I've been seeing a large number of companies, including Cloudflare who just sent out a notice to their customers about enabling HTTP/3 via QUIC recently, touting HTTP/3 based on QUIC as 'much better' than the older HTTP protocols.

I understand the underlying improvements QUIC and HTTP/3 will introduce - bandwidth handling in a better way, faster connection times, end-to-end encryption, etc.

What I'm missing is a security analysis of QUIC connections and HTTP/3. To my knowledge, QUIC has its own headaches, especially in a corporate environment with content filtering going on, and I want to get a better idea of the main security concerns that exist for permitting QUIC and HTTP/3 outbound on the network. Does anyone have any idea of the primary security concerns that arise from HTTP/3 and QUIC?

Thomas Ward
  • @SteffenUllrich Not really, any of the items on that thread are ~2 years old and obsolete, also were not written around HTTP/3 QUIC. Which is why I'm looking for a more up-to-date security concern listing. – Thomas Ward Oct 01 '20 at 21:08
  • There is not really anything new. HTTP/3 QUIC by itself does not introduce new security risks apart from the usual risks which come with added complexity and new implementations. The main point regarding filtering is still that firewalls might not support it and thus might be blind in this case - as I've already described in my answer four years ago. – Steffen Ullrich Oct 01 '20 at 21:18

0 Answers