Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Reduce the trackability of QUIC connections #3855

Open
fmarier opened this issue Mar 22, 2019 · 0 comments
Open

Reduce the trackability of QUIC connections #3855

fmarier opened this issue Mar 22, 2019 · 0 comments
Labels
priority/P4 Planned work. We expect to get to it "soon". privacy/tracking Preventing sites from tracking users across the web privacy

Comments

@fmarier
Copy link
Member

fmarier commented Mar 22, 2019

In #190, we decided not to disable QUIC and looking at chrome://flags/#enable-quic, it is set to the default value (there is also an enterprise policy for it). Loading https://maps.google.com with the devtools open, I can see in the network tab ("protocol" column) that we're making http/2+quic/43 connections.

In light of recently published research, we should probably add a few mitigations to reduce web servers' ability to track using the QUIC protocol.

Here are some proposed mitigations based on the above paper:

  • respect server-config expiry but cap it to:
    • 60 min (or 24h if 60 min is too aggressive) for first-party connections
    • 10 min for third-party connections
  • ignore server-config update messages
  • clear source-address tokens when:
    • IP address changes
    • server-config is cleared
@fmarier fmarier added the privacy/tracking Preventing sites from tracking users across the web label Mar 22, 2019
@tildelowengrimm tildelowengrimm added the priority/P4 Planned work. We expect to get to it "soon". label Aug 6, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
priority/P4 Planned work. We expect to get to it "soon". privacy/tracking Preventing sites from tracking users across the web privacy
Projects
None yet
Development

No branches or pull requests

2 participants