The imminent death of HTTP/1.1 and its risks are not understood


Let's Encrypt had an outage today, and websites progressively started disappearing from the web. It serves 60% of the websites in the world, so no wonder the world noticed.

And if you think we can still deploy plain-HTTP websites, you are wrong, because browsers:

  • show any website served over HTTP as explicitly "not secure" in the address bar
  • restrict many web APIs to "secure" contexts
  • upgrade mixed content, so that HTTPS sites cannot request HTTP-only resources
  • increasingly try HTTPS first even when a site is linked or typed as HTTP
  • warn about downloads over HTTP

and browsers will keep phasing out HTTP over time.

Moreover, according to Cloudflare Radar, HTTP/1.1 is used less than 10% of the time, and since HTTP/2 and HTTP/3 have TLS baked into their specifications, the chances of quickly falling back to unencrypted HTTP connections are slim.

The last stab in the back of HTTP/1.1 is the family of HTTP/1.1 desync (request smuggling) attacks, joyfully popularized by James Kettle at DEF CON and Black Hat.
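A defender-side illustration of the framing ambiguity those desync attacks rely on, added here as example code (not from the post, and not Kettle's tooling): it inspects the head of a raw HTTP/1.1 request for conflicting or malformed Content-Length / Transfer-Encoding headers, the conditions under which two HTTP/1.1 implementations can disagree about where one request ends and the next begins. The sample requests and the `example.test` host are constructed.

```python
import re

# Minimal parser for the head of a raw HTTP/1.1 request. Returns
# (raw_name, normalized_name, value) so oddly formatted names remain visible.
def parse_headers(raw: bytes) -> list[tuple[str, str, str]]:
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        if line:
            name, _, value = line.partition(":")
            headers.append((name, name.strip().lower(), value.strip()))
    return headers

def framing_ambiguities(raw: bytes) -> list[str]:
    """Return the body-framing ambiguities a front-end proxy and a back-end
    server could resolve differently; an empty list means framing is unambiguous."""
    headers = parse_headers(raw)
    cls = [v for _, n, v in headers if n == "content-length"]
    tes = [v for _, n, v in headers if n == "transfer-encoding"]
    issues = []
    if cls and tes:
        issues.append("both Content-Length and Transfer-Encoding present")
    if len(set(cls)) > 1:
        issues.append("conflicting Content-Length values")
    if any(not re.fullmatch(r"[0-9]+", v) for v in cls):
        issues.append("non-numeric Content-Length")
    for raw_name, n, _ in headers:
        if n in ("content-length", "transfer-encoding") and raw_name != raw_name.strip():
            issues.append(f"whitespace around header name {raw_name!r}")
    for v in tes:
        tokens = [t.strip().lower() for t in v.split(",")]
        if any(not re.fullmatch(r"[a-z0-9-]+", t) for t in tokens):
            issues.append(f"malformed Transfer-Encoding value {v!r}")
        elif "chunked" in tokens and tokens[-1] != "chunked":
            issues.append("chunked is not the final Transfer-Encoding")
    return issues

# Constructed sample requests (not from the post). CL_TE carries the classic
# Content-Length plus Transfer-Encoding pair that two parsers may frame differently.
CLEAN = b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello"
CL_TE = (b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 6\r\n"
         b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
SPACED = b"POST / HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding : chunked\r\n\r\n"

if __name__ == "__main__":
    for label, req in (("clean", CLEAN), ("cl_te", CL_TE), ("spaced", SPACED)):
        print(label, framing_ambiguities(req))
```

A reverse proxy that rejects (rather than normalizes) any request with a non-empty result removes the disagreement before it reaches a back-end.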

HTTP/1.1 is dying and the decentralized nature of the web is dying with it.
