Reduce the trackability of QUIC connections #3855
Labels
priority/P4
Planned work. We expect to get to it "soon".
privacy/tracking
Preventing sites from tracking users across the web
privacy
In #190, we decided not to disable QUIC, and looking at chrome://flags/#enable-quic, it is set to the default value (there is also an enterprise policy for it). Loading https://maps.google.com with the devtools open, I can see in the network tab ("protocol" column) that we're making http/2+quic/43 connections.

In light of recently published research, we should probably add a few mitigations to reduce web servers' ability to track using the QUIC protocol.
Here are some proposed mitigations based on the above paper:
server-config expiry but cap it to:
server-config update messages
source-address tokens when:
server-config is cleared