The certificate issue is a browser problem. Self-issued certificates are trivial to produce, and in the era of mandatory TLS they probably should not produce the huge scary browser warnings we see today. I'm not a UI expert, but I could envision a "medium severity" browser warning that states the connection is encrypted but the certificate can't be verified. I don't see the logic behind abandoning encryption entirely rather than tolerate some level of self-signed certificates.
> Limited choices.
Arguably the whole CA system is in need of serious reform. This is orthogonal to HTTP/2 and TLS.
> Encrypted browsing is simply unnecessary for certain classes of sites (non-logon, informational sites).
I could not disagree more. Encryption is--from an efficiency standpoint--literally just some bit-twiddling (after key exchange). The efficiency cost is trivial, the social benefits are enormous. It's very much worth it.
> It increases the barrier for entry to put a basic website up.
This is one advantage of baking it into the protocol. If the HTTP/2 implementation takes care of the details of encryption (including certificate generation if necessary), website authors don't need to be concerned with it. Everything will just work.
> Internal network communication becomes a lot harder with self-signed certificates.
As stated above, certificates are not barriers. If your network is "trusted", then why would you care if the certificates are self-signed? You are arguing instead to not use encryption at all! Do you see how backward this is?
>why would you care if the certificates are self-signed? You are arguing instead to not use encryption at all! Do you see how backward this is?
(I've chopped your quote a bit so that it applies to the internet in general rather than just a trusted network, which is what I think you're arguing for. Correct me if I'm wrong).
I do see how backward it is, but I don't think we have good enough solutions in place to protect against impersonated TLS. Users currently expect "safe and secure" from HTTPS, which is why there was a push to throw big scary warnings for non-authenticated TLS. Perhaps this is a UI problem, but until users are safely able to identify the difference between trusted connection and secure connection, I don't think we're ready for TLS everywhere without authentication.
If it is a problem that can be solved, it can be solved now.
I'm more concerned that my dad will have his banking session impersonated rather than his general browsing sessions snooped on after the fact. I would prefer that neither was possible, but I'm not aware of any good solution.
Actually, I think I've changed my mind after writing this. There can be two and only two states. HTTPS with authentication, and HTTPS without authentication. Authenticated can have the little lock symbol, non-authenticated would just look like regular HTTP does now. Then we just need to make the process of self-signed certificates easier to create and manage.
Your local network may be trusted, but self-issued certificates are effectively worthless to regular internet users, because they make MITM attacks trivial. This is the reason they have huge scary warnings.
Encryption without authentication and trust defeats passive snooping but does absolutely nothing to protect against MITM, which is a real and prevalent threat.
Setting HTTP/2 to encrypt everything but removing the big warnings that appear when trusted authenticity cannot be established would be a net security downgrade, because the lay user will trust their connection when they ought not.
> Encryption without authentication and trust defeats passive snooping but does absolutely nothing to protect against MITM, which is a real and prevalent threat.
Sure. But non-encryption leaves you vulnerable to both passive snooping and MITM.
> Setting HTTP/2 to encrypt everything but removing the big warnings that appear when trusted authenticity cannot be established would be a net security downgrade, because the lay user will trust their connection when they ought not.
How about only showing the padlock for certificated sites, and requiring a certificate when a secure request is made (http2s:// ?), but allowing encryption with a self-signed certificate for "insecure" URLs (http2://) and just not showing the padlock?
Exactly. An analogy is with password salting: you don't salt passwords because it makes the hashes unbreakable, you do it to increase the amount of work attackers have to do to successfully recover the passwords.
Even without verified certificates, mandatory TLS would require a MITM attacker to be present at the time of the connection (not passively record traffic and attack later) for every connection they wanted to snoop on. For a stateless protocol like HTTP, that's a massive amount of work to do if you want to snoop on any large scale. The increase in work required is probably even greater (relatively) than the increase achieved in the example of password salting (which is considered a security no-brainer)!
The certificate issue is a browser problem. Self-issued certificates are trivial to produce, and in the era of mandatory TLS they probably should not produce the huge scary browser warnings we see today. I'm not a UI expert, but I could envision a "medium severity" browser warning that states the connection is encrypted but the certificate can't be verified. I don't see the logic behind abandoning encryption entirely rather than tolerate some level of self-signed certificates.
> Limited choices.
Arguably the whole CA system is in need of serious reform. This is orthogonal to HTTP/2 and TLS.
> Encrypted browsing is simply unnecessary for certain classes of sites (non-logon, informational sites).
I could not disagree more. Encryption is--from an efficiency standpoint--literally just some bit-twiddling (after key exchange). The efficiency cost is trivial, the social benefits are enormous. It's very much worth it.
> It increases the barrier for entry to put a basic website up.
This is one advantage of baking it into the protocol. If the HTTP/2 implementation takes care of the details of encryption (including certificate generation if necessary), website authors don't need to be concerned with it. Everything will just work.
> Internal network communication becomes a lot harder with self-signed certificates.
As stated above, certificates are not barriers. If your network is "trusted", then why would you care if the certificates are self-signed? You are arguing instead to not use encryption at all! Do you see how backward this is?