

QUIC and HTTP/3: The Next Step in Web Security and Performance

In recent years, the ways that we can deliver HTTP have improved in occasional leaps, from 1.0 to 1.1, a big step to 2.0, and now 3.0. One of the biggest obstacles has been TCP, which isn't a great fit for HTTP, but we are stuck with it – or are we? QUIC is a reimagining of TCP that runs over 'the other protocol', UDP, and integrates TLS 1.3, giving us a step up in performance and security. Discover how it works, how you can configure your servers and applications, and how to deploy and test it today.

This talk was given at the IT Security Summit / DevOpsCon in Berlin on June 16, 2026.


Marcus Bointon

June 21, 2026


Transcript

  1. HTTP/3 & QUIC
     MARCUS BOINTON @ IT SECURITY SUMMIT BERLIN 2026
     The next step in web performance
  2. Marcus Bointon
     Skier, Songwriter, Author of "The HTTP/3 Book"
     PHPMailer maintainer, Laravel dev
     Radically Open Security
     Pentests, code audits
  3. MARCUS BOINTON — @[email protected] — QUIC AND HTTP/3 IT SECURITY SUMMIT BERLIN 2026
     HOW DID WE GET HERE?
     ▸ HTTP/0.9: 1991, no RFC
     ▸ HTTP/1.0: 1996, RFC1945
     ▸ HTTP/1.1: 1997, RFC2068, 2616
     ▸ HTTP/2: 2015, RFC7540
     ▸ HTTP/3: 2022, RFC9114
  4. WHAT DID HTTP/2 CHANGE?
     ▸ Binary protocol
     ▸ More compact, header compression
     ▸ Immune to desync / request smuggling: http1mustdie.com
     ▸ Multiplexing
     ▸ Multiple resources in a single connection, with prioritisation
     ▸ Server push
     ▸ TLS only
  5. WHAT PROBLEMS DOES HTTP/2 HAVE?
     ▸ Head of line blocking
     ▸ Network switching
     ▸ Connection re-establishment latency
     ▸ TCP congestion control, etc, can't be changed
  6. WHAT ARE QUIC AND HTTP/3?
     ▸ We can’t change TCP without updating every device in the world
     ▸ Google designed QUIC as a workaround
     ▸ A reimagining of TCP implemented over UDP
     ▸ Combines TLS and TCP into a single protocol with reduced overhead
     ▸ HTTP/3 is mostly the same as HTTP/2, but built on QUIC
     ▸ Implemented in userland instead of OS
     ▸ You’re using it already
  7. TCP VS UDP
     ▸ Transmission Control Protocol – TCP – slow, complex, reliable
     ▸ User Datagram Protocol – UDP – fast, simple, unreliable
     ▸ Connectionless, packets in any order, no delivery guarantee
     ▸ Lossy, good for video, audio, DNS
     ▸ Reimplementing TCP features for UDP costs performance
     ▸ But still better than TCP, and easier to change
  8. NETWORK LAYERS
     [Diagram of the protocol stacks, all running over IPv4 & IPv6]
     HTTP/1.1: HTTP / TLS / TCP
     HTTP/2:   HTTP / TLS 1.2 / TCP
     HTTP/3:   HTTP / QUIC + TLS 1.3 / UDP
  9. INITIAL CONNECTION
     [Sequence diagrams of the round trips between Client and Server for each stack]
     TCP, TLS 1.2, HTTP/2
     TCP, TLS 1.3, HTTP/2
     QUIC with TLS 1.3, HTTP/3
  10. RESUMED CONNECTION – 0-RTT
     [Sequence diagrams between Client and Server: TCP, TLS 1.3, HTTP/2; QUIC, TLS 1.3, HTTP/3]
     ‣ Potential for replay attacks
     ‣ Disabled by default
     ‣ Early-Data: 1 header set by intermediaries
     ▸ HTTP 425 Too Early
     ‣ Only in Firefox
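The 0-RTT replay risk and the Early-Data / 425 Too Early mechanism on this slide, as an added example that is not from the talk: an origin-side policy in the spirit of RFC 8470. It assumes a TLS-terminating proxy adds `Early-Data: 1` to requests it accepted in 0-RTT; the function and middleware names are mine.

```python
# Added example (not from the slides): an origin-side early-data policy.
# Assumes a TLS terminator / reverse proxy sets "Early-Data: 1" on requests it
# received in 0-RTT and forwards the original method; everything else is constructed.
from typing import Mapping, Tuple

# RFC 9110 "safe" methods: replaying one of these cannot change server state,
# so they are the only methods we let through while the request may be a replay.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS", "TRACE"})


def is_early_data(headers: Mapping[str, str]) -> bool:
    """True only if an intermediary marked the request as 0-RTT early data."""
    for name, value in headers.items():      # header names are case-insensitive
        if name.lower() == "early-data":
            return value.strip() == "1"      # "1" is the only defined value
    return False


def early_data_decision(method: str, headers: Mapping[str, str]) -> Tuple[int, str]:
    """(0, reason) = handle normally; (425, reason) = refuse until the handshake completes."""
    if not is_early_data(headers):
        return 0, "not early data"
    if method.upper() in SAFE_METHODS:
        return 0, "safe method in early data"
    # A replayed POST/PUT/DELETE could repeat a payment, a deletion, etc.
    return 425, "Too Early"


def wsgi_early_data_guard(app):
    """WSGI middleware: answer 425 Too Early before the wrapped app sees the request."""
    def guarded(environ, start_response):
        # WSGI folds "Early-Data" into environ["HTTP_EARLY_DATA"]; undo that mapping.
        headers = {k[5:].replace("_", "-"): v
                   for k, v in environ.items() if k.startswith("HTTP_")}
        status, _ = early_data_decision(environ.get("REQUEST_METHOD", "GET"), headers)
        if status == 425:
            body = b"Too Early: retry after the TLS handshake completes\n"
            start_response("425 Too Early", [("Content-Type", "text/plain"),
                                             ("Content-Length", str(len(body)))])
            return [body]
        return app(environ, start_response)
    return guarded
```

A client that receives 425 is expected to retry the same request once the handshake has completed, so the refusal costs one round trip but never a duplicated state change.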
  11. HEAD-OF-LINE BLOCKING – HTTP/2
     [Diagram] Image credit: http.dev
  12. HEAD-OF-LINE BLOCKING SOLVED – HTTP/3
     [Diagram: client sends HTTP/3 requests 1–8 to the server, each on its own QUIC stream] Image credit: http.dev
  13. TCP CONNECTIONS VS QUIC STREAMS
     Image credit: http.dev
     ▸ HTTP/2 can block because multiple requests share a single TCP connection that can't tell them apart
     ▸ In HTTP/3, each request has its own HTTP stream
     ▸ Each HTTP stream has its own QUIC stream
     ▸ This correspondence solves HOLB
  14. MAPPING HTTP/3 STREAMS TO QUIC STREAMS
     [Diagram: the HTTP/3 stream for index.html maps to QUIC stream 0 and the HTTP/3 stream for styles.css to QUIC stream 4; each carries HEADERS and DATA frames]
  15. NETWORK SWITCHING
     ▸ Switching networks requires re-establishing TCP connections
     ▸ IP & port as identifier
     ▸ Breaks session resumption each time
     ▸ QUIC uses a connection ID that moves between networks
     ▸ More likely for session resumption to happen
     ▸ Privacy? Cycles through a list of random IDs
  16. HTTP/3 HEADER COMPRESSION
     ▸ HTTP/2 uses HPACK
     ▸ Table changes embedded in compressed data
     ▸ Can suffer from HOLB
     ▸ HTTP/3 uses QPACK, RFC9204
     ▸ Avoids HOLB by using separate encoder streams
     ▸ Both use static & dynamic tables & Huffman encoding
  17. HTTP/3 IMPLEMENTATIONS
     ▸ Clients, servers, libraries
     ▸ Clients: Chrome, Edge, Firefox, Safari (iOS 15)
     ▸ Servers: Litespeed, Caddy, Nginx, HAProxy
     ▸ Not Apache!
     ▸ Libraries: h2o, nghttp3, libcurl, openssl 3.2.0
     ▸ Cloud services: CloudFlare
     ▸ All in userland, so not so subject to OS stagnation
  18. HOW TO DEPLOY HTTP/3?
     ▸ How does a client know a server supports HTTP/3?
     ▸ Server can tell clients what protocols it can use
     ▸ Alt-Svc header
     ▸ DNS SVCB (HTTPS) records
  19. ALT-SVC HTTP HEADER
     ▸ RFC7838
     ▸ “Alternative service”
     ▸ Similar approach to HSTS for HTTPS
     ▸ Alt-Svc: h3=":443"; ma=31536000; persist=1, h2="alt.example.com:443"; ma=31536000
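How a client turns the Alt-Svc value on this slide into a cached, time-limited alternative, as an added example (my code, not the talk's): a small RFC 7838 parser plus the freshness check that decides whether a stored h3 entry may still be used. The `AltService` fields and `pick_h3` name are mine.

```python
# Added example (not from the slides): parse an Alt-Svc field value (RFC 7838)
# into alternative services and decide whether a cached h3 alternative is still
# fresh. The value used in the test is the one shown on the slide.
import re
import time
from dataclasses import dataclass
from typing import List, Optional

# protocol-id="authority" followed by optional ;-separated parameters
_ALT = re.compile(r'\s*([A-Za-z0-9._%-]+)="([^"]*)"((?:\s*;\s*[^;,]+)*)')


@dataclass
class AltService:
    protocol: str          # ALPN id, e.g. "h3"
    host: str              # "" means the origin's own host
    port: int
    max_age: int = 86400   # RFC 7838 default when "ma" is absent
    persist: bool = False  # persist=1: keep the entry across network changes


def parse_alt_svc(value: str) -> List[AltService]:
    """Return the alternatives in one Alt-Svc value; "clear" means forget them all."""
    if value.strip() == "clear":
        return []
    result = []
    for m in _ALT.finditer(value):
        proto, authority, params = m.group(1), m.group(2), m.group(3)
        host, _, port = authority.rpartition(":")   # ":443" => same host, port 443
        svc = AltService(proto, host, int(port))
        for param in params.split(";"):
            key, _, val = param.strip().partition("=")
            if key == "ma" and val.isdigit():
                svc.max_age = int(val)
            elif key == "persist":
                svc.persist = val == "1"
        result.append(svc)
    return result


def pick_h3(value: str, received_at: float, now: Optional[float] = None) -> Optional[AltService]:
    """Return a still-fresh h3 alternative, or None if the client should stay on TCP."""
    now = time.time() if now is None else now
    for svc in parse_alt_svc(value):
        if svc.protocol == "h3" and now - received_at < svc.max_age:
            return svc
    return None
```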
  20. SVCB DNS RECORDS
     ▸ “Service binding” SVCB records, RFC9460, HTTPS record subtype
     ▸ Saves an HTTP request, at the cost of a DNS lookup
     ▸ example.com 3600 IN HTTPS 1 . alpn="h3,h2"
     ▸ example.com 3600 IN HTTPS 1 . alpn="h3,h2" ipv4hint="192.0.2.1" ipv6hint="2001:db8::1"
     ▸ example.com 3600 IN HTTPS 1 example.net alpn="h3,h2"
     ▸ example.com 3600 IN HTTPS 2 example.org alpn="h2"
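What a client does with records like the ones on this slide, as an added example that is not from the talk: parse HTTPS records in presentation format and resolve them the way RFC 9460 describes (follow AliasMode, priority 0, then pick the lowest-priority ServiceMode record). `SAMPLE_ZONE` is constructed from two of the slide's records plus a made-up AliasMode record for www.example.com; the function names are mine.

```python
# Added example (not from the slides): parse HTTPS (SVCB) records in zone-file
# presentation format (RFC 9460) and work out which service a client would use.
# SAMPLE_ZONE is constructed: two records from the slide plus an invented
# AliasMode record for www.example.com.
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE_ZONE = """
www.example.com 3600 IN HTTPS 0 example.com
example.com 3600 IN HTTPS 1 . alpn="h3,h2" ipv4hint="192.0.2.1" ipv6hint="2001:db8::1"
example.com 3600 IN HTTPS 2 example.org alpn="h2"
"""


@dataclass
class HttpsRecord:
    owner: str
    priority: int      # 0 = AliasMode; otherwise ServiceMode, lower value preferred
    target: str        # "." in the zone means the owner name itself
    params: Dict[str, List[str]] = field(default_factory=dict)


def parse_https_records(zone: str) -> List[HttpsRecord]:
    records = []
    for line in zone.strip().splitlines():
        owner, _ttl, _cls, rtype, prio, target, *params = shlex.split(line)
        if rtype != "HTTPS":
            continue
        rec = HttpsRecord(owner, int(prio), owner if target == "." else target)
        for param in params:
            key, _, value = param.partition("=")   # shlex already stripped the quotes
            rec.params[key] = value.split(",") if value else []
        records.append(rec)
    return records


def choose_service(records: List[HttpsRecord], name: str, depth: int = 0) -> Optional[HttpsRecord]:
    """Follow AliasMode chains (bounded, so a looping zone cannot hang the client),
    then return the ServiceMode record with the lowest priority, or None."""
    if depth > 8:
        return None
    mine = [r for r in records if r.owner == name]
    aliases = [r for r in mine if r.priority == 0]
    if aliases:
        return choose_service(records, aliases[0].target, depth + 1)
    services = sorted((r for r in mine if r.priority > 0), key=lambda r: r.priority)
    return services[0] if services else None


def supports_h3(rec: Optional[HttpsRecord]) -> bool:
    return rec is not None and "h3" in rec.params.get("alpn", [])
```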
  21. NGINX CONFIG EXAMPLE
     server {
         listen 443 ssl;
         listen [::]:443 ssl;
         listen 443 quic;
         listen [::]:443 quic;
         http2 on;
         http3 on;
         add_header Alt-Svc 'h3=":443"; ma=31536000; persist=1, h2=":443"; ma=31536000';
         ...
     }
  22. FIREWALL CONFIG
     UFW:
         ufw allow from any to any port 443
         ufw allow proto udp from any to any port 443
     iptables:
         iptables -I INPUT -p udp --dport 443 -j ACCEPT
  23. SECURITY UPGRADE
     ▸ QUIC requires TLS 1.3
     ▸ Lower overhead
     ▸ No weak cipher suites, KX, or hashes
     ▸ Forward secrecy
     ▸ Downgrade detection
     ▸ More is encrypted
  24. WEBSOCKETS
     ▸ Yes, HTTP/3 supports WebSockets: RFC 9220
     ▸ But there's a new approach coming: WebTransport
     ▸ Multiple streams
     ▸ Unidirectional streams
     ▸ Out-of-order delivery
     ▸ Reliable and unreliable transport
  25. OPTIMISING FOR HTTP/3
     ▸ The same as HTTP/2
     ▸ Use few domains
     ▸ Don’t worry about bundling
     ▸ Request count doesn’t really matter
     ▸ Use defer / preload / async & lazy loading
  26. EARLY HINTS
     Regular response:
         [... wait ...]
         HTTP/1.1 200 OK
         Date: Fri, 26 May 2017 10:02:11 GMT
         Content-Length: 1234
         Content-Type: text/html; charset=utf-8
         Link: </style.css>; rel=preload; as=style
         Link: </script.js>; rel=preload; as=script
     Early hints response:
         HTTP/1.1 103 Early Hints
         Link: </style.css>; rel=preload; as=style
         Link: </script.js>; rel=preload; as=script
         [... wait ...]
         HTTP/1.1 200 OK
         Date: Fri, 26 May 2017 10:02:11 GMT
         Content-Length: 1234
         Content-Type: text/html; charset=utf-8
         Link: </style.css>; rel=preload; as=style
         Link: </script.js>; rel=preload; as=script
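The early-hints exchange on this slide has two status lines on one response, which a naive HTTP/1.1 reader will mistake for the final response. As an added example (my code, not from the talk), a minimal reader that consumes every 1xx interim head, keeps its Link hints, and only then returns the real response. `EARLY_HINTS_RESPONSE` is constructed from the slide's exchange with a short body.

```python
# Added example (not from the slides): a minimal HTTP/1.1 response reader that
# handles 103 Early Hints interim responses. EARLY_HINTS_RESPONSE is constructed
# from the slide's exchange, with a 5-byte body instead of the slide's 1234.
from typing import Dict, List, Tuple

EARLY_HINTS_RESPONSE = (
    b"HTTP/1.1 103 Early Hints\r\n"
    b"Link: </style.css>; rel=preload; as=style\r\n"
    b"Link: </script.js>; rel=preload; as=script\r\n"
    b"\r\n"
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Fri, 26 May 2017 10:02:11 GMT\r\n"
    b"Content-Length: 5\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"\r\n"
    b"hello"
)


def _read_head(buf: bytes, pos: int) -> Tuple[int, List[Tuple[str, str]], int]:
    """Parse one status line plus header block at pos; return (status, headers, next_pos)."""
    end = buf.index(b"\r\n\r\n", pos)
    lines = buf[pos:end].decode("latin-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers, end + 4


def read_response(buf: bytes) -> Dict[str, object]:
    """Collect Link hints from any 1xx interim responses, then return the final response."""
    hints: List[str] = []
    pos = 0
    while True:
        status, headers, pos = _read_head(buf, pos)
        if 100 <= status < 200:
            # Interim response: it has no body and another head follows it.
            hints += [v for k, v in headers if k == "link"]
            continue
        length = int(dict(headers).get("content-length", "0"))
        return {"status": status, "headers": headers,
                "early_hints": hints, "body": buf[pos:pos + length]}
```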
  27. TESTING HTTP/3 – DEMO
     ▸ https://http3.devalps.eu
     ▸ https://http3check.net/
     ▸ “HTTP Indicator” Chrome extension
     ▸ Dev tools will show “h3” as the protocol; right-click table header to enable
     ▸ Remember browser will connect via HTTP/2 first
  28. IS IT ACTUALLY FASTER?
     ▸ It depends 🙄
     ▸ It's difficult to measure
     ▸ Works best where its features make a difference:
     ▸ Low-bandwidth
     ▸ High congestion
     ▸ High latency
     ▸ Network switching
  29. HTTP/3 PROBLEMS
     ▸ Networks might block UDP
     ▸ Version discovery latency
     ▸ It’s new, so will have more bugs
     ▸ More is encrypted, makes it harder to diagnose network issues
  30. THE FUTURE OF QUIC
     ▸ QUIC deliberately dynamic spec
     ▸ Version 2 (RFC9369) mostly unchanged — actually version 0x6b3343cf!
     ▸ Mainly to exercise ability to update, prevent "ossification", like MIME
     ▸ Pluggable congestion control
     ▸ Other protocols over QUIC: DNS, SSH, WebTransport
     ▸ SMB in Windows 11 24H2 uses QUIC
  31. FURTHER READING
     ▸ My book: https://leanpub.com/thehttp3book/
     ▸ https://http1mustdie.com/
     ▸ https://www.debugbear.com/blog/http3-quic-protocol-guide
     ▸ https://http.dev/3
     ▸ Robin Marx at SmashingConf: https://vimeo.com/725331731
  32. SUMMARY
     ▸ Deploy services that support HTTP/3 & QUIC
     ▸ Open firewall and security groups for UDP/443
     ▸ Advertise HTTP/3 through DNS or HTTP headers
     ▸ Test, log, and monitor
     ▸ Profit
  33. THANK YOU
     ▸ @[email protected]
     ▸ @[email protected]
     ▸ GitHub: Synchro
     ▸ Sponsor me!
     ▸ https://marcus.bointon.com
     ▸ Buy my music!