Hello Stephane, Could you give more (technical) details why you feel long-lived QUIC connections can allow user tracking, and specifically in the IP-switching case?
For an on-path attacker observing encrypted QUIC (at one vantage point), they shouldn't be able to (easily) correlate migrated QUIC connections as the Connection IDs change during (active) migration. For an attacker with access to the decrypted payloads, I'm not sure how QUIC differs from TCP or H3 differs from H2 in your view? With best regards, Robin On Mon, 7 Jun 2021 at 14:39, Stephane Bortzmeyer <bortzme...@nic.fr> wrote: > I was thinking about the privacy risks of QUIC and there is one where > I'm not sure what to think of it, and for which I cannot find any > discussion in the archives of the WG. > > Long-term QUIC connections may enable some user tracking, even when > the user changes its IP address, without even needing HTTP cookies or > things like that. > > I am not sure it is a real problem in practice because it's not new > (HTTP/2 offered similar possibilities), there are many other ways to > track users (HTTP cookies, browser fingerprinting, Google Analytics), > and they even work cross-servers. But it can be a problem for > privacy-oriented technologies (QUIC cannot currently work over Tor but > may be in the future?) > > I do not find discussions about that. Was it considered? (If so, you > are welcome to reply "Search with mailarchive yourself" but I prefer > if it comes with URLs and/or approximate datetimes.) Is it, for > instance, a good idea to advise privacy-oriented clients to always > shut down QUIC connections when IP address changes? > > > > > > -- dr. Robin Marx Postdoc researcher - Web protocols Expertise centre for Digital Media *Cellphone *+32(0)497 72 86 94 www.uhasselt.be Universiteit Hasselt - Campus Diepenbeek Agoralaan Gebouw D - B-3590 Diepenbeek Kantoor EDM-2.05
