Which secure transport protocol for a reliable HTTP/2-based web service: TLS or QUIC?

Web browsing protocols are currently gaining the interest of researchers. HTTP/2, an improvement on HTTP/1.1, was standardized in 2015, and meanwhile Google proposed another transport protocol, QUIC (Quick UDP Internet Connection). The main objective of both protocols is to improve end-users' quality of experience and communication security. Current HTTP/2-based web servers rely on the standardized TLS (Transport Layer Security) protocol on top of TCP. Google developed its own security system, natively integrated within QUIC, which runs on top of UDP. While a few researchers have investigated performance issues, comparing HTTP/2 over TLS/TCP and over QUIC/UDP, no one has studied the security aspects of the two transport protocols. This paper aims to fill this gap and proposes a first security analysis of TLS/TCP and QUIC/UDP. Based on their characteristics, this paper identifies the vulnerabilities of the two protocols and evaluates their impact on HTTP/2-based web services. This study can help web server developers and administrators select either TLS/TCP or QUIC/UDP.
