The Internet changes: HTTP/3 will not use TCP anymore

QUIC is the protocol underlying the next version of HTTP

The Internet Engineering Task Force (IETF) has revealed that the third official version of HyperText Transfer Protocol (HTTP) will not use TCP anymore. Instead, it will run over the QUIC protocol first developed by Google back in 2012.

WHAT IS QUIC?

Quick UDP Internet Connections (QUIC) is, as its name states, a transport layer protocol based on multiplexed UDP connections. In fact, QUIC uses a combination of TCP + TLS + SPDY over UDP with several enhancements with respect to the current HTTP/2 over TCP implementation.

The IETF has been working on a standardized version of Google’s QUIC since 2016, and it was recently that they announced their intention to include it for the new HTTP/3 version. However, the IETF QUIC version already diverged significantly from the original QUIC design.

Position of HTTP/3 and QUIC in the protocol stack

QUIC protocol aims for simplicity and speed while maintaining security thanks to the TLS 1.3 encryption. They developed a more efficient protocol in terms of connection establishment and data transfer. According to Google, QUIC handshakes frequently require zero roundtrips before sending payload, as compared to 1–3 roundtrips for TCP+TLS. Actually, the first connection ever requires one roundtrip and the followings will work with zero.

Furthermore, it deals better with packet loss than the current TCP. Every retransmitted packet consumes a new sequence number, hence eliminating ambiguities and preventing losses from causing RTO. As Jana Iyengar from IETF states, QUIC is not only a redefinition of the Internet transport layer but a reinvention to do the transport right.

At the moment, only 1.2 % of the top websites support QUIC, but they are generally high-traffic sites: almost every Google service supports their own QUIC protocol.

IS QUIC SECURE?

QUIC first development included its own encryption. However, it was just a temporary implementation destined to be replaced by TLS 1.3 as described by the IETF.

Actually, the connection establishment strategy of QUIC is based on the combination of crypto and transport handshake.

QUIC relies on a combined cryptographic and transport handshake to

minimize connection establishment latency.

Integration of QUIC and TLS, adapted from the IETF’s draft of “Using Transport Layer Security (TLS) to Secure QUIC”.

With QUIC, Everything will be encrypted by default. Nevertheless, there are indeed security risks with QUIC as with any other technology.

The work of Robert Lychev and Samuel Jero in 2015 reported several weaknesses of the protocol. QUIC performance can be degraded by attacks like the Server Config Replay Attack. However, the confidentiality and the authenticity of the data seem to be properly secured according to their security model and tests.

If you want to learn more about QUIC and how it will be integrated into the next version of HTTP, I strongly recommend you to check the official documentation from Google and the drafts published by IETF. You can find them in the bibliography of this article!