A QUIC Look at Web Tracking

Authors: Erik Sy (University of Hamburg), Christian Burkert (University of Hamburg), Hannes Federrath (University of Hamburg), Mathias Fischer (University of Hamburg)

Volume: 2019
Issue: 3
Pages: 255–266
DOI: https://doi.org/10.2478/popets-2019-0046

Abstract: QUIC has been developed by Google to improve the transport performance of HTTPS traffic. It currently accounts for approx. 7% of the global Internet traffic. In this work, we investigate the feasibility of user tracking via QUIC from the perspective of an online service. Our analysis reveals that the protocol design contains violations of privacy best practices through which a tracker can passively and uniquely identify clients across several connections. These tracking mechanisms can achieve reduced delays and bandwidth requirements compared to conventional browser fingerprinting or HTTP cookies. This allows them to be applied in resource- or time-constrained scenarios such as real-time bidding in online advertising. To validate this finding, we investigated browsers which enable QUIC by default, e.g., Google Chrome. Our results suggest that the analyzed browsers do not provide protective measures against tracking via QUIC. However, the introduced mechanisms reset during a browser restart, which clears the cached connection data and thus limits achievable tracking periods. To mitigate the identified privacy issues, we propose changes to QUIC’s protocol design, the operation of QUIC-enabled web servers, and browser implementations.

Keywords: QUIC Transport Protocol, Network Security, Protocol Design, Privacy Protections, Browser Measurements

Copyright in PoPETs articles is held by their authors. This article is published under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 license.