Why do web browsers not support h2c (HTTP/2 without TLS)?

by

Technically

There are several technical reasons why HTTP/2 is much better and easier to handle over HTTPS:

  1. Doing HTTP/2 negotiation in TLS with ALPN is much easier and doesn’t lose round-trips like Upgrade: in plain HTTP does. And it doesn’t suffer from the upgrade problem on POST that you get with plain-text HTTP/2.
  2. N% of the web doesn’t support unsolicited Upgrade: h2cheaders in requests and instead respond with 400 errors.
  3. Doing something else than HTTP/1.1 over TCP port 80 breaks in Y% of the cases since the world is full of middle-boxes that “help” out and replace/add things in-stream for such connections. If that then isn’t HTTP/1.1, things break (this is also why brotli for example also requires HTTPS).

Ideologically

There’s a push for more HTTPS on the web that is shared by and worked on in part by some of the larger web browser developer teams. That makes it considered a bonus if features are implemented HTTPS-only as they then work as yet another motivation for sites and services to move over to HTTPS. Thus, some teams never tried very hard (if at all) to make HTTP/2 work without TLS.

Practically

At least one browser vendor expressed its intention early on to implement and provide HTTP/2 for users done over plain-text HTTP (h2c). They ended up never doing this because of technical obstacles as mentioned above.

More Related Contents:

  1. PhantomJS failing to open HTTPS site
  2. Is it possible to have SSL certificate for IP address, not domain name? [closed]
  3. HTTP Basic Authentication credentials passed in URL and encryption
  4. Is GET data also encrypted in HTTPS?
  5. How to run Vue.js dev serve with https?
  6. What happens on the wire when a TLS / LDAP or TLS / HTTP connection is set up?
  7. What’s the de facto standard for a Reverse Proxy to tell the backend SSL is used?
  8. Replay attacks for HTTPS requests
  9. Gradle Could not HEAD https://..pom > peer not authenticated
  10. How do I disable HTTPS in ASP.NET Core 2.1 + Kestrel?
  11. Android 8: Cleartext HTTP traffic not permitted
  12. why doesn’t java send the client certificate during SSL handshake?
  13. Session lost when switching from HTTP to HTTPS in PHP
  14. Python requests.exceptions.SSLError: EOF occurred in violation of protocol
  15. Mono https webrequest fails with “The authentication or decryption has failed”
  16. HTTPS setup in Amazon EC2
  17. Cannot push Git to remote repository with http/https
  18. How to force java server to accept only tls 1.2 and reject tls 1.0 and tls 1.1 connections
  19. Android volley self signed HTTPS trust anchor for certification path not found
  20. Python getting common name from URL using ssl.getpeercert()
  21. How to fix “insecure content was loaded over HTTPS, but requested an insecure resource”
  22. Why doesn’t Chrome browser recognize my http2 server?
  23. Page loaded over HTTPS but requested an insecure XMLHttpRequest endpoint
  24. WS on HTTP vs WSS on HTTPS
  25. Load Blade assets with https in Laravel
  26. How can I use HTTPS in AngularJS?
  27. shouldOverrideUrlLoading in WebView for Android not running
  28. What is the proper HTTP response to send for requests that require SSL/TLS
  29. Getting the location from a WebClient on a HTTP 302 Redirect?
  30. Android SSL HttpGet (No peer certificate) error OR (Connection closed by peer) error

Leave a Comment