It is not what the linked post announces. Quoting:
We currently are implementing SPDY/v2, due to the availability of browser support and the immediate gains we expect to reap. Although we have not run SPDY in production yet, our implementation is almost complete and we feel qualified to comment on SPDY from the implementor's perspective. We are planning to deploy SPDY widely at large scale and will share our deployment experiences as we gain them.
Forced SSL is not a problem for big sites like FB and medium size sites, but it is incredibly problematic for the small sites with less than a couple of thousand visitors per month, in effect it means that SPDY (and eventually HTTP 2.0 unfortunately) will remain a bonus for the elite web sites while the majority of the smaller web sites will remain on HTTP 1.1 "forever".
Yeah, I'm aware that some providers like StartSSL hands out free SSL certificates, but I don't think it's a good sign of things to come that you need to hand over sensitive personal information in order to use the latest generation of a fundemental web technology. You'll also need a dedicated IP, which costs money and is becoming increasingly scarce and expensive.
I actually run a small web host for my clients and all of them have denied my offer to install a free SSL from StartSSL in order to get SPDY because of the privacy concerns and the extra cost of the dedicated IP they're required to get.
It's a shame that a large majority of the web sites on the net will become stuck on an old technology just because of an arbitrary requirement for encryption even though they have nothing to secure anyway.
The problem is the conflation of security and identity. You need security to guarantee identity, but not the other way around. I see no reason that we can't have encrypted connections without identity.
Ssh has basically solved this. If you're like 99% of ssh users, you just accept the key the server gave you without verification. Your browser could do the same on the web -- just accept the server certificate and then indicate to you that the connection is secure but the servers identity is not verified.
This solves pretty much all the issues you bring up.
And if http 2 required it,then even better, because all the server would support it and all the clients would too.
That solution simply does not work. If your browser will accept the certificate that the server presents, anyone can pretend to be anyone and your browser will accept it. Enforcing identity is just as important as encrypting the connection.
You can do that identity enforcement through some scheme (accept-first-time, or web-of-trust, or something else) but they all have significant downsides. It's not an easy problem.
Most browsers let you accept a particular certificate for a particular site already, just like SSH, so you can already have this if you want. Part of the reason it works so well for SSH, though, is "security through unpopularity": you don't have large numbers of naïve users doing online banking at Starbucks over SSH. If SSH became more popular, you'd need to verify the fingerprint, and then you're back to square one ("If I have a secure channel with which to verify the identity of the SSH key, why not just use this same channel to establish the secure session?").
I hope that deployment of SPDY with smaller sites (and the problems that appear with that) might help kill the CA extortion scheme in favor of something decentralized (convergence.io is one experiment in that direction).
Every mass hoster (incl. those $9/mo PHP hosts) is affected eventually...
SNI or a dedicated IP is not required if you use a single certificate with multiple domain names.
Also you don't really hand over more sensitive personal details than you already provide to most web hosting companies. The only additional requirement was a copy of my personal id.
Finally, Chrome does support self-signed certificates authenticated using DNSSEC and there is work going on to make that a standard (DANE).
Preventing intermediate routers from screwing with the protocol is a higher priority. Microsoft already has an embrace-extend-extinguish proposal aimed at mobile networks, and that could easily make the protocol unusable. The websocket handshake required a ridiculous number of iterations to not trigger bugs in middleboxes. As a nice side effect, encryption everywhere removes some of the payoff for traffic interception by ISPs, like BT's attempted deployment of Phorm adware.
Yea, Microsoft Speed+Mobility don't have the SSL requirement, because it is based on WebSockets which already have done the work (masking etc.) to deal with bad middleboxes. And SPDY and WebSockets was developed at the same company (Google), yet it is MS that realized both can be combined together.
Serving multiple SSL websites on different domains on the same IP address requires the SNI extension and much fiddling around; it is ill-supported by old browsers. This is needed because with HTTPS, the header that tells the server which site to serve is still encrypted when the server needs to direct the request to the relevant application code. IPv6 will fix this by allowing you to easily give each application on your server its own IP as well as its own domain. This is simply because IPv6 creates a lot more addresses so we won't have to ration them like we do now.
There is no issue with IP addresses and SPDY perse. It's just that for SSL encryption (HTTPS) to work currently you would need your own IP address as older browsers (read IE < 8 on windows XP) don't support the SNI method of setting up HTTPS where you don't need your own IP address.
SPDY uses SSL and as it stands anything that doesn't support SNI will only accept one SSL certificate on one IP address. So if you run n certs on the same box you'd need n IP addresses.
It's great to see how such a fundamental change in how browsers and servers communicate can get rolled out so quickly! I would have guessed that this sort of thing would require many more years of effort than it did.
The author of the post, however, does seem to misunderstand SPDY's server push feature. He states that Facebook requires a substitute for long-polling for low-latency message delivery, and seems to think SPDY provides this. Unless I'm mistaken and there's some Javascript API available, server push is merely for cache-priming and reducing latency of requested objects alongside a regular pageload (eg, push the CSS and images along with an html page).
I think this is a beautiful example of competition at work. Google Chrome enabled them to forge ahead of the other browsers to scratch their own itch. Facebook evaluated their work and it checked out, so it will become the defecto standard as others join in using it. Thus, standardiztions committees avoid clean room engineering and instead formalize proven implementations for broader distribution.
As a side note, "defecto standard" is a great turn of phrase which seems to never have been used intentionally. Googling it results in pages and pages of very serious documents which intended to use "de facto standard".
I believe that comment by Doug is not referring to "SPDY server push" specifically, but is instead making a broader argument for a need to standardize a push mechanism for HTTP 2.0.
In theory, SSE/WebSockets should be able to fill in that gap (based on his described use case).
On a side note: if you use Google AppEngine, you already have SPDY support (as long as you visit your app via SSL, which usually requires the .appspot.com domain). Of course, if some services you use aren't served via SSL (I'm looking at you, Disqus!), then you get the big ugly 'mixed content' warning.
Moral of the story: if you run a web service with an API or embedded javascript module, make sure the entire stack can be run over SSL!
> "SPDY's header compression is a good, general-purpose solution, and gzip is a good starting point, but we would prefer to see a more lightweight compression algorithm for the HTTP/2.0 standard."
"For instance, compared to the fastest mode of zlib, Snappy
is an order of magnitude faster for most inputs, but the
resulting compressed files are anywhere from 20% to 100%
bigger."
Although
we have not run SPDY in production yet, our implementation is almost
complete and we feel qualified to comment on SPDY from the
implementor's perspective.
We currently are implementing SPDY/v2, due to the availability of browser support and the immediate gains we expect to reap. Although we have not run SPDY in production yet, our implementation is almost complete and we feel qualified to comment on SPDY from the implementor's perspective. We are planning to deploy SPDY widely at large scale and will share our deployment experiences as we gain them.