Verizon, Cisco, Microsoft And Others Pull The Plug On Default Encryption In HTTP/2

The HTTP/2 standard, the successor to HTTP/1.1, has recently been finalized by the Internet Engineering Task Force (IETF), and all browsers and servers are now free to use it. HTTP/2 started as a Google project called SPDY, which was encrypted by default, and later entered the IETF standardization process so that all browsers could adopt it.

Unfortunately, despite the protocol's initial promise to be encrypted-only, the Open Web Alliance group, formed by companies such as Verizon, Comcast, Cisco, DISH, Microsoft and others, successfully fought that plan in the last few months of the standardization process, making encryption optional. (You can learn more about the Open Web Alliance in this InfoWorld article.)

This happened despite a near-unanimous IETF consensus in the fall of 2013, after the Snowden revelations, that it would try to bring about an Internet where everything is encrypted by default (see video below).

Through the lobbying power of the Open Web Alliance group, and through well-placed members inside the IETF serving as co-chairs from companies such as Cisco and even from agencies such as the NSA, the IETF eventually lost consensus for mandating that all HTTP/2 connections be secure by default.

The ones with the most to gain from this are the telecom companies, which have recently started injecting ads into their customers' browsing sessions to make some extra revenue, despite already being paid more than reasonably well for their Internet connection services. Some of these companies have backtracked somewhat, in the sense that their tracking and ad injection is now optional, but it still requires an opt-out; that is, it's enabled by default for all customers.

Even if they had backtracked completely because of the recent PR scandals about these issues, the damage to the HTTP/2 protocol is already done, because it's unlikely that an updated version mandating encryption will appear anytime soon. The previous version of the HTTP protocol came out in 1999, 16 years ago.

Fortunately, the browsers that have adopted HTTP/2 so far, such as Chrome and Firefox, are enabling only the encrypted version of the protocol. In these browsers there won't be an option to use HTTP/2 without encryption, at least for now.

Despite Microsoft being part of the group that opposed mandatory encryption in HTTP/2, the Internet Explorer (IE) browser that ships with Windows 10 right now also has only the encrypted version of HTTP/2. However, Windows 10 is still in preview, and we haven't seen Project Spartan yet. So it remains to be seen whether Microsoft will keep the encrypted-only HTTP/2 or also adopt the plain-text variant in the final versions of its IE browsers. If Microsoft wants IE to be seen as being as secure as Chrome and Firefox, then hopefully the company will support only the encrypted version of HTTP/2.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • Darkk
    The only way this would ever gain serious traction is if the entire Internet is encrypted by default. Most mail servers make encryption a priority.
  • Revoe
    Just like their promise to encrypt Android 5/L by default...
  • Onus
    If my browsing were interrupted by an ad page, I would likely become enraged.
  • Achoo22
    Onus said:
    If my browsing were interrupted by an ad page, I would likely become enraged.
    It's more subtle than that, for better or worse. My current ISP, Windstream, did and/or does redirect searches through the Firefox toolbar and also 404 (page not found) pages to their own search thingy that happened to include advertisements. This would happen regardless of your DNS settings, because they are/were using DPI (deep packet inspection) and MITM (man-in-the-middle) attacks.
  • Kewlx25
    15431903 said:
    Onus said:
    If my browsing were interrupted by an ad page, I would likely become enraged.
    It's more subtle than that, for better or worse. My current ISP, Windstream, did and/or does redirect searches through the Firefox toolbar and also 404 (page not found) pages to their own search thingy that happened to include advertisements. This would happen regardless of your DNS settings, because they are/were using DPI (deep packet inspection) and MITM (man-in-the-middle) attacks.

    http://test.dnssec-or-not.com/

    I checked the box to enable DNSSEC on my network.
  • Snur
    You are so naive!!!! The only reason Google and Facebook want encrypted traffic is so they will be the only ones knowing what you are looking at and injecting personalized ads. No one can compete with them if the content is encrypted!!
    They are not interested at all in protecting your privacy; on the contrary, they are very brutally invading it for their ad insertion.....
  • amk-aka-Phantom
    The only reason Google and Facebook want encrypted traffic is so they will be the only ones knowing what you are looking at and injecting personalized ads

    ... I don't think you really understand how encryption works.
  • Pherule
    This is appalling news. All these major companies making such a stupid decision. Let's hope Chrome and Firefox unanimously decide to only allow the secure protocol. Google has the power to fight this: blacklist and/or DDoS any website that allows the insecure protocol. Webmasters will quickly learn.
  • yumri
    Google has the power to fight this: blacklist and/or DDoS any website that allows the insecure protocol. Webmasters will quickly learn.
    I do not think Google will DDoS any website so much as just block it outright, as they can remove it from the index directly. So why DDoS anything if you can just remove the indexed location so others cannot find it in the first place?
    With Google fighting it, I think in the forum they will fight for it, as it seems to be the best for them and their tracking systems to be able to do so. With how the search engine is set up atm, they will have to do it through insecure channels to present you with better personalized web results instead of any random thing that they think you are looking for. To that end, though, they will just have to change a few lines of code for how it is routed to make it comply with HTTP/2 encryption while still tracking your searches, so they can feed you what you want to see and not so much of what you do not want to see.
    This is the downside to HTTP/2: the changes on the end side that allow them to keep on doing the tracking that they already are, while not allowing anyone else to do so. Yes, I know we do not like the ad injection by ISPs and/or whoever else does it, but would you rather just have them asking every other company for it?
    There is always a way to legally jump through hoops to get the information that they want; HTTP/2 will just make it harder for them to track you, is all ... also harder for an actual hacker to intercept what you are doing and access your personal information.
  • alextheblue
    None of this really matters if the encryption isn't very strong and most importantly, not already compromised. I wouldn't count on it. It's probably good enough to make the sheep feel safe again for a while, though.