by Michael_Murray 4595 days ago
This made me sigh.

Don't get me wrong... As a lifelong security guy, I'm happy to see more encryption. But implementing more security at one layer adversely impacts security at other layers (e.g. IDS).

We're really bad (as a species) at unintended consequences....


IDS is itself an unintended consequence of a) app layer bugs enabling the intrusion, and b) opportunistic mass malware that doesn't even consider itself worthy of using TLS.

Personally, I'd rather make life harder for the pervasive eavesdroppers and the semi-skilled attackers.

Isn't SSL often terminated at some network equipment in front of the real webserver? An IDS can still work behind that.

He's probably talking about client-side IDS, such as in a corporate environment.

It's worth noting that in such an environment, he likely controls the client machines themselves (i.e., only corporate machines on the corporate network), so it's straightforward to just push out a trusted Certificate Authority and intercept anyways.

As a security novice, could you expand?

Snarky answer: He wants to be able to spy on his users in order to protect them from themselves.

Also want more information about what you said.
IDS was only one example.

When technology evolves, we tend to break the things that we used to work around the limitations in the previous technologies.

There's a whole suite of technologies in security that rely on the idea that we can look at packets as they travel to figure out if anything malicious is going on - Intrusion Detection Systems, Data Loss/Leak Prevention, Deep Packet Inspection Firewalls, Web Content Filters, etc. Each of those systems relies on the ability to see the unencrypted traffic - to "spy" on users, as someone else so snarkily put it.

As SSL has become more prevalent, we have turned to (as someone else pointed out) terminating the encrypted traffic once it's on a "trusted" network so we can do that - but, if HTTP/2 is ONLY over SSL, there will be no "termination" - it will be encrypted from one end to the other.

That means that all of the traditional security technologies will be completely blind to anything that happens in that communication stream.

I wasn't bemoaning progress - I think this is a good step. But it's also a step toward a temporary lack of security as the organizations catch up. It's because the security industry is a trailing industry (by definition) - you can't build a product that fixes security issues until you know: a) what the issues are, and b) how to fix them.

So, for a while, the early adopters of HTTP/2 are going to fly without a net somewhat.

(FYI - this same set of discussion points applies to IPv6 adoption)