TLS/SSL on http (80) with STARTTLS

I'm researching the reason why TLS/SSL is not used over HTTP. Other protocols, such as SMTP, POP3, FTP, etc., can be used on SSL ports (SMTPS, POP3S, FTPS) as the first way, and the second way is to use the STARTTLS option on the current port with the extension (SMTP example). There is a popular way to use the second way (STARTTLS) on email protocols, but why is HTTP not using STARTTLS? I found RFC TLS within HTTP/1.1, but it is not used nowadays (or maybe I haven't seen it yet).


Solution 1:

One purpose of the Upgrade mechanism in RFC 2817 was to provide a virtual hosting mechanism for HTTP with TLS, as the situation was back in 2000:

The Upgrade mechanism also solves the "virtual hosting" problem. Rather than allocating multiple IP addresses to a single host, an HTTP/1.1 server will use the Host: header to disambiguate the intended web service. As HTTP/1.1 usage has grown more prevalent, more ISPs are offering name-based virtual hosting, thus delaying IP address space exhaustion.

The Server Name Indication (SNI; RFC 3546, 3.1) gave a better solution to this problem in 2003 – the one still in use – so there has been no need for this anymore. The Upgrade header is still alive but used for different purposes, like switching from HTTP/1.1 to HTTP/2.0 (RFC 7230, 6.7).

The HTTP protocol also has the Location header (RFC 7231, 7.1.2) with the related response codes, making it easy to redirect the client to another scheme, host and port, unlike the protocols that were using STARTTLS.

Also notice that using STARTTLS was not something good and desirable, nor something that should be adopted by more protocols. In fact, RFC 8314 now obsoletes the cleartext protocols for email submission and access, leaving MTA-to-MTA SMTP as the only email protocol where STARTTLS should be used. From section 3:

– – Although this mechanism has been deployed, an alternate mechanism where TLS is negotiated immediately at connection start on a separate port (referred to in this document as "Implicit TLS") has been deployed more successfully. To encourage more widespread use of TLS and to also encourage greater consistency regarding how TLS is used, this specification now recommends the use of Implicit TLS for POP, IMAP, SMTP Submission, and all other protocols used between an MUA and an MSP.

Solution 2:

One reason might be that an additional STARTTLS would add more overhead, since an additional round trip (request + response) is needed. The time from connection start to response is fairly critical with HTTP though, and lots of optimizations were done to reduce this time, like a shorter TLS handshake or different protocols like QUIC. Adding something like STARTTLS would increase the time instead and thus is not a good idea.
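To make the two answers concrete, here is an added example (not code from either answer, nor from any RFC or library) that models the two ways a plain port-80 connection can get to TLS: the in-band RFC 2817 Upgrade exchange that Solution 1 describes, and the Location redirect to https:// that servers actually use, plus the round-trip tally behind Solution 2. Every message is constructed in the script and nothing touches the network. The function names, the `policy` values and the latency model (one RTT per TCP handshake, one per HTTP request/response pair, two for a full TLS 1.2 handshake) are assumptions made for the illustration.

```python
"""Model of two ways a plain-HTTP (port 80) connection can reach TLS:
the RFC 2817 Upgrade handshake (STARTTLS-style, in-band) and the ordinary
Location redirect to an https:// URL.  All messages are constructed here;
nothing is sent over the network."""

CRLF = "\r\n"


def parse_http_message(raw: bytes):
    """Split an HTTP/1.1 request or response into (start line, headers).
    Header names are lower-cased; a missing blank line is an error."""
    text = raw.decode("iso-8859-1")
    head, sep, _body = text.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("incomplete HTTP message: no header terminator")
    lines = head.split(CRLF)
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def build_upgrade_request(host: str, path: str = "/") -> bytes:
    """Client side of RFC 2817 section 3: ask the server to switch the
    existing port-80 connection to TLS before sending anything sensitive."""
    return (
        f"GET {path} HTTP/1.1{CRLF}"
        f"Host: {host}{CRLF}"
        f"Upgrade: TLS/1.0, HTTP/1.1{CRLF}"
        f"Connection: Upgrade{CRLF}{CRLF}"
    ).encode()


def server_response(request: bytes, policy: str) -> bytes:
    """Server side (hypothetical policy switch, not a real server option).
    policy='upgrade'  honours an in-band Upgrade request (RFC 2817) and
                      demands one (426) from clients that did not ask;
    policy='redirect' answers any plain request with a 301 to the https://
                      scheme via the Location header (RFC 7231), which is
                      what deployed servers do instead of STARTTLS."""
    start, headers = parse_http_message(request)
    _method, target, _version = start.split(" ")
    host = headers.get("host")
    if host is None:
        return f"HTTP/1.1 400 Bad Request{CRLF}Content-Length: 0{CRLF}{CRLF}".encode()
    wants_tls = "upgrade" in headers.get("connection", "").lower() and any(
        tok.strip().upper().startswith("TLS/")
        for tok in headers.get("upgrade", "").split(",")
    )
    if policy == "upgrade":
        if wants_tls:
            # After this response both sides run the TLS handshake on the same socket.
            return (f"HTTP/1.1 101 Switching Protocols{CRLF}"
                    f"Upgrade: TLS/1.0, HTTP/1.1{CRLF}"
                    f"Connection: Upgrade{CRLF}{CRLF}").encode()
        # RFC 2817 4.2: refuse cleartext and tell the client what to upgrade to.
        return (f"HTTP/1.1 426 Upgrade Required{CRLF}"
                f"Upgrade: TLS/1.0, HTTP/1.1{CRLF}"
                f"Connection: Upgrade{CRLF}"
                f"Content-Length: 0{CRLF}{CRLF}").encode()
    # Redirect policy: send the client to the Implicit-TLS port instead.
    return (f"HTTP/1.1 301 Moved Permanently{CRLF}"
            f"Location: https://{host}{target}{CRLF}"
            f"Content-Length: 0{CRLF}{CRLF}").encode()


def round_trips_before_first_secure_request(path: str) -> int:
    """Assumed latency model (not from the page): 1 RTT per TCP handshake,
    1 RTT per HTTP request/response pair, 2 RTTs for a full TLS 1.2 handshake.
    Counts the round trips spent before the first request travels inside TLS."""
    tcp, http, tls = 1, 1, 2
    if path == "implicit":      # connect straight to 443 (Implicit TLS)
        return tcp + tls
    if path == "upgrade":       # RFC 2817 / STARTTLS-style on port 80
        return tcp + http + tls
    if path == "redirect":      # 301 to https://, then a fresh connection
        return tcp + http + tcp + tls
    raise ValueError(f"unknown path: {path}")


if __name__ == "__main__":
    req = build_upgrade_request("example.com", "/index.html")
    for policy in ("upgrade", "redirect"):
        print(policy, "->", parse_http_message(server_response(req, policy))[0])
    for p in ("implicit", "upgrade", "redirect"):
        print(f"{p:8s} round trips before first secure request:",
              round_trips_before_first_secure_request(p))
```

Under this model Implicit TLS reaches the first protected request one round trip sooner than the in-band upgrade, which is the overhead Solution 2 refers to; the redirect path costs even more, but unlike STARTTLS it needs no new negotiation inside HTTP, only the Location header the protocol already has.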