A Quic(k) Security Overview: A Literature Research on Implemented Security Recommendations

Built on top of UDP, the relatively new QUIC protocol serves as the baseline for modern web protocol stacks. Equipped with a rich feature set, the protocol is defined by a 151 pages strong IETF stan-dard complemented by several additional documents. Enabling fast updates and feature iteration, most QUIC implementations are im-plemented as user space libraries leading to a large and fragmented ecosystem. This work addresses the research question, "if a complex standard with a large number of different implementations leads to an insecure ecosystem?". The relevant RFC documents were studied and "Security Consideration" items describing conceptional prob-lems were extracted. During the research, 13 popular production ready QUIC implementations were compared by evaluating 10 se-curity considerations from RFC9000. While related studies mostly focused on the functional part of QUIC, this study confirms that available QUIC implementations are not yet mature enough from a security point of view.