Securing the Next Version of HTTP: How QUIC and HTTP/3 Compare to HTTP/2

Presented at Black Hat Asia 2020 Virtual, Oct. 1, 2020, 11:20 a.m. (40 minutes)

QUIC is a new always-encrypted, general-purpose transport protocol being standardized at the IETF, designed for multiplexing multiple streams of data on a single connection. HTTP/3 runs over QUIC and roughly replaces HTTP/2 over TLS and TCP. QUIC combines the cryptographic and transport handshakes so that a client can connect to a new server in a single round trip and establish a resumed connection in zero round trips, with the client sending encrypted application data in its first flight. QUIC uses TLS 1.3 as the basis for its cryptographic handshake.

This talk will provide an overview of what the QUIC protocol does and how it works, and then will dive deep into some of the technical details. The deep dive will focus on security-related aspects of the protocol, including how QUIC combines the transport and cryptographic handshakes, and how resumption, including zero-round-trip resumption, works. This will also cover how QUIC's notion of a connection differs from the 5-tuple sometimes used to identify connections, and what QUIC looks like on the wire.

In addition to covering details of how QUIC works, this talk will also address implementation and deployment considerations. This will include how a load balancer can be used with cooperating servers to route connections to a fleet of servers while still maintaining necessary privacy and security properties. It will also look back at some of the issues with HTTP/2 and discuss which ones may need to be addressed in QUIC implementations as well, and which are solved by the design of QUIC and HTTP/3.

Presenters:

  • Nick Harper - Senior Software Engineer, Google
    Nick Harper is a Senior Software Engineer at Google working on the Chrome Networking stack. He is currently focused on implementing and deploying all encryption-related parts of QUIC at Google, including replacing Google's custom crypto handshake protocol with TLS 1.3. He also participates in standards work at the IETF in multiple working groups, including QUIC and TLS.
