Google QUIC is vulnerable to cyber criminal activity, creates a ‘black hole’ that hackers can exploit.

[D.Draker]

"While touted as an alternative to TCP, QUIC poses several security concerns for network operators. Standard network security appliances cannot easily identify QUIC traffic, which makes this network protocol vulnerable to cyber criminal activity."

 

"Why do Network Security Teams Not Like Google QUIC?

Despite its perceived positives, QUIC could inadvertently have a negative impact on network security. That’s because security appliances like firewalls and network sensors typically are not able to access information they had previously relied on with legacy TCP sessions. This creates a ‘black hole’ that hackers can exploit.

 

Here’s the main problem: Standard network security devices can’t determine the QUIC application protocol, viewing it like layer 4 UDP traffic. While browsers and supported web servers can differentiate between QUIC traffic and other traffic, standard network security like firewalls can’t.

 

This means firewalls are less effective at detecting incoming threats, putting network security at risk. To complicate the challenge for cyber threat hunters, Google revises its protocol frequently, and threat detection tools must catch up with these ever-changing standards. There are other issues.

 

QUIC, similar to TLS 1.3, applies its encryption at the transport layer and not in the higher layers. Hence, it encrypts all transport information, which can virtually eliminate the attack surface that TCP offers. Plus, it’s increasingly difficult to measure and analyze QUIC traffic using reporting tools because, again, firewalls and standard network sensors don’t recognize it.  This is a plus for consumer privacy but causes significant challenges for those responsible for protecting our communications networks."

source.

https://netquestcorp.com/google-quic-and-network-security/

[Sampei.Nihira]

Read this instead of your generic article:

https://datatracker.ietf.org/doc/rfc9000/

If you can't make it out what is written don't waste your time rebutting I will not provide any elucidation because that would be wasting my valuable time.

And say thank you once in a while.

[D.Draker]

7 hours ago, Sampei.Nihira said:

Read this instead of your generic article:

https://datatracker.ietf.org/doc/rfc9000/

Are you sure you read that article yourself? Doesn't look like it.

"21.5.5.  Request Forgery with Version Negotiation

  "Clients that are able to present a spoofed source address on a packet

   can cause a server to send a Version Negotiation packet

   (Section 17.2.1) to that address.

   The absence of size restrictions on the connection ID fields for

   packets of an unknown version increases the amount of data that the

   client controls from the resulting datagram.  The first byte of this

   packet is not under client control and the next four bytes are zero,

   but the client is able to control up to 512 bytes starting from the

   fifth byte.

   No specific countermeasures are provided for this attack, though

   generic protections (Section 21.5.6) could apply.  In this case,

   ingress filtering [BCP38] is also effective."

https://datatracker.ietf.org/doc/rfc9000/

[NotHereToPlayGames]

3 minutes ago, D.Draker said:

Are you sure you read that article yourself? Doesn't look like it.

I'm not quite understanding the underlying hostility?  The voting is 100% (at time of post) "I don't, and not going to. I think it's unsafe." so doesn't that tell us that you have both voted the same exact "it's unsafe"?

[D.Draker]

8 hours ago, Sampei.Nihira said:

If you can't make it out what is written don't waste your time rebutting

And say thank you once in a while.

No matter your mood, you're demanded to be respectful on the forum.

https://msfn.org/board/guidelines/

And stop insulting once in a while.

7.b This community is built upon mutual respect. You are not allowed to flame other members. People who do not respect personal opinions and/or personal work will be warned in first instance.

If you ignore the warning and keep on flaming, you will be banned without notice.

You ignored that rule 75389623702702037 times.

8 hours ago, Sampei.Nihira said:

I will not provide any elucidation because that would be wasting my valuable time.

Good, less dangerous advice.

Don't like my topics? Ignore. 

[Sampei.Nihira]

@D.Draker

The person who wrote the article is a Mozilla engineer.
Are you aware that in Firefox,the QUIC protocol is enabled by default?

[D.Draker]

3 hours ago, Sampei.Nihira said:

@D.Draker

The person who wrote the article is a Mozilla engineer.
Are you aware that in Firefox,the QUIC protocol is enabled by default?

This topic is about Google's QUIC implementation, which is clearly shown in the title, yet it obviously doesn't prevent you from posting off-topic and insulting, all as usual with your posts.

[D.Draker]

3 hours ago, NotHereToPlayGames said:

I'm not quite understanding the underlying hostility? 

Please specify, where do you see "hostility" from my side? In that article, provided by the actually hostile member, which I merely quoted, the developer himself points out to severe flaws, and I only quoted one.

Besides, I made the topic about Google's QUIC implementation, which is clearly shown in the title, not Forefox. Strange you both still didn't read the title.

[D.Draker]

3 hours ago, NotHereToPlayGames said:

The voting is 100% (at time of post) "I don't, and not going to. I think it's unsafe." so doesn't that tell us that you have both voted the same exact "it's unsafe"?

Don't agree? You're very welcome to vote for No.1 or whatever you like.

[Sampei.Nihira]

@D.Draker

 

Everything I write for you to learn is always Off Topic.

Are you aware that in Chromium-based browsers you have to select "disabled" to not use (client-side) the QUIC protocol?
It is not enough to leave the "default" setting.

So there are millions of users in the World using QUIC in chromium-based browsers without any security problems.

Because server-side when a website uses QUIC ( example Amazon) has implemented it anyway.

With this post my intervention is definitely concluded.

Good luck for your poll.

Edited April 2 by Sampei.Nihira

[NotHereToPlayGames]

31 minutes ago, D.Draker said:

Don't agree? You're very welcome to vote for No.1 or whatever you like.

I do agree, unsafe, not for me.  Don't care if it's Google QUIC or non-Google QUIC - neither is for me.

But no, I did not vote, nor plan to.

Some topics seem to only exist for the sake of Provocateur Extraordinaire - this one has already unfolded as such so I'll leave it to "you two" to duke it out, "not for me".

[D.Draker]

3 hours ago, NotHereToPlayGames said:

I do agree, unsafe, not for me.  Don't care if it's Google QUIC or non-Google QUIC - neither is for me.

Thank you for your honest opinion! I'm outta likes for today, unfortunately, that's why I write this in plain words.

Glad to be of help, that's the reason I made this topic.

 

3 hours ago, NotHereToPlayGames said:

But no, I did not vote, nor plan to.

It would still be helpful if you voted.

[D.Draker]

3 hours ago, Sampei.Nihira said:

Are you aware that in Chromium-based browsers you have to select "disabled" to not use (client-side) the QUIC protocol?
It is not enough to leave the "default" setting.

I don't rely on "user allowed" settings as they come back to default each time when a new profile is made, so I use it via cmd --disable-quic , without quotes of course.

[NotHereToPlayGames]

1 hour ago, Sampei.Nihira said:

@D.Draker

 

Everything I write for you to learn is always Off Topic.

Are you aware that in Chromium-based browsers you have to select "disabled" to not use (client-side) the QUIC protocol?
It is not enough to leave the "default" setting.

So there are millions of users in the World using QUIC in chromium-based browsers without any security problems.

Because server-side when a website uses QUIC ( example Amazon) has implemented it anyway.

With this post my intervention is definitely concluded.

Good luck for your poll.

Cannot replicate here in the US.  At least not in Ungoogled Chromium v114.

Edited April 2 by NotHereToPlayGames

[Sampei.Nihira]

@NotHereToPlayGames

Thank you for your test.
The conclusion is that any user who does not want to use QUIC should test with their browser's development tools.