Built on top of UDP, the recently standardized QUIC protocol primarily aims to gradually replace the TCP plus TLS plus HTTP/2 model. For instance, HTTP/3 is designed to exploit QUIC's features, including reduced connection establishment time, multiplexing without head of line blocking, always-encrypted end-to-end security, and others. This work serves two key objectives. Initially, it offers the first to our knowledge full-fledged review on QUIC security as seen through the lens of the relevant literature so far. Second and more importantly, through extensive fuzz testing, we conduct a hand-on security evaluation against the most six popular QUIC-enabled production-grade servers. This assessment identified several effective and practical zero-day vulnerabilities, which, if exploited, can quickly overwhelm the server resources. This finding is a clear indication that the fragmented production-level implementations of this contemporary protocol are not yet mature enough. Overall, the work at hand provides the first wholemeal appraisal of QUIC security from both a literature review and empirical standpoint, and it is therefore foreseen to serve as a reference for future research in this timely area.
CHATZOGLOU Efstratios;
KOULIARIDIS Vasileios;
KAROPOULOS Georgios;
KAMPOURAKIS Georgios;
2023-05-15
SPRINGER
JRC129548
1615-5262 (online),
https://link.springer.com/article/10.1007/s10207-022-00630-6,
https://publications.jrc.ec.europa.eu/repository/handle/JRC129548,
10.1007/s10207-022-00630-6 (online),
This document is only visible at the Commission level.
You are not authorized to publish or distribute it outside the European Commission.
This is a public document. You can share this publication.
Additional supporting files
| File name | Description | File type | |
|---|
