Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Why do web browsers not support h2c (HTTP/2 without TLS)?

Tags:

https

http2

I really search the web, and I can not find the reason why web browsers do not support h2c (http/2 with no TLS). Any idea, appreciated.

A little bit clarification http/2 with https uses ALPN (this is called h2). http/2 with http does not need ALPN(this is called h2c), but almost no web browser support it. Why is so?

I feel that for many resources, there is no need for confidentiality though authenticity is always good (the digital signature of the http body is not widely supported though there are some private implementations). Given confidentiality is not needed, then h2c is really a good thing to have.

like image 239
user1462586 Avatar asked Oct 17 '17 11:10

user1462586


People also ask

Can HTTP2 work without TLS?

Does HTTP/2 require encryption? No. After extensive discussion, the Working Group did not have consensus to require the use of encryption (e.g., TLS) for the new protocol.

Is HTTP2 supported by all browsers?

The HTTP/2 specification was published as RFC 7540 on May 14, 2015. The standardization effort was supported by Chrome, Opera, Firefox, Internet Explorer 11, Safari, Amazon Silk, and Edge browsers. Most major browsers had added HTTP/2 support by the end of 2015. About 97% of web browsers used have the capability.

What is H2C HTTP2?

HTTP2 Over Cleartext (H2C) However, H2C or “http2 over cleartext” is where a normal transient http connection is upgraded to a persistent connection that uses the http2 binary protocol to communicate continuously instead of for one request using the plaintext http protocol.


1 Answers

Technically

There are several technical reasons why HTTP/2 is much better and easier to handle over HTTPS:

  1. Doing HTTP/2 negotiation in TLS with ALPN is much easier and doesn't lose round-trips like Upgrade: in plain HTTP does. And it doesn't suffer from the upgrade problem on POST that you get with plain-text HTTP/2.
  2. N% of the web doesn't support unsolicited Upgrade: h2cheaders in requests and instead respond with 400 errors.
  3. Doing something else than HTTP/1.1 over TCP port 80 breaks in Y% of the cases since the world is full of middle-boxes that "help" out and replace/add things in-stream for such connections. If that then isn't HTTP/1.1, things break (this is also why brotli for example also requires HTTPS).

Ideologically

There's a push for more HTTPS on the web that is shared by and worked on in part by some of the larger web browser developer teams. That makes it considered a bonus if features are implemented HTTPS-only as they then work as yet another motivation for sites and services to move over to HTTPS. Thus, some teams never tried very hard (if at all) to make HTTP/2 work without TLS.

Practically

At least one browser vendor expressed its intention early on to implement and provide HTTP/2 for users done over plain-text HTTP (h2c). They ended up never doing this because of technical obstacles as mentioned above.

like image 127
Daniel Stenberg Avatar answered Oct 10 '22 00:10

Daniel Stenberg