HTTP2 + Let's Encrypt

Thank you for everyone’s hard work. I installed my Let’s Encrypt certificate today, HTTPs is running smoothly:

wait a sec how can HTTPS be this much faster than HTTP? I mean it’s encrypted. theoretically it should be slower, because of the crypto, key handling and so on

The handshake only happens once. HTTP/2 has a number of performance improvements over HTTP/1.1 to the point that the encryption overhead is irrelevant. Daniel Stenberg, the author of curl, has an excellent introduction to HTTP/2: http2 explained - The HTTP/2 book

@AnthumChris you should maybe make a comparison between HTTP normal, HTTPS1 and HTTPS2, because your page suggests that HTTPS is faster in general, which probably isnt really the case, and most is probably dont by HTTP2, so the “HTTPS is faster” might be misleading.

@My1 no i think that he is correct.
He is correct you only have one SSL-Handshake.

1. HTTP2 requires SSL therefore once SSL-Handhshake
2. It use compression.
3. It use pipelining (not only serial like http/1.1 but with stream in parallel).
   So as long as you do not have an single request like with your ACME client he is correct for most of the practical use cases.

well handshake is only once true but all data is still encrypted on the server and has to be decrypted again on the client.

and @mholt said that in HTTP2 the overhead gets irrelevant because HTTP2 has been seriously optimized but the question is cant pretty much all optimizations that can be done in HTTPS1 also be done in HTTP1? that’s why I’d love an HTTP1 vs HTTPS1 vs HTTPS2 “battle”.

but WHY THE HELL does HTTP2 require HTTPS?

1. With hardware support you can get over 2GB/sec with AES-128-GCM (see
   https://calomel.org/aesni_ssl_performance.html)
2. There is an “debug” protocol named HTTP/2c with cleartext so no encryption.
   But with http/2 there was already the start of encrypt everything movement.
   And only since there are admins to stupid to setup their server correctly we switched back to http for the http challenge.

Because new protocols tend to be garbled by middle boxes and thus are more successful with encryption: Support h2c (HTTP/2 without TLS) · Issue #59 · bradfitz/http2 · GitHub

This is all explained in the document I linked to above; I suggest reading it.

yup HTTP2 based SSL is awesome. My Nginx auto installer’s stack also uses HTTP/2 by default for HTTPS and my Letsencrypt integration

• http://centminmod.com/http2-nginx.html
• http://centminmod.com/letsencrypt-freessl.html
• Nginx HTTP/2 vs SPDY vs HTTP/1.1 benchmarks I did last http://centminmod.com/http2-versus-spdy-nginx.html#http2version2 on my World Country Flags HTTP/2 Demo site
• HTTP/2 benchmarks against OpenLiteSpeed vs H20 servers via https://h2ohttp2.centminmod.com/flags.html. Result summary https://h2ohttp2.centminmod.com/webpagetests1.html

visual proof HTTP/2 rocks

@My1 You make a great point. As engineers, we understand the technical complexities of HTTP protocols and what’s under the hood. However, this site was intended for a non-technical audience and influence decision-makers to prioritize the encryption of their websites. It’s part of a campaign to increase privacy and performance.

SSL is not a requirement per the HTTP/2 spec. However, some browser manufacturers decided that their browsers won’t allow unencrypted HTTP/2 connections.

indeed on Nginx for me fastest to slowest is

1. Nginx HTTP/2 (HTTPS) + ngx_pagespeed
2. Nginx HTTP/2 (HTTPS) almost ties with Nginx HTTP/1.1 + ngx_pagespeed
3. Nginx HTTP/1.1 no ngx_pagespeed
4. Nginx HTTPS no HTTP/2

My Centmin Mod LEMP stack natively integrates ngx_pagespeed module too

okay probably I was a bit unclear about it, I got this one but why do browsers want SSL for HTTP2, I mean before LE came, certs were either expensive and/or annoying to get...

Irony: your site attempts to provide HTTP/2 to browsers, but doesn’t even support ALPN, and negotiating HTTP/2 with a deprecated NPN makes little sense to me.

I am on the Chrome development channel, and your site tells me I don’t support SPDY (should be replaced with HTTP/2, obviously). Because Chrome dev already has HTTP/2 over NPN disabled.

Recently Chromium devs have decided to re-enable it, so you’re lucky:

Your inconsistent HTTP/2 support is also immortalized here:

This wasn’t specifically directed at you since other people on the thread made similar statements about the encryption being a requirement for HTTP/2.

Some of the arguments were in line with that the streams within the HTTP/2 connections shouldn’t be tampered and make sure there wouldn’t be proxy involvement due to foreseeable problems with them.

another reason for SSL + HTTP/2 - Googlebot will soon talk HTTP/2 Why Everyone Should Be Moving To HTTP/2

HTTPS With HTTP/2
While HTTP/2 supports both secure and non-secure connections, both Mozilla Firefox and Google Chrome will only support HTTP/2 over HTTPS. Unfortunately, this means that many sites that want to take advantage of HTTP/2 will need to be served over HTTPS.

Fortunately, there are new initiatives such as Let’s Encrypt, which goes into public beta on December 3, 2015. Let’s Encrypt is a new certificate authority that is providing free security certificates for websites. It’s a great initiative towards a more secure web.

enjoy