Apart from the issue with MITM attacks, they will be forever stuck on HTTP version 1 due to the fact that hardly any web-server or browser vendor plans on implementing HTTP2 without HTTPS. Plain HTTP is in the spec, but it seems to be that most vendors are deliberately leaving it out (something I agree with).

From the IETF HTTP WG FAQ:

> "Does HTTP/2 require encryption?
> No. After extensive discussion, the Working Group did not have consensus to require the use of encryption (e.g., TLS) for the new protocol. However, some implementations have stated that they will only support HTTP/2 when it is used over an encrypted connection, and currently no browser supports HTTP/2 unencrypted."[1]

From Wikipedia:

> "Although the standard itself does not require usage of encryption, most client implementations (Firefox, Chrome, Safari, Opera, IE, Edge) have stated that they will only support HTTP/2 over TLS, which makes encryption de facto mandatory."[2]

From NGINX:

> "Using HTTP/2 is likely to improve website performance if you’re using SSL/TLS (referred to as TLS from here on). But if you have not, you’ll need to add TLS support before you can use HTTP/2"[3]

From Daniel Stenberg:

> "Reasons for choosing TLS-only include respect for user's privacy and early measurements showing that new protocols have a higher success rate when done with TLS. This because of the widespread assumption that anything that goes over port 80 is HTTP 1.1 makes some middle-boxes interfere and destroy traffic when instead other protocols are communicated there."[4]

[1]: http://http2.github.io/faq/#does-http2-require-encryption
[2]: https://en.wikipedia.org/wiki/HTTP/2#Encryption
[3]: https://www.nginx.com/blog/7-tips-for-faster-http2-performan...
[4]: https://daniel.haxx.se/http2/http2-v1.10.pdf
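As an added illustration of the practical consequence described above (this is not from the comment or from NGINX's post), here is a minimal nginx configuration pair: the plain-HTTP listener stays on HTTP/1.1 for every browser no matter what you configure, while the TLS listener is the only place browsers will negotiate HTTP/2, because that negotiation happens via ALPN inside the TLS handshake. The hostname, certificate paths and document root are placeholders.

```nginx
# Plain HTTP listener: browsers will only ever speak HTTP/1.1 here.
# Adding "http2" to this listen line would only enable h2c (prior-knowledge
# cleartext HTTP/2), which no mainstream browser uses, so it buys nothing
# for web traffic and still leaves the connection open to MITM.
# The useful thing to do on port 80 is redirect to TLS.
server {
    listen 80;
    server_name example.com;                # placeholder hostname
    return 301 https://$host$request_uri;
}

# TLS listener: HTTP/2 is selected through ALPN during the TLS handshake,
# so this is the only listener where browsers will actually use HTTP/2.
# "listen ... ssl http2" needs nginx 1.9.5+ built against an OpenSSL
# with ALPN support (1.0.2+); older OpenSSL falls back to HTTP/1.1.
server {
    listen 443 ssl http2;
    server_name example.com;                # placeholder hostname
    ssl_certificate     /etc/ssl/certs/example.com.pem;    # placeholder path
    ssl_certificate_key /etc/ssl/private/example.com.key;  # placeholder path
    ssl_protocols TLSv1.2 TLSv1.3;

    root /var/www/example;                  # placeholder document root
}
```

After `nginx -t` passes and the server is reloaded, `curl --http2 -sI https://example.com/` should report `HTTP/2 200`, while the same request against `http://example.com/` only ever yields an HTTP/1.1 redirect.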