Papers
Topics
Authors
Recent
Search
2000 character limit reached

How Resilient is QUIC to Security and Privacy Attacks?

Published 12 Jan 2024 in cs.CR and cs.NI | (2401.06657v3)

Abstract: QUIC has rapidly evolved into a cornerstone transport protocol for secure, low-latency communications, yet its deployment continues to expose critical security and privacy vulnerabilities, particularly during connection establishment phases and via traffic analysis. This paper systematically revisits a comprehensive set of attacks on QUIC and emerging privacy threats. Building upon these observations, we critically analyze recent IETF mitigation efforts, including TLS Encrypted Client Hello (ECH), Oblivious HTTP (OHTTP) and MASQUE. We analyze how these mechanisms enhance privacy while introducing new operational risks, particularly under adversarial load. Additionally, we discuss emerging challenges posed by post-quantum cryptographic (PQC) handshakes, including handshake expansion and metadata leakage risks. Our analysis highlights ongoing gaps between theoretical defenses and practical deployments, and proposes new research directions focused on adaptive privacy mechanisms. Building on these insights, we propose future directions to ensure long-term security of QUIC and aim to guide its evolution as a robust, privacy-preserving, and resilient transport foundation for the next-generation Internet.

Definition Search Book Streamline Icon: https://streamlinehq.com
References (15)
  1. F. H. Fitzek, S.-C. Li, S. Speidel, T. Strufe, M. Simsek, and M. Reisslein, “Tactile Internet with Human-in-the-Loop,” in Tactile Internet.   Academic Press, 2021, pp. 1–474. [Online]. Available: https://www.sciencedirect.com/book/9780128213438/tactile-internet
  2. Z. Hou, C. She, Y. Li, D. Niyato, M. Dohler, and B. Vucetic, “Intelligent Communications for Tactile Internet in 6G: Requirements, Technologies, and Challenges,” IEEE Communications Magazine, vol. 59, no. 12, pp. 82–88, 2021. [Online]. Available: https://doi.org/10.1109/MCOM.006.2100227
  3. F. Chiariotti, A. A. Deshpande, M. Giordani, K. Antonakoglou, T. Mahmoodi, and A. Zanella, “QUIC-EST: A QUIC-Enabled Scheduling and Transmission Scheme to Maximize VoI with Correlated Data Flows,” IEEE Communications Magazine, vol. 59, no. 4, pp. 30–36, 2021. [Online]. Available: https://doi.org/10.1109/MCOM.001.2000876
  4. X. Cao, S. Zhao, and Y. Zhang, “0-RTT Attack and Defense of QUIC Protocol,” in 2019 IEEE Globecom Workshops, 2019, pp. 1–6. [Online]. Available: https://doi.org/10.1109/GCWkshps45667.2019.9024637
  5. R. Lychev, S. Jero, A. Boldyreva, and C. Nita-Rotaru, “How Secure and Quick is QUIC? Provable Security and Performance Analyses,” in 2015 IEEE Symposium on Security and Privacy, 2015, pp. 214–231. [Online]. Available: https://doi.org/10.1109/SP.2015.21
  6. M. Fischlin and F. Günther, “Replay attacks on zero round-trip time: The case of the tls 1.3 handshake candidates,” in 2017 IEEE European Symposium on Security and Privacy (EuroS&P), 2017, pp. 60–75. [Online]. Available: https://doi.org/10.1109/EuroSP.2017.18
  7. K. Y. Gbur and T. Florian, “QUICforge: Client-side Request Forgery in QUIC,” in 30th Annual Network and Distributed System Security Symposium, NDSS, 2023. [Online]. Available: https://www.ndss-symposium.org/ndss-paper/quicforge-client-side-request-forgery-in-quic/
  8. M. Nawrocki, R. Hiesgen, T. C. Schmidt, and M. Wählisch, “QUICsand: Quantifying QUIC Reconnaissance Scans and DoS Flooding Events,” in Proceedings of the 21st ACM Internet Measurement Conference, 2021, p. 283–291. [Online]. Available: https://doi.org/10.1145/3487552.3487840
  9. C. Inc., “What is a QUIC flood DDoS attack? — QUIC and UDP floods,” https://www.cloudflare.com/learning/ddos/what-is-a-quic-flood/, 2023.
  10. E. Sy, C. Burkert, H. Federrath, and M. Fischer, “A QUIC Look at Web Tracking,” Proceedings on Privacy Enhancing Technology Symphosium, vol. 2019, no. 3, pp. 255–266, 2019. [Online]. Available: https://doi.org/10.2478/popets-2019-0046
  11. P. Zhan, L. Wang, and Y. Tang, “Website fingerprinting on early QUIC traffic,” Computer Networks, vol. 200, p. 108538, 2021. [Online]. Available: https://www.sciencedirect.com/science/article/pii/S1389128621004618
  12. J.-P. Smith, L. Dolfi, P. Mittal, and A. Perrig, “QCSD: A QUIC Client-Side Website-Fingerprinting defence framework,” in 31st USENIX Security Symposium (USENIX Security 22), Aug. 2022, pp. 771–789. [Online]. Available: https://www.usenix.org/conference/usenixsecurity22/presentation/smith
  13. K. Bhargavan, V. Cheval, and C. Wood, “A Symbolic Analysis of Privacy for TLS 1.3 with Encrypted Client Hello,” in Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security, 2022, p. 365–379. [Online]. Available: https://doi.org/10.1145/3548606.3559360
  14. M. Trevisan, F. Soro, M. Mellia, I. Drago, and R. Morla, “Attacking DoH and ECH: Does Server Name Encryption Protect Users’ Privacy?” ACM Transactions on Internet Technology, vol. 23, no. 1, Feb 2023. [Online]. Available: https://doi.org/10.1145/3570726
  15. P. Dikshit, J. Sengupta, and V. Bajpai, “Recent Trends on Privacy-Preserving Technologies under Standardization at the IETF,” Computer Communications Review, vol. 53, no. 2, pp. 22–30, 2023. [Online]. Available: https://doi.org/10.1145/3610381.3610385
Citations (2)
View on Semantic Scholar

Summary

No one has generated a summary of this paper yet.

Sign Up to Summarize

Paper to Video (Beta)

No one has generated a video about this paper yet.

Sign Up to Generate All Videos Subscribe on YouTube

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Sign Up to Generate

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Generate Now

Continue Learning

We haven't generated follow-up questions for this paper yet.

Generate Now

Collections

Sign up for free to add this paper to one or more collections.

Sign Up

Tweets

Sign up for free to view the 1 tweet with 0 likes about this paper.

Sign Up for Free