Yet another upgrade, blah blah, will we care? And anyway, in which century will it appear? Well, first off, it's here! And secondly, as a purveyor of websites, probably not, but if you have an interest in online publishing or advertising, then yes, and probably far more than you think!

What is it?

Fundamentally, it's advertised as a whole bunch of tweaks rolled up into a 'new protocol' that makes the Internet faster and more secure. In reality, it looks like 'make everything HTTPS' in sheep's clothing.

Although at first sight it's a way to make communications secure without having to pay for SSL certificates, and potentially without the performance hit of processing SSL, actual implementations on the ground all involve SSL and real certificates.

How do I know when HTTP2 is active?

The easy answer is to head over to Chrome's extensions page (you are using Chrome, right?) and install the HTTP2 / SPDY indicator. When you hit a site that's using SPDY, you'll see a green lightning bolt in the top right of the address bar; if that bolt is blue, you're looking at an HTTP2 site. If you want to check, this site is http2, as is Google's search page.
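If you'd rather not rely on a browser extension, the same information is available on the wire: browsers and servers agree on HTTP/2 through the TLS ALPN extension, where the server picks "h2" if it supports it. The following is an added example (not from the original post) that performs that handshake from the command line with Python's standard library; the default host is just a placeholder and any HTTPS hostname can be passed instead.

```python
"""Check HTTP/2 support the way a browser does: offer "h2" via TLS ALPN and see what the server picks."""
import socket
import ssl
import sys


def negotiated_alpn(host, port=443, timeout=5.0):
    """Open a TLS connection offering h2 then http/1.1; return (selected ALPN, TLS version).

    The default context verifies the certificate chain and hostname, so a site with a
    broken or self-signed certificate raises ssl.SSLCertVerificationError here, which is
    the same failure the red 'https' in the address bar reflects.
    """
    ctx = ssl.create_default_context()
    ctx.set_alpn_protocols(["h2", "http/1.1"])  # client preference order, as Chrome sends it
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.selected_alpn_protocol(), tls.version()


def describe(alpn):
    """Translate the server's ALPN choice into what the browser indicator would show."""
    if alpn == "h2":
        return "HTTP/2 over TLS (the extension's blue bolt)"
    if alpn == "http/1.1":
        return "HTTP/1.1 over TLS only; no HTTP/2 offered by the server"
    return "no ALPN negotiated: HTTP/1.x, or a server that predates ALPN"


if __name__ == "__main__":
    # Placeholder default; pass any HTTPS hostname as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    alpn, version = negotiated_alpn(target)
    print(f"{target}: {version}, ALPN={alpn!r} -> {describe(alpn)}")
```

Run it as `python3 h2check.py yourdomain.example` after the NGINX changes further down; a server that negotiates "h2" is what the blue bolt in the extension is reporting.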

So how do I 'not' have to buy a certificate?

Well, what you need is a free SSL certificate provider. I'm using a company called SmartSSL, who will issue proper certificates on an annual basis for no charge. This is the difference between seeing https in red with a line through it in your address bar, plus a click-through warning for each user on their first visit to your site, and a nice clean green https with a padlock symbol and no warnings.

How hard is it to convert to HTTP2?

Depends. Here's a worked example for Ubuntu/Debian NGINX users. First you need to install the latest version of NGINX, which contains HTTP2 support. The easy way is via a PPA, like so:

# add-apt-repository ppa:chris-lea/nginx-devel
# apt-get update
# apt-get upgrade
# nginx -V
nginx version: nginx/1.9.5

Next you need to tweak your NGINX configuration. Typically this will be in /etc/nginx/sites-enabled/default, and if it isn't, that implicitly means you know where it will be. In your server section, look for the line that says listen 80; and then add the following:

 ssl_certificate /etc/nginx/ssl/unified.crt;
 ssl_certificate_key /etc/nginx/ssl/ssl.key;
 ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 listen 443 ssl http2;

Do not be tempted to add the line ssl on; it's not needed, and indeed if you have a listen 80 in the same section, ssl on will break it!

You can generate the ssl.key and unified.crt files based on the instructions provided by SSLStart (at no charge), then you need:

service nginx configtest
service nginx restart # assuming the previous command was error free
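The steps above have two traps that configtest will not catch for you: an `ssl on;` sitting next to the `listen 80;` (which breaks plain http, as noted), and a TLS listener without the `http2` flag (which silently gives you HTTP/1.1 over TLS). Below is an added example, not code from the original post, that lints a server block for exactly those points plus the certificate directives. The server blocks in it are constructed samples built from the directives above; the deprecated-protocol check reflects RFC 8996, which retired TLS 1.0 and 1.1 in 2021, long after the configuration shown here was written.

```python
"""Lint an nginx server block for the HTTP/2-over-TLS setup described above.

Added example, not code from the original post. Server blocks below are constructed
samples; the deprecated-protocol list follows RFC 8996 (TLS 1.0/1.1 retired in 2021).
"""

# Constructed sample: the post's directives, with the "listen 80;" that was already there.
SAMPLE_FROM_POST = """
server {
    listen 80;
    listen 443 ssl http2;
    ssl_certificate /etc/nginx/ssl/unified.crt;
    ssl_certificate_key /etc/nginx/ssl/ssl.key;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
"""

# Constructed sample: the pitfall the post warns about, "ssl on;" beside "listen 80;".
SAMPLE_SSL_ON = """
server {
    listen 80;
    ssl on;              # forces TLS on the port-80 listener too, so plain http breaks
    listen 443 http2;
    ssl_certificate /etc/nginx/ssl/unified.crt;
    ssl_certificate_key /etc/nginx/ssl/ssl.key;
}
"""

# Constructed sample: the post's block with only current protocol versions enabled.
SAMPLE_HARDENED = SAMPLE_FROM_POST.replace("TLSv1 TLSv1.1 TLSv1.2", "TLSv1.2 TLSv1.3")

DEPRECATED_TLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def parse_directives(block):
    """Return (name, args) for each 'name arg ...;' line; comments and braces are skipped.

    Deliberately simple: one directive per line, no nested blocks, '#' always a comment.
    """
    directives = []
    for raw in block.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.endswith(";"):  # blank lines, 'server {' and '}' fall out here
            continue
        parts = line[:-1].split()
        directives.append((parts[0], parts[1:]))
    return directives


def port_of(listen_args):
    """'443', '0.0.0.0:80' or '[::]:443' -> the port as a string."""
    return listen_args[0].rsplit(":", 1)[-1]


def check_server_block(block):
    """Return a list of findings; an empty list means the block passes every check."""
    findings = []
    d = parse_directives(block)
    names = {name for name, _ in d}
    listens = [args for name, args in d if name == "listen"]
    ssl_on = any(name == "ssl" and args == ["on"] for name, args in d)
    tls_listens = [args for args in listens if "ssl" in args]
    plain_80 = any(port_of(a) == "80" and "ssl" not in a for a in listens)

    if ssl_on and plain_80:
        findings.append("'ssl on;' next to a plain 'listen 80;' breaks the http listener; "
                        "remove it and put 'ssl' on the 443 listen directive instead")
    elif ssl_on:
        findings.append("'ssl on;' is unnecessary; 'listen 443 ssl http2;' already enables TLS")

    if not tls_listens and not ssl_on:
        findings.append("no TLS listener: browsers only negotiate HTTP/2 over TLS")
    for args in tls_listens:
        if "http2" not in args:
            findings.append(f"'listen {' '.join(args)};' lacks the http2 flag")

    if tls_listens or ssl_on:
        for required in ("ssl_certificate", "ssl_certificate_key"):
            if required not in names:
                findings.append(f"TLS enabled but '{required}' is missing")

    for name, args in d:
        if name == "ssl_protocols":
            weak = sorted(set(args) & DEPRECATED_TLS)
            if weak:
                findings.append("ssl_protocols enables deprecated versions: " + ", ".join(weak))
    return findings


if __name__ == "__main__":
    samples = (("post", SAMPLE_FROM_POST), ("ssl on", SAMPLE_SSL_ON), ("hardened", SAMPLE_HARDENED))
    for label, block in samples:
        print(label, "->", check_server_block(block) or ["ok"])
```

Run against the post's own block it reports only the TLSv1/TLSv1.1 entries; against the `ssl on;` variant it reports the broken port-80 listener; the hardened variant comes back clean. It reads a single server block as text, so point it at the `server { ... }` section you edited rather than the whole nginx.conf.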

And you're off! Now access your site via https rather than http and you should see a green padlock against the https:// and a blue lightning bolt in the top right of your address bar.

But Why?!

Ok, so I sort of side-stepped the point.

  1. Google weights search results by site security, so you will get better positioning in search results from being seen via https://
  2. Google weights search results by site speed, so once you have the security in place, the other tweaks rolled into http2 will give you better performance than plain SSL sites (and hence better positioning)
  3. When secure sites want to link to your site, or include resources from it, they no longer reference insecure locations and so appear more secure themselves; they are therefore more likely to link to you, and their outbound links will give you better search result positioning.
  4. You no longer have to worry about people sniffing passwords when you (or anyone else) log into your site.

All in all, http is becoming looked down upon in terms of validity and integrity with regard to the rest of the Internet. As you may (or may not) have noticed, Google is now 100% https (well, from what I see, they're actually 100% http2), and that includes their advertising infrastructure. You will also notice that both Twitter and Facebook now default to SSL, Twitter using full http2 and Facebook using SSL with SPDY extensions (which you could call http1.5), but you can see where this is going: http is destined to become a second-class citizen, if it isn't already.

So it's not a case of keeping up with the Joneses; http2 is something worth looking at sooner rather than later, especially if you care about where you appear in Google search results!