The head of the working group designing the next version of HTTP said the HTTP/2 protocol will work only with encrypted URIs.
“I believe the best way that we can meet the goal of increasing use of TLS on the Web is to encourage its use by only using HTTP/2.0 with https:// URIs,” wrote Mark Nottingham on a W3C mailing list.
The move is a shot across the bow of increasing surveillance by the U.S. government against its own citizens and foreigners. A number of major Internet players such as Google and Facebook have turned HTTPS on by default on a number of crucial services such as Gmail. Should Nottingham’s proposal with HTTP/2 pass muster, it would be a massive step forward toward full TLS securing Web traffic.
“To be clear – we will still define how to use HTTP/2.0 with http:// URIs, because in some use cases, an implementer may make an informed choice to use the protocol without encryption,” Nottingham said. “However, for the common case — browsing the open Web — you’ll need to use https:// URIs and if you want to use the newest version of HTTP.”
There were three proposals before the working group, Nottingham said:
- Opportunistic encryption for http:// URIs without server authentication, also known as TLS Relaxed;
- Opportunistic encryption for http:// URIs with server authentication;
- HTTP/2 used only with HTTPS on the open Internet.
Nottingham said discussions landed on the third option because it introduces the fewest complexity and HSTS is an option for downgrade protection. Also, browser vendors have been vocal about the need to encrypt Web traffic, which would throw some significant weight behind the movement.
As the Snowden leaks continue to expose the breadth of NSA surveillance on Americans beyond the collection of phone call metadata to the tapping of fiber links between Internet data centers, calls for enhanced encryption get louder. Cryptographer and security expert Bruce Schneier wrote in an essay last month that the Internet facilitates surveillance as companies collect data from site visitors and companies, often in the clear.
He urged large Internet players to raise the costs of surveillance and force the NSA to put the brakes on large-scale collection in favor of targeted surveillance.
“Moore’s law has made computing cheaper. All of us have made computing ubiquitous. And because computing produces data, and that data equals surveillance, we have created a world of ubiquitous surveillance,” Schneier wrote. “Now we need to figure out what to do about it. This is more than reining in the NSA or fining a corporation for the occasional data abuse. We need to decide whether our data is a shared societal resource, a part of us that is inherently ours by right, or a private good to be bought and sold.”
In the meantime, Nottingham said that as HTTP/2 adoption moves forward, other options such as Perfect Forward Secrecy could be considered.
“I believe this approach is as close to consensus as we’re going to get on this contentious subject right now,” he said. “As HTTP/2 is deployed, we will evaluate adoption of the protocol and might revisit this decision if we identify ways to further improve security.”