Consider implementing h2c (http/2 over TCP)
Categories
(Core :: Networking: HTTP, enhancement)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox59 | --- | affected |
People
(Reporter: mark, Unassigned)
Details
|
||
Comment 2•7 years ago
|
||
|
||
Updated•7 years ago
|
|
Reporter | |
Comment 3•7 years ago
|
||
|
||
Comment 4•7 years ago
|
||
|
|
Reporter | |
Comment 5•7 years ago
|
||
(In reply to Mark Straver from comment #5)
RFCs hardly "require" anything, and even if they do, it's regularly ignored
because "it's just an RFC".I'm simply a little peeved that once again things are only done half because
of arbitrary decisions based on preference, enforcing a certain precondition
on users, instead of going the full mile and doing things PROPERLY. As
stated in my original comment, h2c will benefit unencrypted connections just
as much as encrypted ones; shouldn't Firefox strive to be better/faster?Can you give me a good technical (not organizational or arbitrary) reason
why this should not be implemented? Because I'm all for agreeing with you if
there is a real, objective reason.
Several reasons about supporting HTTP/2 only for secure connections have been extensively explained (see also HTTP/2 in wikipedia and other documents written by IETF group about httpbis).
Main reasons are:
-
between a client browser and a server HTTP/2 there can be malicious entities trying to sniff HTTP traffic through not encrypted connections; it's the MITM (man in the middle) problem; several problems can arise from this, from data injection in HTTP requests / responses to monitoring / spying data being exchanged, etc.; when a new binary protocol (just like HTTP/2) is involved this becomes unacceptable for nowadays security standards; you cannot risk to have a bit or a byte changed and so to ruin all the subsequent data flowing through connection (misinterpreted, etc.);
-
between a client browser and a server HTTP/2 there may be several transparent proxies which support only HTTP/1.0 or at most HTTP/1.1, usually badly because most of them have problems with pipelined requests and other implementation details;
these proxies usually try to inspect and to optimize HTTP traffic; all these would not be compliant with HTTP/2 clear traffic (h2c) and so in many cases a lot of connections would not work; instead they have always been transparent with encrypted connections (i.e. web sockets, SSL, etc.); when a transparent proxy recognizes an encrypted connection it will simply forward data received without inspecting it and in this case HTTP/2 always works without further problems; -
it's good to use only one port (443) for HTTP/2 connections so there are less problems about what kind of connection to use, unsecure or secure, if both were implemented; adding h2c support on port 80 would slow down new connections for both HTTP/1.x and HTTP/2.
Having said that, secure connections require certificates that may expire yearly and this can be a serious problem for embedded devices (routers, etc.) that work inside a LAN or a WAN; in this case, assuming there are low security threats to these devices and no performance problems with admin web interface, old protocol HTTP/1.1 can be used.
It looks like that h2c was allowed mainly for testing purposes, anyway decisions about this topic have already been made by browser and server developers / product managers many years ago so the case is closed.
(In reply to Fuwei Chin from comment #6)
I was going to vote this up because I need to debug my webapp by capturing HTTP traffic, while Firefox implements only h2 mode of HTTP/2 spec (HTTP/1.1 can be used with or without TLS).
But now that Firefox 81+ supports Wireshark ssl traffic decryption, see How to Decrypt SSL using Chrome or Firefox and Wireshark in Windows, h2c is not so necessary to me.
This is not SPAM, good advice.
|
||
Comment 9•3 years ago
|
||
Implementing HTTP/2 would be useful for already encrypted networks: I2P, TOR hidden services, Yggdrassil.
Description
•