
A Quic(k) Security Overview: A Literature Research on Implemented Security Recommendations (2306.17568v1)

Published 30 Jun 2023 in cs.CR

Abstract: Built on top of UDP, the relatively new QUIC protocol serves as the baseline for modern web protocol stacks. Equipped with a rich feature set, the protocol is defined by a 151-page IETF standard complemented by several additional documents. To enable fast updates and feature iteration, most QUIC implementations are user-space libraries, which has led to a large and fragmented ecosystem. This work addresses the research question: does a complex standard with a large number of different implementations lead to an insecure ecosystem? The relevant RFC documents were studied and "Security Consideration" items describing conceptual problems were extracted. During the research, 13 popular production-ready QUIC implementations were compared by evaluating 10 security considerations from RFC9000. While related studies mostly focused on the functional part of QUIC, this study confirms that available QUIC implementations are not yet mature enough from a security point of view.
