Built on top of UDP, the relatively new QUIC protocol serves as the baseline for modern web protocol stacks. Equipped with a rich feature set, the protocol is defined by a 151 pages strong IETF standard complemented by several additional documents. Enabling fast updates and feature iteration, most QUIC implementations are implemented as user space libraries leading to a large and fragmented ecosystem. This work addresses the research question, "if a complex standard with a large number of different implementations leads to an insecure ecosystem?". The relevant RFC documents were studied and "Security Consideration" items describing conceptional problems were extracted. During the research, 13 popular production ready QUIC implementations were compared by evaluating 10 security considerations from RFC9000. While related studies mostly focused on the functional part of QUIC, this study confirms that available QUIC implementations are not yet mature enough from a security point of view.

翻译：基于UDP构建的相对新兴的QUIC协议，已成为现代网络协议栈的基础。该协议具备丰富的功能特性，由一份长达151页的IETF标准以及若干补充文档定义。为实现快速更新和功能迭代，多数QUIC实现采用用户空间库的形式，形成了庞大且碎片化的生态系统。本研究旨在探讨一个研究问题："一个拥有大量不同实现的复杂标准是否会导致不安全的生态系统？"我们研究了相关的RFC文档，并提取了描述概念性问题的"安全注意事项"条目。在研究过程中，通过评估RFC9000中的10项安全注意事项，对13种流行的可用于生产的QUIC实现进行了比较。尽管相关研究主要关注QUIC的功能部分，本研究证实现有QUIC实现在安全性方面尚未成熟。