Date of Award

Spring 6-5-2026

Document Type

Thesis (Undergraduate)

Department

Computer Science

First Advisor

Sergey Bratus

Abstract

HTTP/3 introduces QPACK, a header compression scheme that maintains exactly one encoder state per connection, a design that implicitly assumes each backend connection carries traffic from a single client. In proxy deployments where a single backend QUIC connection is reused across multiple clients, this assumption breaks down because multiple clients may have their headers indexed in the same table. Our research demonstrates through experimentation that an attacker who is also a client of such a proxy can exploit this shared state through a request round-trip timing side-channel to infer properties of other clients’ traffic without any privileged access. The results show that backend connection reuse in HTTP/3 proxy deployments, while not prohibited by any current specification, carries meaningful and previously undocumented privacy implications for clients using such proxies.

Available for download on Saturday, June 05, 2027

Share

COinS