DOI: 10.1145/3555050.3569123
Short paper

On the interplay between TLS certificates and QUIC performance

Published: 30 November 2022

Abstract

In this paper, we revisit the performance of the QUIC connection setup and relate the design choices for fast and secure connections to common Web deployments. We analyze over 1M Web domains with 272k QUIC-enabled services and find two worrying results. First, current practices of creating, providing, and fetching Web certificates undermine reduced round trip times during the connection setup since sizes of 35% of server certificates exceed the amplification limit. Second, non-standard server implementations lead to larger amplification factors than QUIC permits, which increase even further in IP spoofing scenarios. We present guidance for all involved stakeholders to improve the situation.
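The abstract's first finding rests on the QUIC anti-amplification rule: a server may send at most three times the bytes it has received from an address it has not yet validated (RFC 9000, Section 8.1; RFC 9002, Section 6.2.2.1), and a client pads its first Initial datagram to at least 1200 bytes, so the server's first flight is capped at 3600 bytes until the client's next datagram arrives. Whether the certificate chain fits into that budget therefore decides whether the handshake completes in one round trip. The following Python is an added example, not code from the paper or its measurement tooling; the non-certificate message sizes, the overhead figure and the list of chain sizes are constructed placeholders, and the functions `first_flight_split`, `needs_extra_round_trip`, `share_exceeding_limit` and `exceeds_limit` are names chosen for this illustration.

```python
# Added example (not from the paper): anti-amplification accounting for the
# QUIC handshake, to show why certificate size decides whether the handshake
# finishes in one round trip. Assumptions, per RFC 9000 sec. 8.1 and RFC 9002
# sec. 6.2.2.1: the client pads its Initial datagram to at least 1200 bytes,
# and a server may send at most three times the bytes it has received from an
# address it has not yet validated. All message sizes are constructed.

from dataclasses import dataclass

CLIENT_INITIAL_MIN = 1200   # minimum client Initial datagram size, RFC 9000
AMPLIFICATION_FACTOR = 3    # anti-amplification limit, RFC 9000 sec. 8.1


@dataclass
class ServerFirstFlight:
    """Byte sizes of what a server sends before it has validated the client
    address: Initial (ServerHello) plus Handshake (EncryptedExtensions,
    Certificate, CertificateVerify, Finished). Non-certificate sizes are
    constructed placeholders; only the certificate chain varies per site."""
    server_hello: int = 90
    encrypted_extensions: int = 60
    certificate_chain: int = 0
    certificate_verify: int = 80
    finished: int = 36
    overhead: int = 140   # packet headers, AEAD tags, CRYPTO frame headers

    def total(self) -> int:
        return (self.server_hello + self.encrypted_extensions
                + self.certificate_chain + self.certificate_verify
                + self.finished + self.overhead)


def amplification_budget(bytes_received: int) -> int:
    """Bytes a compliant server may send to an unvalidated address."""
    return AMPLIFICATION_FACTOR * bytes_received


def first_flight_split(flight: ServerFirstFlight,
                       bytes_received: int = CLIENT_INITIAL_MIN) -> tuple[int, int]:
    """Return (bytes sent in the first round trip, bytes deferred until the
    client's next datagram lifts the limit). A non-zero second value means
    the handshake costs at least one extra round trip."""
    budget = amplification_budget(bytes_received)
    sent_now = min(flight.total(), budget)
    return sent_now, flight.total() - sent_now


def needs_extra_round_trip(chain_size: int,
                           bytes_received: int = CLIENT_INITIAL_MIN) -> bool:
    flight = ServerFirstFlight(certificate_chain=chain_size)
    return first_flight_split(flight, bytes_received)[1] > 0


def share_exceeding_limit(chain_sizes: list[int]) -> float:
    """Fraction of certificate chains that push the first flight over the
    budget for a minimally sized client Initial."""
    over = sum(1 for size in chain_sizes if needs_extra_round_trip(size))
    return over / len(chain_sizes)


def amplification_factor(bytes_received: int, bytes_sent: int) -> float:
    """Observed factor; a compliant server stays at or below 3 before
    address validation. With a spoofed source address these bytes land on
    the spoofed host, so exceeding the limit matters beyond performance."""
    return bytes_sent / bytes_received


def exceeds_limit(bytes_received: int, bytes_sent: int) -> bool:
    """Check a measured (received, sent) pair against RFC 9000's limit; a
    True result points at a non-standard server implementation."""
    return bytes_sent > amplification_budget(bytes_received)


if __name__ == "__main__":
    # Constructed chain sizes in bytes: compact chains and long ones with
    # several intermediates.
    chains = [1400, 2100, 3300, 4800, 5600]
    for size in chains:
        now, later = first_flight_split(ServerFirstFlight(certificate_chain=size))
        print(f"chain {size:5d} B -> sent {now} B now, {later} B deferred, "
              f"extra RTT: {needs_extra_round_trip(size)}")
    print(f"share over limit: {share_exceeding_limit(chains):.0%}")
    print(f"compliant: 1200 -> 3600 B, factor {amplification_factor(1200, 3600):.1f}, "
          f"exceeds: {exceeds_limit(1200, 3600)}")
    print(f"non-compliant: 1200 -> 5400 B, factor {amplification_factor(1200, 5400):.1f}, "
          f"exceeds: {exceeds_limit(1200, 5400)}")
```

The two halves of the block match the abstract's two findings: `first_flight_split` shows the performance cost of a certificate chain that does not fit into the 3600-byte budget (the remainder waits for the client's acknowledgment, adding a round trip), and `exceeds_limit` is the check an operator or a measurement study would apply to observed byte counts to spot a server that sends more than the standard permits before validating the client address.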



Published In

CoNEXT '22: Proceedings of the 18th International Conference on emerging Networking EXperiments and Technologies, November 2022, 431 pages. ISBN 9781450395083. DOI 10.1145/3555050.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher: Association for Computing Machinery, New York, NY, United States

Acceptance Rates

  • CoNEXT '22 paper acceptance rate: 28 of 151 submissions, 19%
  • Overall acceptance rate: 198 of 789 submissions, 25%

Article Metrics

  • Downloads (last 12 months): 196
  • Downloads (last 6 weeks): 17

Reflects downloads up to 26 Nov 2024

Cited By

  • ReACKed QUICer: Measuring the Performance of Instant Acknowledgments in QUIC Handshakes. Proceedings of the 2024 ACM on Internet Measurement Conference, 389-400. DOI 10.1145/3646547.3689022. Online publication date: 4 Nov 2024.
  • The Age of DDoScovery: An Empirical Comparison of Industry and Academic DDoS Assessments. Proceedings of the 2024 ACM on Internet Measurement Conference, 259-279. DOI 10.1145/3646547.3688451. Online publication date: 4 Nov 2024.
  • QUIC is not Quick Enough over Fast Internet. Proceedings of the ACM Web Conference 2024, 2713-2722. DOI 10.1145/3589334.3645323. Online publication date: 13 May 2024.
  • Unconsidered Installations: Discovering IoT Deployments in the IPv6 Internet. NOMS 2024 - 2024 IEEE Network Operations and Management Symposium, 1-8. DOI 10.1109/NOMS59830.2024.10574963. Online publication date: 6 May 2024.
  • QUIC Hunter: Finding QUIC Deployments and Identifying Server Libraries Across the Internet. Passive and Active Measurement, 273-290. DOI 10.1007/978-3-031-56252-5_13. Online publication date: 11 Mar 2024.
  • Secure Middlebox-Assisted QUIC. 2023 IFIP Networking Conference (IFIP Networking), 1-9. DOI 10.23919/IFIPNetworking57963.2023.10186363. Online publication date: 12 Jun 2023.
  • An Empirical Approach to Evaluate the Resilience of QUIC Protocol Against Handshake Flood Attacks. 2023 19th International Conference on Network and Service Management (CNSM), 1-9. DOI 10.23919/CNSM59352.2023.10327907. Online publication date: 30 Oct 2023.
  • Vision Paper: Do We Need to Change Some Things? Security Standardisation Research, 78-102. DOI 10.1007/978-3-031-30731-7_4. Online publication date: 22 Apr 2023.
