While the HTTP/2 standard itself does not technically mandate the use of SSL/TLS encryption, in practice, almost all browsers require SSL/TLS to connect to an HTTP/2 server, making it effectively mandatory.
Understanding the HTTP/2 Specification vs. Browser Reality
The formal specification for HTTP/2 (RFC 7540) defines two main ways to negotiate an HTTP/2 connection:
- `h2c`: HTTP/2 over a cleartext TCP connection (without TLS).
- `h2`: HTTP/2 over TLS (encrypted connection).
The standard allows for unencrypted HTTP/2 (`h2c`). However, this is where the practical reality diverges significantly from the specification.
As highlighted by F5 Networks, "While HTTP/2 did not explicitly change the security requirements for HTTP, almost all browsers that use HTTP/2 require SSL/TLS to be enabled at the website, which makes it mandatory for all intents and purposes."
This means that even though the standard permits `h2c`, mainstream web browsers will typically only initiate HTTP/2 connections using the `h2` method, which requires TLS encryption.
Why Browsers Mandate SSL/TLS for HTTP/2
Browsers enforce the use of TLS with HTTP/2 primarily for security and interoperability reasons:
- Enhanced Security: TLS provides encryption, data integrity, and authentication, protecting users from eavesdropping, tampering, and man-in-the-middle attacks.
- Interoperability and Deployment: Relying on TLS for the transition allows clients and servers to negotiate HTTP/2 using existing TLS mechanisms (like ALPN - Application-Layer Protocol Negotiation), simplifying deployment compared to cleartext upgrade mechanisms.
- Privacy: Encrypting traffic is increasingly seen as a fundamental requirement for user privacy on the web.
Practical Implications for Website Owners
For anyone operating a website or web service today, enabling HTTP/2 effectively means you must deploy SSL/TLS.
Here's what that entails:
- Obtain an SSL/TLS Certificate: Acquire a valid certificate from a Certificate Authority (CA) or use a free option like Let's Encrypt.
- Install and Configure: Install the certificate on your web server (e.g., Apache, Nginx, LiteSpeed) or CDN.
- Enable HTTP/2 and TLS: Configure your server or CDN to support HTTP/2 over TLS (`h2`).
- Redirect HTTP to HTTPS: Ensure all traffic is redirected from `http://` to `https://` to enforce the secure connection.
Failing to implement SSL/TLS will result in browsers falling back to HTTP/1.1, even if your server is configured to support HTTP/2.
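The ALPN negotiation described above, and the HTTP/1.1 fallback that follows when `h2` is not selected, can be verified directly. The following is an added example (not code from the original page or from any server vendor): `select_alpn` models the server-side ALPN choice from RFC 7301 (the server picks the first protocol in its own preference order that the client also offered), `effective_http_version` maps the negotiated value to the HTTP version a browser will actually speak, and `probe_alpn` opens a real TLS connection to a host of your choosing, offering `h2` and `http/1.1` the way a browser does, and reports what the server selected. The host name and port are assumptions you supply on the command line; the function and variable names are this example's own.

```python
import socket
import ssl
import sys

# IANA-registered ALPN identifiers. Note that "h2c" is never sent via ALPN:
# cleartext HTTP/2 uses the HTTP/1.1 Upgrade header instead.
H2 = "h2"
HTTP11 = "http/1.1"


def select_alpn(server_preferences, client_offered):
    """Server-side ALPN choice (RFC 7301): return the first protocol in the
    server's preference order that the client also offered, or None when
    there is no overlap (the server then either fails the handshake or
    continues without ALPN)."""
    offered = set(client_offered)
    for proto in server_preferences:
        if proto in offered:
            return proto
    return None


def effective_http_version(negotiated):
    """Map an ALPN result to the HTTP version the client will use.
    Browsers speak HTTP/2 only when 'h2' was negotiated; anything else,
    including no ALPN at all, falls back to HTTP/1.1."""
    return "HTTP/2" if negotiated == H2 else "HTTP/1.1"


def probe_alpn(host, port=443, timeout=5.0):
    """Connect over TLS offering h2 and http/1.1 (browser-like order) and
    return the protocol the server selected, or None if it selected nothing.
    Certificate verification is left enabled, as a browser would do."""
    ctx = ssl.create_default_context()
    ctx.set_alpn_protocols([H2, HTTP11])
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.selected_alpn_protocol()


if __name__ == "__main__":
    # Hypothetical usage: python probe.py example.com 443
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    result = probe_alpn(target, target_port)
    print(f"{target}:{target_port} ALPN={result!r} -> {effective_http_version(result)}")
```

If the probe reports `ALPN='http/1.1'` or `ALPN=None` after you have enabled HTTP/2 on the server, the usual causes are that HTTP/2 is enabled only on the cleartext listener, that the TLS listener was not configured for `h2`, or that a CDN or load balancer in front of the origin is terminating TLS without advertising `h2` itself.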
Summary of HTTP/2 and SSL/TLS Relationship
Aspect | Standard Requirement | Practical Reality (Browsers) | Outcome for Websites |
---|---|---|---|
Encryption | Optional (`h2c`) | Required (`h2`) | Effectively Mandatory |
Negotiation | Upgrade header or ALPN | Primarily ALPN over TLS | Requires TLS Setup |
Use Case | Possible for trusted internal networks | Standard for public internet | Needs SSL/TLS Cert |
In essence, while the spec says no, the internet says yes. To utilize the performance benefits of HTTP/2 for public-facing websites, SSL/TLS is a non-negotiable requirement due to browser implementations.