> Internet Explorer people have expressed that they intend to also support the new protocol without TLS, but when they shipped their first test version as part of the Windows 10 tech preview, that browser also only supported HTTP/2 over TLS. As of this writing, there has been no browser released to the public that speaks clear text HTTP/2. Most existing servers only speak HTTP/2 over TLS.

I'm hoping it will stay this way. Defaults are important, so it's the platforms' responsibility to support and enforce the "safer" options.

> The fact that it didn’t get in the spec as mandatory was because quite simply there was never a consensus that it was a good idea for the protocol. A large enough part of the working group’s participants spoke up against the notion of mandatory TLS for HTTP/2. TLS was not mandatory before so the starting point was without mandatory TLS and we didn’t manage to get to another stand-point.

Which is interesting, because I remember quite clearly the "Snowden discussion" at the IETF, and there was consensus for an "encrypt everything Internet".

> There is a claimed “need” to inspect or intercept HTTP traffic for various reasons. Prisons, schools, anti-virus, IPR-protection, local law requirements, whatever are mentioned.

Right. So IETF made it non-mandatory so law enforcement can get their "master keys" in a way. Also, this "anti-virus" kind of protection is basically what Superfish was. I'd rather that kind of behavior was stopped.

IETF had better start actually becoming useful and come up with ways to replace the CA system over the next few years, instead of taking protocols from others and ruining them as they standardize them. Otherwise we should rethink a new model for standardization if IETF is as useless/malicious as it is right now.