QUIC: Google's New Secure UDP-Based Protocol

New submitter jshurst1 writes "Google has announced QUIC, a stream multiplexing protocol running over a new variation of TLS, as well as UDP. The new protocol offers connectivity with a reduced number of round trips, strong security, and pluggable congestion control. QUIC is in experiment now for Chrome dev and canary users connecting to Google websites."

Re:Don't trust 'em

[SolarCanine]

What exactly can be hidden in an open protocol specification that will compromise your personally sensitive data? By design, a protocol has to be something that people can actually implement to be useful - the payloads you send via that protocol are up to you (based on your choices of which pieces of software to use, etc.)

The always-present question for UDP

[i+kan+reed]

How do you stop a denial of service attack if both sides aren't required to maintain the overhead of the connection? TCP uses the overhead caused by ACK packets as a rate limiter on clients.

There are obviously high-bandwidth frameworks where you're already putting a strain on systems just by using them, where low-latency is also critical, and UDP is appropriate; video chat comes to mind, but outside of that very limited purview, what use could encrypting UDP actually do?

Re:The always-present question for UDP

How do you stop a denial of service attack if both sides aren't required to maintain the overhead of the connection

How do you stop it if someone does not bother to respect the rate limiter? You are assuming that someone doing something bad is going to play by the rules.

Not necessarily the right place

[Bruce+Perens]

I have no objection to protocol experiments that are 100% Open Source implementations. I wouldn't trust one that was not, and an Open Standard is just instructions for people who make implementations.

But it seems that a lot of this might belong in a system facility rather than the browser and server. I don't know if it makes sense to put all of TLS in the kernel, but at least it could go in its own process. Using UDP is fine for an experiment, but having 200 different ad-hoc network stacks each tied into their own application and all of them using UDP is not.

QUIC is more like TCP in these ways, exception to

[raymorris]

> Please, if you can't use SSL+TCP for text chat and keep it real time

They could have, but QUIC is "better" for their use cases. In many ways, it's like an improved version of TCP. It runs on top of UDP simply
because routers, firewalls, etc. often only speak TCP and UDP. From the FAQ:

> it is unlikely to see significant adoption of client-side TCP changes in less than 5-15 years. QUIC allows us to test and experiment with new ideas,
> and to get results sooner. We are hopeful that QUIC features will migrate into TCP and TLS if they prove effective.

> You can outright lose data. Your packets can arrive out of order. It's okay with video data where a hiccup only makes a few missing pixels,
> but with text, that's a terrible idea.

Unless of course the protocol you're running over UDP handles that stuff, just like TCP handles that stuff.
Normally, it's a bad idea to use UDP to run a protocol that has in-order packets, guaranteed delivery, etc. because TCP already gives you that.
Why re-invent TCP? Unless you're going to spend a few million dollars on R&D to make your UDP-based protocol actually be better than TCP,
you should just use TCP.

That "unless you're going to spend a few million dollars on R&D" is the key here. Google DID make the investment, so the protocol actually does
work better for the particular use than TCP does.

Re:Don't trust 'em

[hairyfeet]

Give it up friend, you can give 'em a page of citations but anything to do with Google or Apple gets a "doubleplus good" by default here, free thought isn't allowed.

I have to think these companies must laugh their asses off at board meetings, just looking at how many peasants will rush to defend them. Fuck that noise, i want somebody OTHER than a researcher on the payroll to tear this thing apart with a fine tooth comb before i trust jack shit from ANY of these major corps. I mean for fucks sake, hasn't ANYBODY been reading the headlines here for the past year? How many whistleblowers does it take before you figure out these corps like government green just as much as yours and will be happy to sell your asses out if the check is right?

For God's sake you'd think these people were stockholders by the way they rush to crush anything that doesn't read "Gee Bill, isn't (insert corp) great? Why it sure is Bob, why I heard they cured AGW and hunger in just an afternoon! How anybody could ever doubt (insert corp) is beyond me, they are so sweet and kind!"...If the future is corp ass kissing and flag waving, can i get a lift out of here please? i promise i have my towel ready.

Re:Don't trust 'em

[Stonefish]

It's "like" TLS, as in "its none dairy but it tastes just like milk".
Google's reason for doing this is to lower their costs associated with better security. This creates a 3 way instead of a 5 way exchange for the security protocol setup. Fewer connections less load on their stuff and less stuff they have to buy.

The security landscape is littered with security implementations which tried improve existing protocols. Just type in the terms WAP and security for a story on how to take a secure starting point SSL and bugger it.
Another is Microsoft's introduction of PKINIT for keberos, kerberos is a proveably security protocol which is limitied by the entropy in a users password, MS "fixed" this with PKINIT however they initroduced replay attach vectors precisely because they wanted fewer exchanges. BTW google seems to have done a better job in this regard +1 for google, -1 for MS.