes using encryption easier, since it reduces the impact on how fast your site seems." Yet, even with this prediction, major browsers such as Google Chrome and Mozilla Firefox have claimed that they will only support HTTP/2 with TLS.

Admins should note that while HTTP/2 does not yet require TLS, there are new requirements for when TLS is in use. The spec from the Working Group states that, "Implementations of HTTP/2 MUST use TLS [TLS12] version 1.2 or higher for HTTP/2 over TLS." This requirement will improve the standard of Internet security and encourage admins to update their certificates to the highest TLS protocols.

Another important requirement for HTTP/2 over TLS is that "TLS implementation MUST support the Server Name Indication (SNI)." SNI, already supported by newer browsers, improves the efficiency of SSL Certificates to verify multiple domains.

While the hype for HTTP/2 is great and the promises of a better Internet even greater, the need for encryption should still be a top security priority for all Internet users. As browsers integrate the HTTP/2 protocol, site owners should continue to verify that their SSL Certificates are compliant with the new protocol, and site visitors should continue to trust only sites that are certified by a trusted Certificate Authority.

UP NEXT

3 Surprising Uses of PKI in Big Companies and How to Ensure They Are all Secure

Featured Stories

VMC Blog Featured Image

Getting Your Logo in Your User's Inbox: Tips Learned from the VMC Gmail Pilot

What Makes Digital Signatures Secure

How Vaccine Passports Could Change Digital Identity