A QUIC Look at Web Tracking

Erik Sy 1 , Christian Burkert 2 , Hannes Federrath 3 ,  and Mathias Fischer 4
  • 1 University of Hamburg,
  • 2 University of Hamburg,
  • 3 University of Hamburg,
  • 4 University of Hamburg,


QUIC has been developed by Google to improve the transport performance of HTTPS traffic. It currently accounts for approx. 7% of the global Internet traffic. In this work, we investigate the feasibility of user tracking via QUIC from the perspective of an online service. Our analysis reveals that the protocol design contains violations of privacy best practices through which a tracker can passively and uniquely identify clients across several connections. This tracking mechanisms can achieve reduced delays and bandwidth requirements compared to conventional browser fingerprinting or HTTP cookies. This allows them to be applied in resource- or time-constrained scenarios such as real-time biddings in online advertising. To validate this finding, we investigated browsers which enable QUIC by default, e.g., Google Chrome. Our results suggest that the analyzed browsers do not provide protective measures against tracking via QUIC. However, the introduced mechanisms reset during a browser restart, which clears the cached connection data and thus limits achievable tracking periods. To mitigate the identified privacy issues, we propose changes to QUIC’s protocol design, the operation of QUIC-enabled web servers, and browser implementations.

If the inline PDF is not rendering correctly, you can download the PDF file here.

  • [1] G. Acar, C. Eubank, S. Englehardt, M. Juarez, A. Narayanan, and C. Diaz. The web never forgets: Persistent tracking mechanisms in the wild. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, pages 674–689. ACM, 2014.

  • [2] A. Albasir, K. Naik, B. Plourde, and N. Goel. Experimental study of energy and bandwidth costs of web advertisements on smartphones. In Mobile Computing, Applications and Services (MobiCASE), 2014 6th International Conference on, pages 90–97. IEEE, 2014.

  • [3] Alexa Internet Inc. Alexa Top 1,000,000 Sites, 2018. URL http://s3.amazonaws.com/alexa-static/top-1m.csv.zip.

  • [4] M. Bishop. Hypertext Transfer Protocol Version 3 (HTTP/3). Internet-Draft draft-ietf-quic-http-18, Internet Engineering Task Force, Jan. 2019. URL https://datatracker.ietf.org/doc/html/draft-ietf-quic-http-18. Work in Progress.

  • [5] M. Boucadair, M. Ford, P. Roberts, A. Durand, and P. Levis. Issues with IP Address Sharing. RFC 6269, June 2011. URL https://rfc-editor.org/rfc/rfc6269.txt.

  • [6] T. Bujlow, V. Carela-Español, J. Sole-Pareta, and P. Barlet- Ros. A survey on web tracking: Mechanisms, implications, and defenses. Proceedings of the IEEE, 105(8):1476–1510, 2017.

  • [7] G. Combs. Tshark- the Wireshark Network Analyser. URL http://www.wireshark.org, 2017.

  • [8] Z. Durumeric, E. Wustrow, and J. A. Halderman. ZMap: Fast Internet-wide Scanning and Its Security Applications. In USENIX Security Symposium, volume 8, pages 47–53, 2013.

  • [9] S. Englehardt and A. Narayanan. Online tracking: A 1- million-site measurement and analysis. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pages 1388–1401. ACM, 2016.

  • [10] S. Englehardt, D. Reisman, C. Eubank, P. Zimmerman, J. Mayer, A. Narayanan, and E. W. Felten. Cookies that give you away: The surveillance implications of web tracking. In Proceedings of the 24th International Conference on World Wide Web, pages 289–299. International World Wide Web Conferences Steering Committee, 2015.

  • [11] M. Fischlin and F. Günther. Multi-stage key exchange and the case of Google’s QUIC protocol. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, pages 1193–1204. ACM, 2014.

  • [12] J. Iyengar and M. Thomson. QUIC: A UDP-Based Multiplexed and Secure Transport. Internet-Draft draft-ietf-quictransport- 12, Internet Engineering Task Force, May 2018. URL https://datatracker.ietf.org/doc/html/draft-ietf-quictransport-12. Work in Progress.

  • [13] T. Jager, J. Schwenk, and J. Somorovsky. On the security of tls 1.3 and quic against weaknesses in pkcs# 1 v1. 5 encryption. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, pages 1185–1196. ACM, 2015.

  • [14] C. K. Karlof, U. Shankar, et al. A Usability Study of Doppelganger, A Tool for Better Browser Privacy. 2007.

  • [15] G. Kontaxis and M. Chew. Tracking Protection in Firefox For Privacy and Performance. CoRR, abs/1506.04104, 2015. URL http://arxiv.org/abs/1506.04104.

  • [16] H. Krawczyk and H. Wee. The OPTLS protocol and TLS 1.3. In Security and Privacy (EuroS&P), 2016 IEEE European Symposium on, pages 81–96. IEEE, 2016.

  • [17] A. Langley and C. Wan-Teh. QUIC Crypto, 2018. URL https://www.chromium.org/quic.

  • [18] A. Langley, A. Riddoch, A. Wilk, A. Vicente, C. Krasic, D. Zhang, et al. The QUIC transport protocol: Design and Internet-scale deployment. In Proceedings of the Conference of the ACM Special Interest Group on Data Communication, pages 183–196. ACM, 2017.

  • [19] P. Laperdrix, W. Rudametkin, and B. Baudry. Beauty and the beast: Diverting modern web browsers to build unique browser fingerprints. In Security and Privacy (SP), 2016 IEEE Symposium on, pages 878–894. IEEE, 2016.

  • [20] B. Laurie, A. Langley, and E. Kasper. Certificate Transparency. RFC 6962, June 2013. URL https://rfceditor.org/rfc/rfc6962.txt.

  • [21] R. Lychev, S. Jero, A. Boldyreva, and C. Nita-Rotaru. How secure and quick is QUIC? Provable security and performance analyses. In Security and Privacy (SP), 2015 IEEE Symposium on, pages 214–231. IEEE, 2015.

  • [22] Y. Mansour, S. Muthukrishnan, and N. Nisan. Doubleclick ad exchange auction. CoRR, abs/1204.0535, 2012. URL http://arxiv.org/abs/1204.0535.

  • [23] J. R. Mayer and J. C. Mitchell. Third-party web tracking: Policy and technology. In Security and Privacy (SP), 2012 IEEE Symposium on, pages 413–427. IEEE, 2012.

  • [24] K. Mowery and H. Shacham. Pixel perfect: Fingerprinting canvas in HTML5. Proceedings of W2SP, pages 1–12, 2012.

  • [25] Refsnes Data. The Most Popular Browsers, 2018. URL www.w3schools.com/browsers/.

  • [26] E. Rescorla and N. Sullivan. Semi-Static Diffie-Hellman Key Establishment for TLS 1.3. Internet-Draft draft-rescorlatls13- semistatic-dh-00, Internet Engineering Task Force, Mar. 2018. URL https://datatracker.ietf.org/doc/html/draft-rescorla-tls13-semistatic-dh-00. Work in Progress.

  • [27] E. Rescorla, K. Oku, N. Sullivan, and C. A. Wood. Encrypted Server Name Indication for TLS 1.3. Internet-Draft draft-ietf-tls-esni-02, Internet Engineering Task Force, Oct. 2018. URL https://datatracker.ietf.org/doc/html/draft-ietftls-esni-02. Work in Progress.

  • [28] E. Roman and M. Menke. NetLog: Chrome’s network logging system, 2018. URL https://www.chromium.org/developers/design-documents/network-stack/netlog.

  • [29] J. Rüth, I. Poese, C. Dietzel, and O. Hohlfeld. A First Look at QUIC in the Wild. In International Conference on Passive and Active Network Measurement, pages 255–268. Springer, 2018.

  • [30] S. Schelter and J. Kunegis. On the Ubiquity of Web Tracking: Insights from a Billion-Page Web Crawl. arXiv preprint arXiv:1607.07403, 2016.

  • [31] P. Srisuresh and K. Egevang. Traditional IP network address translator (Traditional NAT). Technical report, 2000.

  • [32] StatCounter. Desktop vs Mobile vs Tablet Market Share Worldwide, 2018. URL gs.statcounter.com/platform-marketshare/desktop-mobile-tablet/worldwide.

  • [33] StatCounter. The Most Popular Browsers, 2019. URL http://gs.statcounter.com/browser-market-share.

  • [34] E. Sy, C. Burkert, H. Federrath, and M. Fischer. Tracking Users Across the Web via TLS Session Resumption. In Proceedings of the 34th Annual Computer Security Applications Conference, ACSAC ’18, pages 289–299, New York, NY, USA, 2018. ACM. ISBN 978-1-4503-6569-7. 10.1145/3274694.3274708. URL http://doi.acm.org/10.1145/3274694.3274708.

  • [35] The Chromium Project. QUIC, a multiplexed stream transport over UDP, 2018. URL https://www.chromium.org/quic.

  • [36] The Chromium Project. QUIC Wire Layout Specification, 2018. URL https://www.chromium.org/quic.

  • [37] S. Yuan, J. Wang, and X. Zhao. Real-time bidding for online advertising: measurement and analysis. In Proceedings of the Seventh International Workshop on Data Mining for Online Advertising, page 3. ACM, 2013.


Journal + Issues