HTTP 2.0 wins approval: Road to better encryption?

A revision to the HTTP standard that governs the way Web pages load has been approved. Faster pages are nice, but in practice encryption is likely to improve.

The HTTP standard is getting an overhaul, and while faster Web pages are a big win for the first major revision since 1999, better encryption may have a more lasting impact.

In a blog post, Mark Nottingham, chairman of the IETF working group behind creating the standards, said the HTTP 2.0 specifications have been formally approved. From here, the specs go through a request for comment phase and are then published.

HTTP, or Hypertext Transfer Protocol, is one of the standards that makes the Web tick. In a nutshell, HTTP allows a browser to connect with a Web server to load a page. HTTP 2.0 promises faster loading speeds.

As CNET noted, the HTTP 2.0 standard is based on SPDY, which was introduced by Google and adopted by other browsers. That HTTP 2.0 originated from a Google protocol has caused some consternation.

In the long run, speed is likely to be the No. 2 advance from HTTP 2.0. Encryption in HTTP 2.0 will mean fewer attacks and less snooping overall. Technically, HTTP 2.0 doesn't require better encryption, but Mozilla and Google won't support the standard without it. Add it up and HTTP 2.0 will bring encryption. Anyone adopting HTTP 2.0 will need to support Transport Layer Security to interoperate with a wide range of browsers.

Nottingham noted in a blog post last year:

HTTP/2 doesn't require you to use TLS (the standard form of SSL, the Web's encryption layer), but its higher performance makes using encryption easier, since it reduces the impact on how fast your site seems.

In fact, many people believe that the only safe way to deploy the new protocol on the "open" Internet is to use encryption; Firefox and Chrome have said that they'll only support HTTP/2 using TLS.

They have two reasons for this. One is that deploying a new version of HTTP across the Internet is hard, because a lot of "middleboxes" like proxies and firewalls assume that HTTP/1 won't ever change, and they can introduce interoperability and even security problems if they try to interpret a HTTP/2 connection.

The other is that the Web is an increasingly dangerous place, and using more encryption is one way to mitigate a number of threats. By using HTTP/2 as a carrot for sites to use TLS, they're hoping that the overall security of the Web will improve.