by jimktrains2 3622 days ago
> Well, almost, let's address the "It's not fair" whingers. The HTTPS test is faster because it uses HTTP/2 whilst the HTTP test only uses HTTP/1.1. The naysayers are upset because they think the test should be comparing both the secure and insecure scheme across the same version of the protocol. Now we could do that with the old protocol, but here's the problem with doing it across the newer protocol [is that HTTP/2 over TLS]

This doesn't invalidate the argument that you're comparing two things and claiming you're comparing two other things prima facie. For this use-case HTTP/2 will be faster, with or without TLS (if it could be tested). Claiming that it's the TLS that's speeding up the connection (which is what you mean when you say http vs https) is just plain wrong.

4 comments

But the other point is that https now means HTTP/2 or HTTP/1.1, whereas http always means HTTP/1.1 - so I'm not sure that's true.
If https can mean one of two things, but http2 clearly means only one thing, why would anybody choose to use the term https unless they are trying to be deceptive?
Or if they're trying to refer to the thing that http2 is not?
https and HTTP/2 are not the same thing, though. Until HTTP/2 traffic is the vast majority when compared to HTTP/1.1 with TLS, you can't claim https and HTTP/2 are the same.

For example, if you terminate your secure traffic on an AWS ELB (or using S3, or CloudFront), you are serving HTTP/1.1 with TLS. And will be for the foreseeable future.

Can you point me to the RFC where https was redefined to not be HTTP/1.1 over TLS?
https was never defined in an RFC in the first place; as I understand it, it's just de facto used for that since Netscape started.
Pretty much the whole point of the article is that when you say "http vs https" you are no longer just saying TLS vs no TLS. It now means something more.
But does it? I mean, you can start a WebSockets session with an HTTP request too. No one says a WS server is an HTTP server and that HTTP is a confusing thing now.

HTTP2 can be started via an HTTP over TLS request, that doesn't mean that it's HTTPS as defined in https://tools.ietf.org/html/rfc2818 and https://tools.ietf.org/html/rfc7230

If you assume a reasonably recent browser and server, then it does. Certainly one might not grant that assumption, but I don't think it's outright wrong to make it, either. Depends on your approach.
Why assume anything? Why not simply call things what they are? The issue is that browsers don't signal that you're using http2 and they decided not to use a new schema either to help confuse us all. His point is literally based on nothing supporting http2 without TLS. What if something did? Would http also be a meaningless word? Why not call things what they are, not by what the browser is hiding.
To which people are saying, that's wrong. http2 implies https does not mean https implies http2.
HTTP 2 is pretty cool, but this is just a bad title.
> Claiming that it's the TLS that's speeding up the connection, which is what you mean when you say http vs https

But that's the entire argument he's making. It's not what I mean. When I go to my web host's sysadmins and say "I need to use https so I can use service workers," I don't mean "I need to use TLS so I can use service workers." I mean what I said. https was once defined as merely http + TLS (well, SSL), but it has now come to be a protocol/scheme that supports things that http does not. One of those, and certainly the biggest, is TLS. But there are other differences.

This is a comparison between http and https. It investigates the reason why https is faster, and makes it clear that the difference is that https means other things besides TLS.

As clearly noted, IIS doesn't support http2. So if it's http2 you want, telling the IIS sysadmin "I need https" is not going to address your problem.
IIS on Server 2016 supports http2
Well, let's imagine for the moment that your sysadmin has chosen to only deploy officially released and supported versions of software by default. Is "please enable https" the best way to communicate that they need to install a beta version of Windows?