TLS and QUIC: A Masochist’s Guide

submitted by
Style Pass
2025-07-30 16:30:04

I hope you’re having a great day. The sun is about to shine brighter. I was inspired by Helios himself to write about the riveting topic of TLS and QUIC.

In my opinion, the most difficult part about QUIC is setting up a different protocol. QUIC requires TLS. There’s no way to disable encryption and only some clients let you circumvent certificate validation. If you screw it up, you’ll get a scary WARNING screen and users won’t be able to connect.

Most of this guide applies to HTTPS in general, which makes sense, as HTTP/3 uses QUIC. The same goes for WebTransport, since it's layered on top of HTTP/3, but there are some important distinctions at the end…

I’m not a security engineer but I have dabbled in the low-level protocols. For some unbeknownst reason, I’ve implemented both DTLS 1.2 (for WebRTC) and TLS 1.3 (for QUIC)… in Go. Both were undoubtedly insecure but somehow passed the security audit and served production traffic at Twitch. But then I left and those servers rightfully got the rm -rf treatment.

When in doubt, always refer to the nerds who take security seriously and use the correct terminology. I understand a lot of the security primitives but I don’t exactly have the LinkedIn Professional Certificates to back it up.
