Take the best of the Transmission Control Protocol (TCP), add the security of TLS encryption, and then make them establish a connection and transfer data 3 times faster. If you think that’s impossible, you haven’t heard of QUIC. Can any internet protocol be that perfect? Find out more about QUIC below.
What is QUIC?
QUIC (Quick UDP Internet Connection) is a new encrypted transport-layer network protocol. QUIC was designed to make HTTP traffic more secure, more efficient, and faster. In theory, QUIC takes the best qualities of TCP connections and TLS encryption and implements them on top of UDP. But if QUIC is so similar to HTTP/2 over TCP+TLS, why did it need to be created?
- Reduced connection times. To establish TLS encryption, the client and the server must perform a TLS handshake and exchange encryption keys. In IT terms that is a “lengthy” process, as 4 round-trip requests are involved. When the data is transferred over TCP, TCP’s own handshake adds even more steps to this process, slowing the connection down further. QUIC replaces all of this with a single handshake.
- Better performance when data packets are lost. HTTP/2 over TCP can suffer from head-of-line blocking, a phenomenon where a whole queue of data packets is held up by the first one. If a single packet is lost, the recipient must wait for it to be retransmitted, which has a huge impact on connection performance. QUIC solves this problem by allowing streams of data to reach their destination independently: a stream no longer needs to wait for a missing packet that belongs to another stream to be retransmitted.
- Stable connections when networks change. If you are connected to a web server via TCP and your network suddenly changes (from Wi-Fi to 4G, for example), every connection times out and needs to be re-established. QUIC allows a smoother transition by giving each connection to a web server a unique identifier (a connection ID). Such a connection can be resumed by simply sending a packet rather than establishing a new connection, even if your IP address changes.
- Easier to improve and develop. TCP is implemented in operating-system kernels, which makes changing it close to impossible. QUIC can be implemented at the application level, which makes it a more flexible protocol.
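The head-of-line blocking item above is easiest to see with a toy model. The following is an added illustration, not code from the original article: it constructs a few in-memory packets from three multiplexed streams, drops one, and compares how much data reaches the application under a single ordered byte stream (TCP-like) versus per-stream ordering (QUIC-like). The packets, stream numbers and loss set are all constructed for the example; nothing is sent on the network.

```python
# Added illustration, not code from the original article: a toy model of
# head-of-line blocking. Packets and losses are constructed in memory.
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class Packet:
    seq: int        # position in the sender's transmission order
    stream: int     # application stream (e.g. one web resource) it belongs to
    payload: bytes


# Constructed sample: three resources multiplexed on one connection.
PACKETS: List[Packet] = [
    Packet(0, 1, b"index.html part 1, "),
    Packet(1, 2, b"logo.png part 1, "),
    Packet(2, 3, b"app.js part 1, "),
    Packet(3, 1, b"index.html part 2"),
    Packet(4, 2, b"logo.png part 2"),
    Packet(5, 3, b"app.js part 2"),
]


def deliver_single_ordered_stream(packets: Iterable[Packet], lost: Set[int]) -> Dict[int, bytes]:
    """TCP-style delivery: one ordered byte stream for the whole connection.

    Everything after the first missing packet is held back until that packet
    is retransmitted, even if it belongs to an unrelated resource.
    """
    delivered: Dict[int, bytes] = {}
    for p in sorted(packets, key=lambda p: p.seq):
        if p.seq in lost:
            break  # the gap blocks every later packet
        delivered[p.stream] = delivered.get(p.stream, b"") + p.payload
    return delivered


def deliver_per_stream(packets: Iterable[Packet], lost: Set[int]) -> Dict[int, bytes]:
    """QUIC-style delivery: ordering is enforced per stream.

    A loss stalls only the stream it belongs to; other streams keep flowing.
    """
    delivered: Dict[int, bytes] = {}
    blocked: Set[int] = set()
    for p in sorted(packets, key=lambda p: p.seq):
        if p.stream in blocked:
            continue  # this stream waits for its own retransmission
        if p.seq in lost:
            blocked.add(p.stream)
            continue
        delivered[p.stream] = delivered.get(p.stream, b"") + p.payload
    return delivered


def streams_that_progressed(delivered: Dict[int, bytes]) -> int:
    """How many streams handed at least some data to the application."""
    return sum(1 for data in delivered.values() if data)


if __name__ == "__main__":
    lost = {1}  # packet 1 (first piece of logo.png) never arrives
    for name, fn in (("single ordered stream (TCP-like)", deliver_single_ordered_stream),
                     ("per-stream ordering (QUIC-like)", deliver_per_stream)):
        result = fn(PACKETS, lost)
        print(f"{name}: {streams_that_progressed(result)} of 3 streams progressed")
        for stream, data in sorted(result.items()):
            print(f"  stream {stream}: {data.decode()}")
```

With packet 1 lost, the TCP-like model delivers only the first piece of index.html and then stalls all three resources; the QUIC-like model stalls only logo.png while index.html and app.js complete. With no loss the two models deliver exactly the same data, which is the point: the difference only appears when a packet goes missing.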
Google is one of QUIC’s leading adopters. It’s enabled by default in Google Chrome and Opera 16, and used by Google Search, Gmail, YouTube, and other Google services. Chrome holds 70% of the browser market share, so you can expect other browsers to start employing this protocol very soon.
Is QUIC as flawless as it seems?
There are a few downsides to the QUIC protocol. It improves web communications and reduces latency, but it’s still in its experimental stages. It’s not widely adopted by other websites or web servers, nor is it supported by cybersecurity tools such as firewalls. Because of this, the experimental QUIC protocol can currently open a security loophole.
Firewalls pass HTTP and HTTPS traffic through a web-protection module, which performs malware scanning. But what happens if the connection is made via QUIC? The browser and the supporting web server do recognize it as a QUIC connection, but the device you are browsing on (and the firewall running on it) may not. It treats the connection as plain UDP traffic, which never gets sent to the firewall’s web-protection module.
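A firewall that cannot tell QUIC from “plain UDP” is exactly the gap described above, and the first step toward closing it is recognizing the packets that set a QUIC connection up. The code below is an added example, not code from the original article or from any firewall product: a stateless classifier for a UDP payload that parses the QUIC long-header fields (header-form bit, version, destination and source connection IDs) laid out in RFC 9000 section 17.2, and a tally helper that a monitoring script could apply to a batch of datagrams. The sample packets are constructed by hand and are not real captures; the version constants are the published values for QUIC v1 and v2, and the packet-type decoding is only applied to v1, whose bit encoding the example assumes.

```python
# Added example, not code from the original article: classify a UDP payload as
# a QUIC long-header packet so a firewall or IDS can separate "plain UDP" from
# an HTTP/3 connection being set up. Layout per RFC 9000 section 17.2.
import struct
from typing import Any, Dict, List

# Published version numbers this classifier recognizes.
KNOWN_VERSIONS = {
    0x00000001: "QUIC v1 (RFC 9000)",
    0x6B3343CF: "QUIC v2 (RFC 9369)",
}
# Long packet type (first byte, bits 5-4) as encoded in QUIC v1 only.
V1_LONG_TYPES = {0: "Initial", 1: "0-RTT", 2: "Handshake", 3: "Retry"}
MAX_CID_LEN_V1 = 20  # RFC 9000: connection IDs in v1 are at most 20 bytes


def classify_udp_payload(data: bytes) -> Dict[str, Any]:
    """Return what a stateless check can learn about one UDP payload.

    "quic" is True for a parsed long-header packet, False when the bytes cannot
    be a long header, and None when no stateless decision is possible.
    """
    if not data:
        return {"quic": False, "reason": "empty payload"}
    first = data[0]
    if not first & 0x80:
        # Header Form bit clear: a short-header packet of an established QUIC
        # connection or not QUIC at all; telling them apart needs a CID table.
        return {"quic": None, "reason": "short header or non-QUIC"}
    if len(data) < 7:
        return {"quic": False, "reason": "too short for a long header"}
    version = struct.unpack("!I", data[1:5])[0]
    off = 5
    dcid_len = data[off]
    off += 1
    if dcid_len > MAX_CID_LEN_V1 or off + dcid_len >= len(data):
        return {"quic": False, "reason": "bad destination connection ID length"}
    dcid = data[off:off + dcid_len]
    off += dcid_len
    scid_len = data[off]
    off += 1
    if scid_len > MAX_CID_LEN_V1 or off + scid_len > len(data):
        return {"quic": False, "reason": "bad source connection ID length"}
    scid = data[off:off + scid_len]
    info: Dict[str, Any] = {"quic": True, "header": "long", "version": version,
                            "dcid": dcid.hex(), "scid": scid.hex()}
    if version == 0:
        info["packet_type"] = "Version Negotiation"
    elif version in KNOWN_VERSIONS:
        info["version_name"] = KNOWN_VERSIONS[version]
        if version == 1:
            info["packet_type"] = V1_LONG_TYPES[(first >> 4) & 0x03]
        # v2 permutes the type bits; left undecoded in this example
    else:
        info["quic"] = None  # structurally a long header, but an unknown version
        info["reason"] = "unknown version"
    return info


def tally_quic_initials(datagrams: List[bytes]) -> Dict[str, int]:
    """Count connection starts (Initial), other QUIC, non-QUIC and undecidable payloads."""
    counts = {"quic_initial": 0, "quic_other": 0, "not_quic": 0, "unknown": 0}
    for payload in datagrams:
        info = classify_udp_payload(payload)
        if info["quic"] is True and info.get("packet_type") == "Initial":
            counts["quic_initial"] += 1
        elif info["quic"] is True:
            counts["quic_other"] += 1
        elif info["quic"] is False:
            counts["not_quic"] += 1
        else:
            counts["unknown"] += 1
    return counts


# Constructed samples (not real captures). The Initial is truncated after the
# connection IDs; a real client Initial is padded to at least 1200 bytes.
SAMPLE_INITIAL = (
    bytes([0xC3])                    # long header, fixed bit, type Initial, 4-byte packet number
    + b"\x00\x00\x00\x01"            # version 1
    + bytes([8]) + bytes(range(8))   # DCID length + DCID
    + bytes([0])                     # SCID length 0
    + b"\x00" * 16                   # dummy token length, length, packet number, payload
)
SAMPLE_VERSION_NEGOTIATION = (
    bytes([0x80]) + b"\x00\x00\x00\x00"         # long header, version 0
    + bytes([0]) + bytes([8]) + bytes(range(8))  # empty DCID, 8-byte SCID
    + b"\x00\x00\x00\x01"                        # one supported version
)
SAMPLE_DNS_QUERY = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"  # plain UDP

if __name__ == "__main__":
    for sample in (SAMPLE_INITIAL, SAMPLE_VERSION_NEGOTIATION, SAMPLE_DNS_QUERY):
        print(classify_udp_payload(sample))
    print(tally_quic_initials([SAMPLE_INITIAL, SAMPLE_VERSION_NEGOTIATION, SAMPLE_DNS_QUERY]))
```

Two caveats a defender should keep in mind. A short-header packet is indistinguishable from arbitrary UDP without the connection ID table the endpoints hold, so a stateless check can only reliably flag the connection setup, not every packet. And while Initial packets are protected with keys derived from the destination connection ID (RFC 9001), so an inspecting device can still read the TLS ClientHello they carry, everything after the handshake is encrypted end to end; the web-protection module the article mentions therefore cannot scan HTTP/3 content the way it scans plain HTTP, which is why the article’s recommendation is to block or disable QUIC until the tooling catches up.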
What can you do?
Until it’s adopted more widely and recognized by most firewalls, it’s recommended to block or disable QUIC:
- Open your Chrome browser and enter chrome://flags/ into your address bar. Here you’ll see all experimental features available on Chrome.
- Find Experimental QUIC protocol and select Disabled.