QUIC protocol, RFC 9000: User tracking? How to filter?

I noticed QUIC / HTTP/3 traffic is increasing (UDP at port 443, mainly caused by Facebook/META apps). It defies detailed HTTP / HTTPS filters, established proxies like SQUID cannot filter it (AFAIK not yet), monitoring is difficult.

To my understanding QUIC long and short header bear a "Connection ID" that remains constant even when roaming from one network to another (from LTE to WiFi for instance or from VPN to Home-network). IMHO technically this can be used to follow/track devices even if they switch the egress point and could serve as a substitute for COOKIES.

(Source: https://svs.informatik.uni-hamburg.de/publications/2019/2019-02-26-Sy-PET_Symposium-A_QUIC_Look_at_Web_Tracking.pdf)

Am I correct? Is this common knowledge? Do you block QUIC?

1 Like