Verizon, Cisco, Microsoft And Others Pull The Plug On Default Encryption In HTTP/2

The HTTP/2 standard, the successor to HTTP/1.1, has recently been finalized by the Internet Engineering Task Force (IETF), and all browsers and servers are now free to use it. HTTP/2 started as a Google project called SPDY, which was encrypted by default, and it later entered the IETF standardization process so that every browser could adopt it.

Unfortunately, despite the protocol's initial promise to be encrypted-only, the Open Web Alliance group, formed by companies such as Verizon, Comcast, Cisco, DISH, Microsoft and others, managed to fight against that plan in the last few months of the protocol's standardization process, making encryption optional. (You can learn more about the Open Web Alliance in this InfoWorld article.)

This happened despite an almost unanimous consensus within the IETF in the fall of 2013 (after the Snowden revelations) to work toward an Internet where everything is encrypted by default (see video below).

Through the lobbying power of the Open Web Alliance group, and through well-placed members inside the IETF serving as co-chairs from companies such as Cisco and even from agencies such as the NSA, the IETF eventually lost consensus for mandating that all HTTP/2 connections be secure by default.

The ones who had the most to gain from this are the telecom companies, which have recently started injecting ads into their customers' browsing to make some extra revenue, despite already being paid more than reasonably well for their Internet connection services. Some of these companies have backtracked somewhat, in the sense that their tracking and ad injection is now optional, but it still requires an opt-out; meaning, it's enabled by default for all customers.

Even if they had backtracked completely because of the recent PR scandals about these issues, the damage to the HTTP/2 protocol is already done, because it's unlikely that an updated version mandating encryption will arrive anytime soon. The previous version of the HTTP protocol came out in 1999, 16 years ago.

Fortunately, the browsers that have adopted it so far, such as Chrome and Firefox, enable only the encrypted version of HTTP/2. In these browsers there is no option to use HTTP/2 without encryption, at least for now.

Despite Microsoft being part of the group that opposed mandatory encryption in HTTP/2, the Internet Explorer (IE) browser that currently ships with Windows 10 also supports only the encrypted version of HTTP/2. However, Windows 10 is still in preview, and we haven't seen Project Spartan yet, so it remains to be seen whether Microsoft will keep the encrypted-only HTTP/2 or also adopt the plain-text variant in the final versions of its IE browsers. If Microsoft wants IE to be seen as being as secure as Chrome and Firefox, then hopefully the company will support only the encrypted version of HTTP/2.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.