Cover image for DD11

What Is QUIC?

Table of Contents

Where QUIC Came From

QUIC started as a Google experiment in 2012. Engineers at Google were frustrated with TCP's limitations - specifically the multiple round trips required to establish a secure connection and the head-of-line blocking problem that plagued HTTP/2. They built a new transport protocol on top of UDP, tested it in Chrome, and gradually refined it based on real-world performance data.

By 2021, the IETF published RFC 9000, standardizing QUIC as an official internet protocol. The standardized version differs from Google's original in several ways, but the core idea remains: build a modern transport protocol that integrates encryption from the start and eliminates the performance penalties that TCP accumulated over four decades.

QUIC is not a minor tweak. It is a complete replacement for the TCP + TLS stack that has powered the web since the 1990s.

Why Not Just Fix TCP?

TCP was designed in the 1970s when reliability mattered more than speed. Every TCP connection starts with a three-way handshake (SYN, SYN-ACK, ACK). Adding TLS on top requires another round trip (or two, depending on the TLS version). That means a minimum of two to three round trips before any application data flows.

On a connection with 100ms latency, those round trips add 200-300ms of delay before the first byte of actual content arrives. On mobile networks with higher latency, this gets worse.

TCP also lives inside operating system kernels. Changing TCP behavior requires OS updates, which means waiting for vendors to implement, test, and ship changes. Middleboxes (firewalls, NATs, load balancers) inspect TCP headers and often break connections that use unfamiliar TCP options. This ossification makes TCP nearly impossible to evolve.

graph TD
    subgraph "TCP + TLS 1.3 Connection - 2 Round Trips"
        C1[Client] -->|SYN| S1[Server]
        S1 -->|SYN-ACK| C1
        C1 -->|ACK + TLS ClientHello| S1
        S1 -->|TLS ServerHello + Finished| C1
        C1 -->|Application Data| S1
    end
    subgraph "QUIC Connection - 1 Round Trip"
        C2[Client] -->|QUIC Initial + TLS ClientHello| S2[Server]
        S2 -->|QUIC Handshake + TLS ServerHello| C2
        C2 -->|Application Data| S2
    end

TCP plus TLS requires two round trips minimum - QUIC combines transport and encryption into one

QUIC sidesteps all of these problems by running over UDP. UDP is a minimal protocol - it provides port numbers and a checksum, nothing else. All the reliability, flow control, and congestion control logic lives in QUIC itself, implemented in userspace rather than the kernel. This means QUIC can be updated through application updates (like browser releases) without waiting for OS patches.

The QUIC Handshake

QUIC integrates TLS 1.3 directly into its handshake. There is no separate transport handshake followed by a security handshake - they happen simultaneously in a single round trip.

The client sends a QUIC Initial packet containing the TLS ClientHello. The server responds with its own Initial packet containing the TLS ServerHello and encrypted extensions. After this single round trip, both sides have negotiated encryption keys and can begin sending encrypted application data.

This is fundamentally different from TCP, where the transport connection must be established first, and only then can TLS negotiate encryption. QUIC saves an entire round trip on every new connection.

0-RTT Resumption

When a client has previously connected to a server, QUIC supports 0-RTT resumption. The client caches the server's transport parameters and TLS session ticket from the previous connection. On reconnect, the client can send application data in the very first packet - before the server even responds.

This means repeat connections to a website can start transferring data with zero round trips of delay. The page begins loading immediately.

graph TD
    subgraph "First Connection - 1 RTT"
        A1[Client sends Initial] --> A2[Server responds with Handshake]
        A2 --> A3[Client sends data after 1 RTT]
        A3 --> A4[Server caches session ticket]
    end
    subgraph "Repeat Connection - 0 RTT"
        B1[Client sends Initial + Early Data] --> B2[Server processes early data immediately]
        B2 --> B3[Data flows with zero wait]
        B3 --> B4[Full handshake completes in parallel]
    end

0-RTT lets repeat visitors send data in the first packet - no waiting for server response

There is a security trade-off: 0-RTT data can be replayed by an attacker who captures the initial packet. For this reason, servers should only accept 0-RTT data for idempotent requests (like GET requests for web pages) and reject it for state-changing operations.

Connection Migration

TCP connections are identified by a four-tuple: source IP, source port, destination IP, destination port. If any of these change - for example, when your phone switches from WiFi to cellular - the TCP connection breaks. The application must detect the failure, establish a new TCP connection, perform a new TLS handshake, and resume whatever it was doing.

QUIC connections are identified by connection IDs, not IP addresses. When your phone switches networks, QUIC updates the IP address but keeps the same connection ID. The connection continues without interruption. No new handshake, no retransmission of data already acknowledged, no application-level reconnection logic.

This is particularly valuable for mobile users who move between WiFi and cellular networks regularly. Video calls, downloads, and streaming sessions can survive network transitions seamlessly.

Multiplexing Without Head-of-Line Blocking

HTTP/2 introduced multiplexing - sending multiple requests and responses over a single TCP connection. But TCP treats all data as a single ordered byte stream. If one packet is lost, TCP stalls delivery of all data on that connection until the lost packet is retransmitted. This is head-of-line (HOL) blocking.

Imagine downloading a CSS file, a JavaScript file, and an image over one HTTP/2 connection. If a packet belonging to the image is lost, TCP blocks delivery of the CSS and JavaScript data too, even though their packets arrived successfully. Everything waits for that one lost packet.

graph TD
    subgraph "HTTP/2 over TCP - Head-of-Line Blocking"
        T1[Stream 1 - CSS] --> T2[Stream 2 - JS]
        T2 --> T3[Stream 3 - Image]
        T3 --> T4[Packet loss on Stream 3]
        T4 -->|ALL streams blocked| T5[Wait for retransmit]
        T5 --> T6[All streams resume]
    end
    subgraph "HTTP/3 over QUIC - Independent Streams"
        Q1[Stream 1 - CSS delivers] --> Q2[No blocking]
        Q3[Stream 2 - JS delivers] --> Q2
        Q4[Stream 3 - Image waits] --> Q5[Only Stream 3 blocked]
        Q5 --> Q6[Stream 3 resumes after retransmit]
    end

TCP blocks all streams when one packet is lost - QUIC only blocks the affected stream

QUIC implements streams as a first-class concept within the protocol. Each stream is independently flow-controlled and retransmitted. A packet loss on one stream does not affect any other stream. This eliminates HOL blocking entirely.

Security Properties

QUIC mandates TLS 1.3 - there is no unencrypted mode. Every QUIC connection is encrypted from the start, including most of the transport headers. With TCP, headers like sequence numbers, acknowledgment numbers, and window sizes are visible to anyone who can observe the traffic. Network middleboxes routinely inspect and sometimes modify these headers.

QUIC encrypts nearly everything. Only the connection ID and some flags in the packet header are visible. This prevents middleboxes from interfering with the protocol and makes it harder for network observers to correlate packets to specific connections or track users across networks.

Connection IDs also provide a privacy benefit. A server can issue new connection IDs to a client, allowing the client to change its visible connection ID after a network migration. This makes it harder for on-path observers to link the old and new network paths to the same connection.

Adoption in 2026

QUIC adoption has been steady since standardization. Chrome, Firefox, Safari, and Edge all support QUIC. On the server side, Cloudflare, Google, Meta, and most major CDNs serve traffic over QUIC. Estimates suggest that roughly 30-40% of all web traffic now uses QUIC.

However, adoption is not universal. Some enterprise networks block UDP traffic on non-standard ports, which can prevent QUIC from working. In these cases, browsers fall back to TCP + TLS automatically. Some network monitoring tools and intrusion detection systems have been slow to add QUIC parsing support, creating visibility gaps for security teams.

QUIC and Network Monitoring

QUIC creates challenges for network monitoring. Traditional tools that rely on TCP header inspection cannot parse QUIC traffic. Deep packet inspection (DPI) systems that identified applications by analyzing TLS handshakes over TCP need updates to handle QUIC's combined handshake.

For security professionals, QUIC traffic appears as UDP packets on port 443. Without QUIC-aware tooling, it is difficult to distinguish QUIC web traffic from other UDP-based protocols or even from tunneled malicious traffic.

Understanding network protocols - from the physical layer up through transport protocols like QUIC - is foundational for anyone working in network security. Tools like the BLEShark Nano help you explore the wireless protocols that share the same 2.4GHz spectrum where WiFi (and by extension, the networks carrying QUIC traffic) operates.

Get the BLEShark Nano - $36.99+
Back to blog

Leave a comment