Which is quite bad. I don't understand why/who lobbied to implement it that way in Firefox. Can someone disclose the decision-making behind this? It would help devs a lot if HTTP/2 works without TLS too.
All the main browsers want to encourage HTTPS everywhere. They're taking a number of initiatives to encourage it, some are carrots, some are sticks.
Mostly it's ending up as the stick, e.g. "You can only get these major performance advantages over HTTPS". Soon there is an intent to specifically call out non-HTTPS content very prominently in the browser, even more so than HTTPS content was ever called out back when that was introduced.
Yes, exactly. But why? What's the agenda? Why now? It's not like Amazon.com was broken between 1996 and 2016. There is a push to HTTPS at all costs, even if things (ad networks, devs, software) are not ready, and is there even a need for 100% TLS? That an open source browser is engaged in such an initiative is not good. With HTTP you can be anonymous, and most website visits aren't mission-critical things. With HTTPS your traffic is quite unique and the players with big money have the resources anyway, there TLS is no big thing as we learned in the last few years. So which think tank or whatever is behind this initiative?
>there TLS is no big thing as we learned in the last few years
Citation? We've learned what has always been thought to be true: Encryption works very well and intel collectors need to resort to attacking other aspects. TLS has had its share of flaws but it's still very much a "big thing" to defeat.
The problem is, basically, middleboxes. It's unfortunately still common to intercept HTTP connections and redirect them to some sort of caching proxy, and some of these proxies will misbehave when seeing HTTP/2 on the wire, causing hard-to-diagnose connection issues. It's even worse when firewalls are involved, since they can get confused easily and will drop the connection (manifesting as a hang in the browser) in that case.
With TLS, not only is it less common for the connection to be intercepted, but also a MITM proxy which doesn't understand HTTP/2 won't negotiate it with either end, transparently falling back to HTTP/1.1. And firewalls will only see the outer TLS protocol.
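The fallback described in the comment above can be modelled in a few lines. This is an added example, not code from the thread or from any browser or proxy: it decodes an ALPN protocol list (RFC 7301), shows both handshakes of a TLS-terminating proxy settling on HTTP/1.1, and contrasts that with an HTTP/1.x-only cleartext parser meeting the HTTP/2 connection preface. The function names, the sample ALPN bytes and the middlebox model are assumptions made for illustration.

```python
import re

# Client connection preface that opens every HTTP/2 connection (RFC 9113).
H2_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"
# Constructed sample: ALPN extension body from a client offering h2, then http/1.1.
CLIENT_ALPN = b"\x00\x0c\x02h2\x08http/1.1"

def parse_alpn(ext: bytes) -> list[str]:
    """Decode an RFC 7301 ProtocolNameList: u16 total length, then u8-length-prefixed names."""
    if len(ext) < 2 or int.from_bytes(ext[:2], "big") != len(ext) - 2:
        raise ValueError("ALPN list length mismatch")
    names, i, body = [], 0, ext[2:]
    while i < len(body):
        n = body[i]
        if n == 0 or i + 1 + n > len(body):
            raise ValueError("malformed protocol name")
        names.append(body[i + 1:i + 1 + n].decode("ascii"))
        i += 1 + n
    return names

def select_alpn(offered, supported):
    """Server-side choice: first locally supported protocol the peer offered, else None."""
    return next((p for p in supported if p in offered), None)

def through_tls_proxy(client_ext, proxy_protos, origin_protos):
    """An intercepting proxy terminates TLS, so there are two handshakes, and each
    one can only agree on a protocol the proxy itself implements."""
    to_client = select_alpn(parse_alpn(client_ext), proxy_protos)
    to_origin = select_alpn(proxy_protos, origin_protos)  # proxy offers only what it speaks
    return to_client, to_origin

HTTP1_REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/1\.[01]\r\n")

def http1_middlebox_accepts(first_bytes: bytes) -> bool:
    """Hypothetical cleartext middlebox that only understands an HTTP/1.x request line."""
    return HTTP1_REQUEST_LINE.match(first_bytes) is not None

if __name__ == "__main__":
    origin = ["h2", "http/1.1"]
    print(through_tls_proxy(CLIENT_ALPN, ["http/1.1"], origin))        # legacy proxy
    print(through_tls_proxy(CLIENT_ALPN, ["h2", "http/1.1"], origin))  # h2-aware proxy
    print(http1_middlebox_accepts(H2_PREFACE))                         # cleartext HTTP/2
```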
In addition to browsers wanting to push HTTPS adoption, there was concern over how middleboxes would deal with it. HTTP/2 is very different on the wire than HTTP/1 and middleboxes are known to be extraordinarily horrible at handling new protocols gracefully.
Just some random places to start to see why the major web browsers are not going to spend any time on non-encrypted protocols. A lot of devs need to help themselves and move to encrypted connections before they are forced at browser-point.