Enable QUIC protocol in Google Chrome

Mattias Geniar, Friday, July 29, 2016

Google has support for the QUIC protocol in the Chrome browser, but it's only enabled for their own websites by default. You can enable it for use on other domains too -- assuming the webserver supports it. At this time, it's a setting you need to explicitly enable.

To start, open a new tab and go to chrome://flags/. Find the Experimental QUIC protocol and change the setting to Enabled. After the change, restart Chrome.

chrome_quic_support_setting

To find out of QUIC is enabled in your Chrome in the first place, go to chrome://net-internals/#quic.

In my case, it was disabled (which is the "default" value).

chrome_quic_internals_enabled

After changing the setting to enable QUIC support and restarting Chrome, the results were much better.

chrome_quic_internals_status_enabled

On the same page, you can also get a live list of which sessions are using the QUIC protocol. If it's enabled, it'll probably only be Google services for now.

chrome_quic_internals_sessions

I'm working on a blogpost to explain the QUIC protocol and how it compares to HTTP/2, so stay tuned for more QUIC updates!



Hi! My name is Mattias Geniar. I'm a Support Manager at Nucleus Hosting in Belgium, a general web geek & public speaker. Currently working on DNS Spy & Oh Dear!. Follow me on Twitter as @mattiasgeniar.

Share this post

Did you like this post? Will you help me share it on social media? Thanks!

Comments

Hanno Friday, July 29, 2016 at 14:35 - Reply

Hi, just some clarification here why Chrome does not support QUIC for arbitrary pages:
There is a variant of the DROWN attack that affects QUIC. This is always a potential issue if there is any other host using the same key that supports SSLv2. As there is no easy way for Chrome to know if that’s the case they only enable it for a few domains where they are sure nobody is using SSLv2. Therefore what you’re proposing may enable some (albeit expensive) attacks.
The interactions here are relatively complicated, a host doesn’t even have to offer QUIC itself to be vulnerable. Read the DROWN paper for details: https://drownattack.com/

This is only an intermediate situation, my understanding is that future versions of QUIC should include protections against these kinds of attacks and then it can be enabled again for everyone.


Mattias Geniar Friday, July 29, 2016 at 17:30 - Reply

Ow, very good point Hanno – thanks for letting me know!


Šime Vidas Monday, August 1, 2016 at 05:06 - Reply

On Windows 10, QUIC seems to be enabled by default in Chrome. (At least it is for me.)


Mattias Geniar Monday, August 1, 2016 at 08:14 - Reply

If you’re testing towards Google services like google.com and YouTube, it’s indeed enabled. Those domains are on the whitelist of the Chrome browser, so it can/will use QUIC.

If you want to test it on a non-whitelisted domain, you’ll need to enable it separately.


Šime Vidas Monday, August 1, 2016 at 19:18 - Reply

I meant, with the flag set to “Default”, I see “QUIC Enabled: true” on the network internals page. I’m not sure why that is.


Didier Misson Friday, August 26, 2016 at 06:03 - Reply

Bonsoir
Je découvre QUIC. Je l’ai activé sur mon Chromium (Ubuntu 16.04. LTS).
Je ne vois aucune session QUIC (seulement du HTTP/2) sur les sites Google, Docs, Youtube, etc

J’ai loupé quelque chose ?
C’est pour info, car QUIC est encore largement expérimental…
;-)


Leave a Reply

Your email address will not be published. Required fields are marked *