HTTP/2: We Need It, But Is It Secure?

January 18, 2016 • Published by

Buzz is growing about a new HTTP coming to market. This new version of Hypertext Transfer Protocol, HTTP/2, is attracting much fanfare because it promises greater speed and efficiency.

The Internet isn’t “broken,” so why fix it?

What most people don’t know is that many parts of the Internet are held together with string and duct tape. HTTP has been around since 1991, but the current working version (1.1) has been in place since 1999. We are using technology originally designed in 1999 to transmit small graphics and text to route and share applications, photos, and the IoT (Internet of Things), and the stress on the Internet is becoming apparent.

“When you first start out, you are just happy to get a job, any job. And as time goes on, either you move forward or screech to a halt” ~ George Clooney

As it stands, the Internet was not built for mobile devices or the IoT. Mobile developers have had to find ways to fit a square peg into a round hole, wasting precious server and network resources on inventing ways to “push” data to clients.

Back at the advent of the Internet, every device either requested information from a server (commonly called a GET request) or sent data to it (a POST command). Efficiency became a problem mainly because fixes have been layered onto the protocols over time. Slapping some duct tape on a broken part only buys you a little more time; it doesn’t actually fix anything.

Who’s behind the upgrade?

Fortunately for us, there is a group responsible for designing and maintaining the Internet as we know it: The Internet Society. ISOC, as it is commonly known, has multiple subsidiary organizations performing many Internet-related tasks, but their combined goal is to “make the Internet work better.” The Internet Engineering Task Force (IETF) does the bulk of the heavy lifting in this department, and HTTP/2 is its proposed fix for the current issues at hand.

HTTP/2 (HTTP 2.0) is the next major version of the HTTP protocol. The IETF has published a working draft of HTTP/2 and so far it looks promising.

What is proposed?

To understand the fixes present in HTTP/2, we first need to understand what was not working in HTTP/1.1:

  • Speed
  • Efficiency
  • Security
  • Support for Mobile Infrastructure

Speed under HTTP/1.1 is a known limiting factor. To remedy some of these issues, HTTP/2 introduces multiplexing, stream prioritization and header compression. Many of these features, such as multiplexing and concurrency, have been used to increase bandwidth in other types of systems (such as telephone systems) for years and have finally found a home on the Internet.

TCP-layer optimization and header compression are also present in the new HTTP protocol. Layer optimization involves limiting the number of TCP connections a client holds at one time: where an end user can currently open several connections at once, the new approach gives each client a single TCP connection but lets it send more information concurrently over that one connection.

HTTP/2 also lets servers send information to devices without an initial request. This server push lets a server send data before the client asks for it, which makes for a much quicker and more responsive Internet. It also lets applications use bandwidth more intelligently, sending data in the first open space within a channel instead of waiting for the client to request the data and then finding a place in the channel for it.

But what about security?

HTTP security has been a front-burner issue for the last year. HTTP/1.1 permits the use of insecure protocols and encryption methods in order to accommodate legacy connections. There is no standardized list of “industry-standard encryption” in the protocol; it’s a wild west. HTTP/2 attempts to solve that (for now).

The IETF’s work-in-progress draft outlines two features that are critical to the success of Internet security:

  1. Insecure transport security protocols such as SSLv1, 2, 3 and TLS 1.0 are proposed to be officially “dead” within this new HTTP standard. Support for TLS 1.2, and modular support for future protocols, is inherent in secured HTTP/2 connections.
  2. A cipher suite blacklist has been introduced to specifically disallow the use of known weak encryption ciphers. Effectively this also kills RC4, DES, SHA1 and MD5 (THANK YOU).
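To make the two requirements above concrete, here is an added checker (written for this article, not IETF or vendor code) that takes a negotiated protocol version and IANA cipher suite name and says whether HTTP/2 would accept the session. It encodes the rules as published in RFC 7540 section 9.2: TLS 1.2 or newer, and no suite from the Appendix A blacklist, which the code approximates by the properties that define that list (non-ephemeral key exchange, or a non-AEAD construction such as RC4, DES and CBC with an MD5 or SHA-1 MAC). The sample sessions are constructed.

```python
import re

# Rules encoded from RFC 7540 section 9.2 (the published form of the draft):
#  * TLS 1.2 or newer is required; SSLv2/3, TLS 1.0 and TLS 1.1 are rejected.
#  * Suites in the Appendix A blacklist must not be used. That list is
#    approximated here by the properties that define it: no ephemeral
#    (forward-secret) key exchange, or a non-AEAD construction (RC4, DES/3DES,
#    NULL and export ciphers, and CBC modes authenticated with MD5 or SHA-1).
MIN_VERSION = (1, 2)
WEAK_BULK = ("RC4", "DES", "NULL", "EXPORT")  # "DES" also matches 3DES_EDE

# Constructed sample sessions: (protocol name, IANA cipher suite name).
SAMPLE_SESSIONS = [
    ("TLSv1.0", "TLS_RSA_WITH_RC4_128_SHA"),
    ("TLSv1.2", "TLS_RSA_WITH_AES_128_GCM_SHA256"),
    ("TLSv1.2", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"),
    ("TLSv1.2", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"),
    ("TLSv1.3", "TLS_AES_256_GCM_SHA384"),
]

def tls_version_tuple(name):
    """Map 'SSLv3' / 'TLSv1.2' style names to a comparable (major, minor)."""
    m = re.fullmatch(r"(SSL|TLS)v(\d)(?:\.(\d))?", name)
    if not m:
        raise ValueError(f"unrecognised protocol name: {name}")
    major, minor = int(m.group(2)), int(m.group(3) or 0)
    return (0, major) if m.group(1) == "SSL" else (major, minor)  # SSL < TLS

def blacklist_reason(suite):
    """Return why `suite` is blacklisted for HTTP/2, or None if it is allowed."""
    if suite.startswith(("TLS_AES_", "TLS_CHACHA20_")):
        return None  # TLS 1.3 suites: always AEAD, key exchange always ephemeral
    if any(weak in suite for weak in WEAK_BULK):
        return "weak or null bulk cipher"
    if "DHE" not in suite.split("_WITH_")[0]:  # key-exchange part of the name
        return "non-ephemeral key exchange (no forward secrecy)"
    if not re.search(r"_(GCM|CCM|CHACHA20_POLY1305)", suite):
        return "non-AEAD suite (CBC with an MD5 or SHA-1 MAC)"
    return None

def h2_session_ok(version, suite):
    """Return (ok, reason) for one negotiated (version, cipher suite) pair."""
    if tls_version_tuple(version) < MIN_VERSION:
        return False, f"{version} is below the TLS 1.2 minimum HTTP/2 requires"
    reason = blacklist_reason(suite)
    return (False, f"{suite}: {reason}") if reason else (True, "acceptable")

if __name__ == "__main__":
    for version, suite in SAMPLE_SESSIONS:
        print(version, suite, h2_session_ok(version, suite))
```

Of the five constructed sessions only the last two pass; the RC4, static-RSA and CBC/SHA-1 suites are each rejected for the reason the function reports.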

My colleagues and I will be watching the progression of HTTP/2 over the coming months. This is an exciting time for the Internet and for the speed at which we do business.

Interested in learning more? Click here to request information or give us a call at 800-825-3301, ext. 2. We are happy to help.