More HTTP/2 info HTTP/2: big security and ethical questions still to be answered | Tibus
I am frustrated at this push to secure everything by Google while at the same time advertising networks are not supporting that trend.
Yeah wonder what are the top factors preventing ad networks and advertisers from going https / SSL compliant. You don't need to redirect all http traffic to https - just have the ads capable of being served from both http and https.
More HTTP/2 info: HTTP/2: The future of the Web demystified | InfoWorld
More HTTP/2 info and best practices:
Preparing for HTTP2 | Blog | Web Design Essex
HTTP/2 for a Faster Web | Cascading Media
Firefox 37 and Opportunistic Encryption = TLS over http non-encrypted connections via SPDY/3.1 or Alt-Svc: h2 headers ("alternative services")
Bits Up!: Opportunistic Encryption For Firefox
From draft-ietf-httpbis-alt-svc-04 - HTTP Alternative Services
Using Firefox 38 developer edition to test out Opportunistic Encryption over clear text http on Centmin Mod's Nginx server on port 82 with Alt-Svc: h2=":8081" header set to pass unauthenticated encryption over TLS via my h2o HTTP/2 server setup on port 8081. Checking Firefox 38's developer tools network headers you can clearly see http connections being passed and served via h2 protocol = HTTP/2
One thing I am not clear on in the article at Bits Up!: Opportunistic Encryption For Firefox is whether this means a total end to mixed content warnings in browsers that support Opportunistic Encryption? Will it be okay to have http and https mixed if http uses Opportunistic Encryption to pass the data over encrypted SPDY/3.1 or HTTP/2 server with Alt-Svc: h2 or SPDY/3.1 headers?
Edit: Patrick McManus from Firefox himself clarified OE and mixed content warnings. OE doesn't help with mixed content warnings.
Over the curl client the Alt-Svc: h2 header is seen but not used, as curl doesn't support Opportunistic Encryption. Firefox 37+ will though. Hoping Chrome and other major browsers support it too.
Code:
curl -I http://h2ohttp2.centminmod.com:82/flags.html
HTTP/1.1 200 OK
Date: Sun, 29 Mar 2015 00:52:36 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 63207
Last-Modified: Sat, 28 Mar 2015 04:51:44 GMT
Connection: keep-alive
Vary: Accept-Encoding
ETag: "55163360-f6e7"
Server: nginx centminmod
Expires: Sun, 29 Mar 2015 01:07:36 GMT
Cache-Control: max-age=900
Cache-Control: public, must-revalidate, proxy-revalidate
Alt-Svc: h2=":8081"
Accept-Ranges: bytes
Edit: looks like mixed content warnings still exist right now with Firefox 38 developer edition and Nginx http 82 passing data to h2o HTTP/2 TLS server on port 8081, despite the single flag on port 82 showing as secured over HTTP/2 = h2 protocol by Firefox.
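An added example, not part of the original posts: a small Python audit that reads a raw response header block like the curl output in the post above and lists every alternative service it advertises, so an operator can see which host and port a cleartext origin is telling clients to reconnect to. The function names and the sample input are constructed for illustration; the parsing assumes the `protocol="host:port"; ma=seconds` form of Alt-Svc (as in RFC 7838), and the origin host and port are passed in by the caller.

```python
import re

# Constructed sample: a subset of the response headers quoted in the post above.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx centminmod\r\n"
    'Alt-Svc: h2=":8081"\r\n'
    "Accept-Ranges: bytes\r\n"
)

# protocol-id="[host]:port" followed by optional ";name=value" parameters
_ENTRY = re.compile(r'([^=,;\s]+)="([^"]*)"((?:\s*;\s*[^;,]+)*)')


def parse_alt_svc(value, origin_host, origin_port):
    """Parse one Alt-Svc value into a list of advertised alternatives."""
    if value.strip().lower() == "clear":  # "clear" withdraws earlier entries
        return []
    entries = []
    for proto, authority, params in _ENTRY.findall(value):
        host, _, port = authority.rpartition(":")
        if not port.isdigit():
            continue  # malformed authority: ignore this entry
        ma = None  # max-age in seconds; None when no "ma" parameter was sent
        for param in params.split(";"):
            key, _, val = param.strip().partition("=")
            if key.lower() == "ma" and val.isdigit():
                ma = int(val)
        entries.append({
            "protocol": proto,
            "host": host or origin_host,  # empty host means the origin's host
            "port": int(port),
            "ma": ma,
            "same_host": not host or host.lower() == origin_host.lower(),
            "port_changed": int(port) != origin_port,
        })
    return entries


def audit(raw_headers, origin_host, origin_port):
    """List every alternative service a raw header block advertises."""
    found = []
    for line in raw_headers.splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "alt-svc":
            found.extend(parse_alt_svc(value, origin_host, origin_port))
    return found
```

Entries with `same_host` set to False or an unexpected port are the ones worth reviewing against the server configuration that is supposed to emit the header.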
More info: The state and rate of HTTP/2 adoption
Firefox Opportunistic Encryption is now out with Firefox 37 via AltSvc H2 header
Firefox 37 Coming Today With Heartbeat, HTTPS Bing - Phoronix
More on Firefox new version and Opportunistic Encryption:
New Firefox version says “might as well” to encrypting all Web traffic | Ars Technica
Looks like Firefox disabled Opportunistic Encryption in 37.01
Mozilla Firefox 37.0.1 Out Now, Disables HTTP/2 AltSvc and Fixes Bugs - Softpedia
flaw: Certificate verification bypass through the HTTP/2 Alt-Svc header — Mozilla
hmm Nginx's own road map has HTTP/2 due in 13 months in 1.9 mainline Roadmap – nginx ? with Nginx 1.8.x due in 2 weeks time.
Ilya Grigorik's slide presentation on HTTP/2 at VelocityConf HTTP/2 is here, let's optimize! - Velocity SC 2015 - Google Slides
Sadly not with 1.9.2
Roadmap – nginx
Milestone: 1.9.2
Due in 6 days (Jun 16, 2015 6:00:00 PM)
Status: scheduled
Trunk: mainline
stream modules
addons
OCSP stapling fix
config dump
First screenshot of Nginx with HTTP/2 posted on twitter https://twitter.com/nginxorg/status/611571433353777152
First Nginx HTTP/2 Alpha patches out Nginx - First Alpha Patch for Nginx HTTP/2 support | Centmin Mod Community
With SPDY well supported still: Can I use... Support tables for HTML5, CSS3, etc
I'd stick with it for now instead of enabling HTTP/2 when only modern browsers support it.