With becoming the default in soon, everyone's talking about the efficiency improvements, however to me the privacy tradeoffs aren't worth the gains i.e. (Wikipedia):

"QUIC includes a connection identifier which uniquely identifies the connection to the server regardless of source. This allows the connection to be re-established simply by sending a packet, which always contains this ID, as the original connection ID will still be valid even if the user's IP address changes."

@MatejLach this is the equivalent of a source/destination ip/port 4-tuple when using http/2 (http with connection multiplexing). Assuming browsers treat that in the same way (don't share connection between normal and "private browsing" tabs for instance), it should change pretty much nothing to the current tradeoff. It is not supposed to be a persistent id resisting a browser restart, or any sort of super-cookie


@a000d4f7a91939d0e71df1646d7a48 What about VPNs? With HTTP/2 did the connection not get dropped when the IP and interface changed?

@MatejLach with HTTP/2, your connection would get dropped when going on or off of the VPN, with HTTP/3 it won't, with this id. Note however that with HTTP/2 (as for 1 and 1.1), this connection loss will make the browser reissue the same requests, including cookies (and possibly other identifying headers), so both sessions can be linked fairly easily by remote server. If using a VPN to hide your ip from a server, you should not go on and off your VPN, as it defeat the whole purpose.

@MatejLach I would recommend having a separate browser for VPN and non-VPN access to internet if you really want to do both

Sign in to participate in the conversation
Matej Lach's mastodon

The social network of the future: No ads, no corporate surveillance, ethical design, and decentralization! Own your data with Mastodon!