When technology evolves, we tend to break the things that we used to work around the limitations in the previous technologies.
There's a whole suite of technologies in security that rely on the idea that we can look at packets as they travel to figure out if anything malicious is going on - Intrusion Detection Systems, Data Loss/Leak Prevention, Deep Packet Inspection Firewalls, Web Content Filters, etc. Each of those systems relies on the ability to see the unencrypted traffic - to "spy" on users, as someone else so snarkily put it.
As SSL has become more prevalent, we have turned to (as someone else pointed out) terminating the encrypted traffic once it's on a "trusted" network so we can do that - but, if HTTP/2 is ONLY over SSL, there will be no "termination" - it will be encrypted from one end to the other.
That means that all of the traditional security technologies will be completely blind to anything that happens in that communication stream.
I wasn't bemoaning progress - I think this is a good step. But it's also a step toward a temporary lack of security as the organizations catch up. It's because the security industry is a trailing industry (by definition) - you can't build a product that fixes security issues until you know: a) what the issues are, and b) how to fix them.
So, for a while, the early adopters of HTTP/2 are going to fly without a net somewhat.
(FYI - this same set of discussion points applies to IPv6 adoption)