Now that the HTTP/2 specification has been formally approved, it seems that the Web has two choices when it comes to replacing HTTP: HTTP/2 or HTTP Secure (HTTPS).
HTTPS is a protocol designed to improve encryption and communications across the Web. The Electronic Frontier Foundation (EFF), along with a group of technology organizations and researchers, is working to ease the Web's transition from HTTP to HTTPS through its Let’s Encrypt initiative.
“We would like to see the vast majority of Web traffic use HTTPS instead of unencrypted HTTP. It’s why we exist,” said Josh Aas, executive director of the Internet Security Research Group (ISRG), a nonprofit organization managing the Let’s Encrypt initiative.
Both protocols have one thing in common: replacing HTTP. Although the HTTP protocol has been widely used, it is insecure and leaves the Web vulnerable, according to the EFF. So the question now is, which protocol—HTTPS or HTTP/2—will better serve the Web?
“HTTPS and HTTP/2 aren’t competing protocols. We need them both,” said Patrick McManus, platform engineer at Mozilla, which is an implementer of HTTP/2.
While HTTPS is meant to replace HTTP, it is technically not a protocol in its own right; it is meant to add more security to HTTP. “Any version of HTTP secured with the Transport Layer Security (TLS) encryption protocol can be called HTTPS,” said McManus. “You can have HTTP/1 or HTTP/2 over TLS, and in both cases you can call the result HTTPS. This being the case, HTTP/2 doesn’t really compare to HTTPS; it’s simply able to run over HTTPS.”
According to Aas, the HTTP/2 specification doesn’t require encryption, but major implementations will. Firefox will require HTTP/2 to run over TLS, thus resulting in HTTPS.
“New technology should be built on engineering best practices, and using secure communications channels is definitely a best practice that serves our users well,” McManus said.
Let’s Encrypt, which is scheduled to launch in the middle of this year, is also working on making it easier to require encryption for HTTP/2.
“Let’s Encrypt will offer free certificates through an easy-to-use automated system, making it easier to deploy encryption via TLS, and thus HTTP/2,” Aas said. “Reducing cost and complexity is important if we’re going to require encryption for a technology that will become a fundamental part of the Web.”
HTTP/2 was developed with HTTP/1 compatibility, so servers and browsers can offer HTTP/2 support without having to make any changes to Web content, according to McManus.