Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Usage of constant value for GREASE transport parameter make quinn vulnerable to fingerprinting by quic transport parameters. #2057

Open
mstyura opened this issue Nov 20, 2024 · 1 comment
Labels
enhancement New feature or request

Comments

@mstyura
Copy link
Contributor

mstyura commented Nov 20, 2024

Currently quinn uses constant value as GREASE reserved random parameter.

// Add a reserved parameter to keep people on their toes
w.write_var(31 * 5 + 27);
w.write_var(0);

This make quinn client side users vulnerable to fingerprinting by predictable patterns during handshake. Thanks to ability to inject custom TLS backend like quinn-boring most of TLS handshake is configurable, except the content of quic transport parameters extension.

As a prevention actions I see the following steps:

  1. Generate random transport parameter, like it is done quic-go or quiche]: #2057: Use randomly generated GREASE transport parameter. #2058
  2. Make it optional: #2057: Option to disable sending GREASE random transport parameter. #2061
  3. Implement permutation of transport parameters, like it is done in quiche: #2057: Shuffle outgoing transport parameters. #2066
@Ralith Ralith added the enhancement New feature or request label Nov 20, 2024
@Ralith
Copy link
Collaborator

Ralith commented Nov 20, 2024

All three of those sound like nice improvements to me!

mstyura added a commit to mstyura/quinn that referenced this issue Nov 24, 2024
mstyura added a commit to mstyura/quinn that referenced this issue Nov 24, 2024
mstyura added a commit to mstyura/quinn that referenced this issue Nov 24, 2024
mstyura added a commit to mstyura/quinn that referenced this issue Nov 25, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request
Projects
None yet
Development

No branches or pull requests

2 participants