As of October 28, 2018, HTTP/3 is the official standard of the application protocol, which inevitably leads to a transition towards its universal use. Although it is not yet widespread in terms of the number of applications and websites, its impact is high, since widely known applications that account for a significant percentage of the communications circulating on the Internet, such as YouTube, WhatsApp or Facebook, already employ it. This new version brings an increase in transfer speed, reduced loading times and a more stable connection. But how is this accomplished?

HTTP/3 is based on the QUIC (Quick UDP Internet Connections) transport protocol, developed by Google to meet the need for lower delays and faster communications. It gets rid of the continuous exchanges in which sender and receiver check the success of their transmissions, simply sending the information without acknowledgements. Thus, the applications are responsible for requesting retransmission of the missing content, which reduces latency by optimizing the messages sent and improving the multiplexing of parallel connections.

With QUIC at the transport layer, HTTP/3 only supports encrypted connections, and these must use TLS 1.3. The reason for this specific version is that QUIC, the transport protocol, takes over the additional requests at the TLS level and, as we have seen in the previous paragraph, tries to keep the number of transactions to a minimum, considerably reducing traffic and communication latency.

It is in this scenario that communications auditors, both in enterprises and in research, face uncertainty about how to inspect traffic if the existing techniques and tools are no longer useful. It is therefore worth considering the path forward to continue auditing communications with the existing methodology.

The differences between HTTP/2, which can be encrypted with different TLS versions, and HTTP/3 come down to the exclusive use of TLS 1.3, which is already auditable, and to the use of QUIC, which takes over security functions. Wireshark is known to allow not only inspecting traffic traveling over QUIC, but also decrypting it. However, this is a manual process, whereas auditors expect tools that integrate traffic inspection into their scenario and allow logs to be extracted to analyze the results. The door is left open for future developments, frameworks and tools that manage to intercept HTTP/3 traffic, among which the arrival of the latest version of the Mitmproxy interception proxy is expected.
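Before any decryption, an audit pipeline first has to recognise which UDP flows carry QUIC at all. The following sketch is an added example, not code from the original post or from any tool it mentions: it parses the unencrypted QUIC long header, assuming the layout defined in RFC 8999 and RFC 9000 (QUIC version 1); the function names and the sample payloads are constructed for illustration.

```python
import struct

QUIC_V1 = 0x00000001
LONG_TYPES = {0: "Initial", 1: "0-RTT", 2: "Handshake", 3: "Retry"}  # QUIC v1 type bits

def parse_long_header(datagram: bytes):
    """Parse a QUIC long header from a UDP payload; return None if it is not one."""
    if len(datagram) < 7 or not datagram[0] & 0x80:
        return None  # too short, or a short header (which carries no version field)
    first = datagram[0]
    version = struct.unpack_from("!I", datagram, 1)[0]
    pos, cids = 5, []
    for _ in range(2):  # destination connection ID, then source connection ID
        if pos >= len(datagram):
            return None
        n = datagram[pos]
        pos += 1
        if pos + n > len(datagram):
            return None  # length byte points past the end of the datagram
        cids.append(datagram[pos:pos + n])
        pos += n
    if version == 0:
        kind = "Version Negotiation"
    elif version == QUIC_V1:
        # QUIC v1 sets the fixed bit (0x40) and limits connection IDs to 20 bytes
        if not first & 0x40 or max(len(c) for c in cids) > 20:
            return None
        kind = LONG_TYPES[(first >> 4) & 0x3]
    else:
        kind = "unknown version"
    return {"version": version, "type": kind,
            "dcid": cids[0].hex(), "scid": cids[1].hex()}

def quic_flows(samples):
    """Return (flow, header) for every sample whose payload parses as QUIC."""
    parsed = ((flow, parse_long_header(payload)) for flow, payload in samples)
    return [(flow, hdr) for flow, hdr in parsed if hdr is not None]

# Constructed UDP payloads (not captured traffic); addresses are documentation ranges.
INITIAL = bytes.fromhex("c00000000108010203040506070800" + "00" * 8)
HANDSHAKE = bytes.fromhex("e0000000010008a1a2a3a4a5a6a7a8" + "00" * 8)
DNS_QUERY = bytes.fromhex("1a2b01000001000000000000")
TRUNCATED = bytes.fromhex("c000000001080102")
SAMPLES = [("192.0.2.5:50000 > 203.0.113.10:443", INITIAL),
           ("203.0.113.10:443 > 192.0.2.5:50000", HANDSHAKE),
           ("192.0.2.5:53124 > 192.0.2.1:53", DNS_QUERY),
           ("192.0.2.5:50001 > 203.0.113.10:443", TRUNCATED)]
for flow, hdr in quic_flows(SAMPLES):
    print(flow, hdr)
```

Only the long header is readable without keys; short-header packets and all payloads stay encrypted, so this identifies QUIC flows for the audit log but does not inspect their HTTP/3 content.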

This post has been authored by Antonio Javier de Lucas, who is carrying out his undergraduate thesis entitled “Desarrollo e implementación de mecanismos de auditoría de comunicaciones cifradas en Android” under the supervision of José M. del Álamo.

About Jose M. Del Alamo

I am Associate Professor at UPM, affiliated with the Departamento de Ingeniería de Sistemas Telemáticos and the Information Processing and Telecommunications R&D Center. My research work focuses on issues related to privacy, identity and trust management, and considering these aspects to advance the software and systems engineering methodologies applying technological approaches by-design and by-default.

CC BY-NC-ND 4.0 Towards auditing HTTP/3 communications by jmdelalamo is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.
