Security News > 2021 > January > Google QUIC-ly left privacy behind in its quest for a speedier internet, boffins find

A trio of researchers from China have found that QUIC is more vulnerable to web fingerprinting than HTTPS, a shortcoming that could make it easier for an adversary to infer which websites an individual is visiting by scrutinizing network traffic.

Google developed QUIC to solve issues like these and the protocol is being worked on in parallel by the Internet Engineering Task Force as a standard.

About five per cent of websites currently support QUIC, according to the paper, and Chromium-based browsers will try QUIC first before falling back to HTTPS if QUIC is unavailable.

The boffins claim that the maximum attack accuracy on QUIC is about 57 per cent, which is 73 per cent higher than on HTTPS. By using "Early traffic" - the initial packets being exchanged - they claim QUIC attack accuracy can reach about 95 per cent with only 40 packets and Simple features, compared to about 60 per cent attack accuracy for HTTPS. The researchers caution that their experiments were conducted in an environment where the traffic quality was pure and that real world network conditions may lead to different results.

"The superior transmission performance of the QUIC protocol brings opportunities for speeding up the Internet, but its security risks bring uncertainties," the boffins conclude.

"...The vulnerability of QUIC on early traffic poses a significant challenge to the privacy and confidentiality guaranteed." .

News URL

https://go.theregister.com/feed/www.theregister.com/2021/01/30/quic_fingerprinting_flaw/