March 26, 2012

Why I don't like SPDY

Last week, at the user group meetup in Paris, there were quite a few discussions about SPDY. Currently Google is pushing for SPDY to turn into HTTP 2.0. I can't say I like it. There is one big problem with SPDY: SSL. SPDY mandates SSL, and that causes problems.

EDIT: There are a lot of really, really good things in SPDY. It solves problems that seem to be more or less impossible to solve in HTTP 1.1. We've seen tons of problems with just about every implementation of HTTP pipelining, which was the last real effort to speed up HTTP.

I like a free and open web

SPDY changes that. In order to operate a SPDY website you need an SSL certificate. SSL certificates are issued by a limited number of organizations.

Currently Iran is being blocked by SWIFT, so money transfers in and out of the country are more or less impossible. If SPDY were to become HTTP 2.0 and SSL were a hard requirement, there would be no way for some Iranian guy to set up a website. Google probably doesn't care much about this; they don't have issues getting SSL certificates. Other organizations might, and this concerns me. Should people with bad credit ratings be allowed to set up websites?

EDIT: There are free ways of getting a valid SSL certificate. However, this still doesn't change the principle of the web being less open. Getting clearance from any authority reduces the openness of the web, even if you don't have to pay someone.

The openness of the web is much of the reason for its success. We should fight hard to keep it open.

At some point in the future DNSSEC might change this, being a good transport for certificates. We'd get rid of those pesky CAs, which would further increase security on the web. Great, but it is currently too far into the future for us to rely heavily on it.

Compatibility

Since SPDY requires SSL, how are we supposed to handle the switch? Must we still have some HTTP/1.1 daemon listening on port 80 issuing redirects to port 443? That would introduce a couple of round trips before we actually start pushing content. Even if SPDY gives a significant speedup, a lot will be lost in that initial handshake.

What's wrong with optional SSL?

SSL is still needed on the web. But I haven't really seen any good arguments why SSL couldn't be optional. It seems to work quite well with HTTP.