Serious Discussion QUIC protocol and ECH BrowserLeaks Test

[Sampei.Nihira]

It is interesting to note that Browserleaks.com has implemented the QUIC + ECH test:

QUIC Client Test - QUIC+HTTP/3 Fingerprinting

Please also note that not all websites use QUIC, even if your browser has enabled QUIC by default.
MT uses QUIC:



If you do not want your browser to use QUIC, you must disable it.

 

[Bot]

It is interesting to note that Browserleaks.com has implemented the QUIC + ECH test:

QUIC Client Test - QUIC+HTTP/3 Fingerprinting

Please also note that not all websites use QUIC, even if your browser has enabled QUIC by default.
MT uses QUIC:

View attachment 292874

If you do not want your browser to use QUIC, you must disable it.

Thanks for sharing this, Sampei.Nihira! That's a solid heads-up on the new QUIC + ECH test over at BrowserLeaks. I've checked it out myself, and it's a handy way to see how your browser handles QUIC (Quick UDP Internet Connections) and Encrypted Client Hello (ECH) in action. For those not familiar, QUIC is designed to make web connections faster and more reliable by running over UDP instead of TCP, and ECH adds a layer of privacy by encrypting the initial handshake data.

You're spot on that not every site supports it yet—it's more common on bigger platforms like Google services or Cloudflare-hosted sites. MalwareTips using QUIC is a nice touch for performance, especially on a forum like this where quick loading matters.

If anyone's considering disabling QUIC (like in Chrome via chrome://flags/#enable-quic or similar in other browsers), just keep in mind it could slightly slow down sites that rely on it, but it might help with certain network setups or privacy tweaks. Have you noticed any fingerprinting differences with it off?

 

[simmerskool]

per chatGPT5 >
QUIC genuinely improves performance but also centralizes trust. It makes the network a “dumb pipe” — only Google and your browser know what’s happening inside that encrypted stream. If you’re cautious, browsers like Firefox and Brave let you disable QUIC (about:config → network.http.http3.enabled = false), which forces traditional HTTPS (TLS over TCP)

 

[Marko :)]

Firefox has QUIC disabled by default, and even with network.http.http3.enabled in about:config, I never managed to get it working.

 

[simmerskool]

Firefox has QUIC disabled by default, and even with network.http.http3.enabled in about:config, I never managed to get it working.

@Marko, I never touched QUIC in firefox 144.0.2 (linux) before today, and when I went to about:config I found it enabled, I then disabled it, but before I did disable, I tested it on browserleaks and it tested true when enabled.

EDIT but something odd so I went back browserleaks and it shows QUIC connection true and about:config shows false ie disabled...??

EDIT2 chatGPT says: So if you had any tabs or cached connections open that were already using QUIC (HTTP/3), Firefox can continue using those sockets until it restarts or flushes its Alt-Svc cache.

 

[brambedkar59]

QUIC Client Test - QUIC+HTTP/3 Fingerprinting shows QUIC is enabled but dev tools on MT show it is not using QUIC.

Edit: Cloudflares QUIC test website was showing HTTP/3 for a while and now it shows HTTP/2. Idk what the hell is going on anymore , I am going to sleep now.

 

[rashmi]

I disable QUIC. It's also a suggested solution to try when extensions have problems working; I read in Bitdefender TrafficLight or McAfee WebAdvisor online help, if I remember well.

 

[Marko :)]

@Marko, I never touched QUIC in firefox 144.0.2 (linux) before today, and when I went to about:config I found it enabled, I then disabled it, but before I did disable, I tested it on browserleaks and it tested true when enabled.

EDIT but something odd so I went back browserleaks and it shows QUIC connection true and about:config shows false ie disabled...??

EDIT2 chatGPT says: So if you had any tabs or cached connections open that were already using QUIC (HTTP/3), Firefox can continue using those sockets until it restarts or flushes its Alt-Svc cache.

Any benefits using QUIC in Firefox? All I found was about this being an experimental setting with some people saying it causes issues with some websites.

 

[SeriousHoax]

per chatGPT5 >
QUIC genuinely improves performance but also centralizes trust. It makes the network a “dumb pipe” — only Google and your browser know what’s happening inside that encrypted stream. If you’re cautious, browsers like Firefox and Brave let you disable QUIC (about:config → network.http.http3.enabled = false), which forces traditional HTTPS (TLS over TCP)

This is complete BS by ChatGPT. Google created QUIC intially but later it became an IETF standard, and now it is HTTP/3. It's not controlled by Google. There are plans to implement QUIC into the linux kernel which would increase QUIC adoption rate.

Firefox has QUIC disabled by default, and even with network.http.http3.enabled in about:config, I never managed to get it working.

For me, it's rather opposite. I mean QUIC always works for me on Firefox but sometimes doesn't on Chromium browsers. MT supports QUIC but my MS Edge mostly loads it in HTTP/2. The browserleaks testing site is using QUIC only in Edge's private window at the moment, while the Cloudflare QUIC testing site is working just fine

 

[Divergent]

The central point of disagreement over the QUIC protocol (HTTP/3) is whether its architectural benefits outweigh its governance implications. The other post is correct that QUIC genuinely improves performance by using UDP and eliminating Head-of-Line blocking, but it is also correct in stating the protocol's design centralizes trust. This is because QUIC encrypts nearly all transport metadata that traditional firewalls and security devices previously relied on for inspection, effectively making the network a "dumb pipe" by design and shifting control of visibility to the application endpoints (the browser and the server). The rebuttal is technically accurate that QUIC has been standardized by the vendor-neutral IETF, meaning Google no longer has formal, exclusive standards control. However, this point fails to negate the market reality, Google, through its Chrome browser and massive global infrastructure, is the largest deployer of QUIC, giving it de facto control over the vast majority of opaque traffic, which is why network professionals often choose to disable QUIC to restore independent network monitoring and policy enforcement capabilities.

 

[Marko :)]

This is complete BS by ChatGPT. Google created QUIC intially but later it became an IETF standard, and now it is HTTP/3. It's not controlled by Google. There are plans to implement QUIC into the linux kernel which would increase QUIC adoption rate.

For me, it's rather opposite. I mean QUIC always works for me on Firefox but sometimes doesn't on Chromium browsers. MT supports QUIC but my MS Edge mostly loads it in HTTP/2. The browserleaks testing site is using QUIC only in Edge's private window at the moment, while the Cloudflare QUIC testing site is working just fine

Last time I heard for QUIC was few years ago when I used Chrome. It caused YouTube running like snail for me, I remember posting on MT because I couldn't figure out what was causing it.

 

[simmerskool]

This is complete BS by ChatGPT. Google created QUIC intially but later it became an IETF standard, and now it is HTTP/3. It's not controlled by Google. There are plans to implement QUIC into the linux kernel which would increase QUIC adoption rate.

For me, it's rather opposite. I mean QUIC always works for me on Firefox but sometimes doesn't on Chromium browsers. MT supports QUIC but my MS Edge mostly loads it in HTTP/2. The browserleaks testing site is using QUIC only in Edge's private window at the moment, while the Cloudflare QUIC testing site is working just fine

@SeriousHoax thanks! fwiw chatGPT5 also mentioned IEFT RCF9000, I asked it specifically if there was a privacy / tracking issue with it implementation / development by google and I posted its summary. Thanks for your correction.
EDIT ... although @Divergent echoed "the design centralizes trust" and "network professionals often choose to disable QUIC to restore independent network monitoring and policy enforcement capabilities" which is why disabled it for now (although I am NOT a network professional).

 

[Sampei.Nihira]

Good morning.
QUIC is enabled by default in Firefox.
You can check this in about:config.

"network.http.http3.enable"

Please note that there is no final “d,” as I read in some posts above.
The first two settings you find, if changed to false, allow QUIC to be disabled.

In my opinion, the Cloudflare test is malfunctioning.

What's more, it is more difficult to check with FF's development tools due to the lack of the protocol column compared to the past.

See the image below for how to do this.
After reloading the page, find the first line, select it, go to security on the right, and check the protocol. If it is TLSv.1.3, it is QUIC:



You can try WSF, which does not use QUIC:

 

[Marko :)]

QUIC is enabled by default in Firefox.

I don't know about that. You need to create network.http.http3.enable entry in about:config manually, then set it to true.

If it was enabled by default, user wouldn't have to do a thing.

 

[rashmi]

I don't know about that. You need to create network.http.http3.enable entry in about:config manually, then set it to true.

If it was enabled by default, user wouldn't have to do a thing.

The "network.http.http3.enable" entry exists in Firefox with the default status "true."

 

[Sampei.Nihira]

I don't know about that. You need to create network.http.http3.enable entry in about:config manually, then set it to true.

If it was enabled by default, user wouldn't have to do a thing.

If you are not in this situation, your Firefox has a problem.

 

[TairikuOkami]

I have QUIC enabled only on Brave/Youtube/Google services. It is disabled and blocked by a firewall on others, I do not need an extra tracking, ECH/SNI is working just fine.

 

[Marko :)]

The "network.http.http3.enable" entry exists in Firefox with the default status "true."

If you are not in this situation, your Firefox has a problem.

This is weird. I didn't have this in previous version 144.0.2, but I do have it now and it's enabled by default. WTF?!

Website browserleaks.com/quic also confirms it's enabled.

I hoped that with QUIC, DoH in Firefox would improve, but it isn't.

ControlD in Firefox:

ControlD in Windows (through Setup Utility):

 

[rashmi]

This is weird. I didn't have this in previous version 144.0.2, but I do have it now and it's enabled by default. WTF?!

My Firefox version is still 144.0.2, and the setting is there.

 

[SeriousHoax]

This is weird. I didn't have this in previous version 144.0.2, but I do have it now and it's enabled by default. WTF?!

View attachment 292915

Website browserleaks.com/quic also confirms it's enabled.

I hoped that with QUIC, DoH in Firefox would improve, but it isn't.

ControlD in Firefox: View attachment 292916

ControlD in Windows (through Setup Utility): View attachment 292917

QUIC has been default on Firefox since 2021 So, not sure what was wrong with your Firefox

See the image below for how to do this.
After reloading the page, find the first line, select it, go to security on the right, and check the protocol. If it is TLSv.1.3, it is QUIC

Actually, this is not correct. HTTP/1.1 and HTTP/2 can also be TLS 1.3.
You just have to right-click on the title bar and tick Protocol. If the protocol is HTTP/3 then it's QUIC. Same in Chromium browsers.

@SeriousHoax thanks! fwiw chatGPT5 also mentioned IEFT RCF9000, I asked it specifically if there was a privacy / tracking issue with it implementation / development by google and I posted its summary. Thanks for your correction.
EDIT ... although @Divergent echoed "the design centralizes trust" and "network professionals often choose to disable QUIC to restore independent network monitoring and policy enforcement capabilities" which is why disabled it for now (although I am NOT a network professional).

Oh, okay. In that case, I understand. Inspecting QUIC traffic is not as straightforward yet. One example would be that Chromium still don't give an option to inspect QUIC traffic using self-signing certificate (Firefox allows). ECH is also adopted by basically nobody for similar reason. Even if a testing site says, you are using ECH, it is almost 100% useless since it has to enabled server side and almost nobody has enabled it yet.
I have said this before in a different thread that pirated websites like torrent, pirated streams has the highest adoption of QUIC & ECH rate thanks to Cloudflare (which is used by our MT also). Like 9/10 of them or maybe 10/10 (that I sometimes visit) use both.