While I can’t imagine them not doing that other than for technical reasons. One reason is that they are already experimenting with it: https://blog.cloudflare.com/test-all-the-things-ipv6-http2-sha-2/

But in practice it really doesn’t matter much.

Look at this blog, it’s already using SPDY. The protocol is very similar and the browser support is similar too. Pretty sure Cloudflare will implement HTTP/2 before browsers start dropping support for SPDY.

You and me both. I use Cloudflare here and can’t wait for them to add HTTP/2 support.

I almost feel guilty that I don’t yet have any suggestions on what is the best HTTP/2 server or proxy for different situations 😉

But the list is here:
https://github.com/http2/http2-spec/wiki/Implementations
http://www.haproxy.org/ is also useful it can determine the type of protocol and route to the right server.

No problem. Technology isn’t always easy and encryption is one of those technologies.

I forgot to mention https://letsencrypt.org/ is going to start their beta program soon. It’s really exciting. 🙂

They will allow you to have not only free certificates, but in an automated way.

This should really help with the burden of deploying HTTPS, because for example you don’t need to talk to different people in your organization to get your certificates, don’t need to worry about the certificates expiring (it automatically renews) and their tooling configures your server with the right settings.

Lennie,

I had a hunch you’ll share your suggestions here – thanks as always for the important feedback.

Here are some tips for making it easier for people to deploy HTTPS (which you need for HTTP/2) without having to know all the details.

Tip 1: Install a recent Linux distribution on your server (these have the openssl version you’ll need with all the fixes and features). Or use containers (Docker or LXC) to add a mini Linux server with a recent distribution to your server (you might want to use it as a proxy in front of your real webserver).

Information on how to configure your server:
https://wiki.mozilla.org/Security/Server_Side_TLS
https://istlsfastyet.com/

Where to get some free certificates:
http://www.startssl.com/ (for personal websites/non-commercial ?)
https://www.globalsign.com/en/ssl/ssl-open-source/ (for open source projects)
https://www.ohling.org/blog/2015/02/wosign-free-2y-ssl-certificate.html (free certificates from China)

How to check if your HTTPS configuration is correct:
https://www.ssllabs.com/ssltest/

And you should occasionally re-check with the ssltest site so you know you are still doing it correctly, because what might have been considered secure today, might not be tomorrow.