QUIC has been developed by Google to improve the transport performance of HTTPS traffic. It currently accounts for approximately 7% of global Internet traffic. In this work, we investigate the feasibility of user tracking via QUIC from the perspective of an online service. Our analysis reveals that the protocol design contains violations of privacy best practices through which a tracker can passively and uniquely identify clients across several connections. These tracking mechanisms can achieve reduced delays and bandwidth requirements compared to conventional browser fingerprinting or HTTP cookies. This allows them to be applied in resource- or time-constrained scenarios such as real-time bidding in online advertising. To validate this finding, we investigated browsers that enable QUIC by default, e.g., Google Chrome. Our results suggest that the analyzed browsers do not provide protective measures against tracking via QUIC. However, the introduced mechanisms reset during a browser restart, which clears the cached connection data and thus limits achievable tracking periods. To mitigate the identified privacy issues, we propose changes to QUIC’s protocol design, the operation of QUIC-enabled web servers, and browser implementations.