Hacker News new | ask | show | jobs
by filleokus 616 days ago
If I were to guess, it's to allow Google freedom in experimenting with changes to QUIC, since they control both the client and large server endpoints (Google Search, Youtube etc).

They can easily release a sightly tweaked QUIC version in Chrome and support it on e.g Youtube, and then use metrics from that to inform proposed changes to the "real" standard (or just continue to run the special version for their own stuff).

If they were to allow custom certificates, enterprises using something like ZScaler's ZIA to MITM employee network traffic, would risk to break when they tweak the protocol. If the data stream is completely encrypted and opaque to middleboxes, Google can more or less do whatever they want.

Kinda related: https://en.wikipedia.org/wiki/Protocol_ossification
1 comments
dstroot 616 days ago
Companies that use something like Zscaler would be highly likely to block QUIC traffic to force it onto TCP.
link
josephg 616 days ago
That’s exactly what Google is hoping will happen. If QUIC is blocked entirely, there’s no risk that small tweaks to the quic protocol will break Google’s websites for any companies using these tools.
link
tecleandor 616 days ago
Well, my company is doing it already. They split VPN traffic depending on the target domain (mostly for benign reasons), and that can't do it with QUIC, so they have to block QUIC traffic.
link
account42 613 days ago
What benign reason could there possibly be that isn't better based on IP addresses rather than domains.
link
tecleandor 610 days ago
When this kind of VPN clients do split traffic based on domains, they do it with some tricks, either via DNS or capturing traffic on the browser, or similar things.

But for doing split VPN with IP addresses they need to create an IP route in the VPN client. If you just have a couple IPs, it's fine, but if you have a couple hundred targets, you're gonna break some guys Windows or Mac machine sending that huge routing table.

Also, there are targets that change IP addresses. For example, AWS Elastic Load Balancers change IP addresses sometimes (if nothing have changed in the last years, haven't deployed ELBs in a while...).

link