VYPR
Advisory · Published Jun 17, 2026 · 1 source

QUIC Bypass Exposes CASB Enforcement Gap: Chrome Defeats Web Block Policies Over UDP

A guest diary reveals a critical blind spot in Cloud Access Security Broker (CASB) enforcement: QUIC (HTTP/3) runs over UDP, which most CASBs cannot inspect, allowing Chrome to circumvent block policies undetected.

Security teams relying on Cloud Access Security Brokers (CASBs) to block access to unauthorized websites may be operating under a false sense of security. A guest diary submitted by Varun Murdula to the SANS Internet Storm Center details a fundamental enforcement gap: QUIC, the transport protocol behind HTTP/3, runs over User Datagram Protocol (UDP), which most CASBs cannot inspect. When Chrome establishes a QUIC connection to a server marked as blocked, the traffic bypasses the CASB entirely—and nothing appears in the logs.

The root cause lies in how proxy-based CASBs were designed. These tools inspect web traffic by intercepting TCP connections, decrypting TLS, applying policy, and re-encrypting the traffic before forwarding it. QUIC, originally developed by Google and later standardized by the IETF, was built for speed and reliability over UDP, not for compatibility with legacy inspection architectures. Chrome learns which servers support QUIC via Alt-Svc response headers or DNS HTTPS records (RFC 9460) and will automatically prefer QUIC when available. The CASB never sees a TCP connection for that session, so its block rule never fires.

Murdula tested five browsers on a managed endpoint with an active CASB policy and confirmed the gap consistently. The finding is not hypothetical—Palo Alto Networks explicitly recommends blocking QUIC in its internet gateway security best practices, and Forcepoint has published an advisory noting that QUIC traffic from Chrome, Edge, Brave, Firefox, and Safari may not be intercepted. Cloudflare’s gateway documentation also acknowledges that direct QUIC connections can bypass its proxy.

The impact is significant for organizations using CASBs to enforce data-loss prevention policies, particularly those blocking personal cloud storage, unauthorized file-sharing tools, or generative AI chatbots. An employee using Chrome on a managed device can reach any QUIC-enabled destination the CASB is supposed to block, and the security team will see no evidence in the logs. The tool reports that the block is in effect, but the traffic flows freely over a UDP path the CASB never inspects.

MITIGATION STEPS: Security teams can close this gap by disabling QUIC in enterprise browsers via Group Policy. Google Chrome and Microsoft Edge both support a 'QuicAllowed' policy that can be set to false. Alternatively, organizations can deploy a network firewall capable of blocking outbound UDP on port 443 or specifically dropping QUIC traffic at the perimeter. Palo Alto Networks provides specific guidance for its Next-Generation Firewalls to inspect or block QUIC. Notably, disabling QUIC in Chrome does not affect HTTP/2 or HTTP/1.1, which remain available over TCP, so the browser simply falls back to the connections the CASB can inspect.

The broader lesson is that enterprise security tools designed around TCP-based inspection are increasingly outmatched by modern protocols that prioritize performance over inspectability. As HTTP/3 adoption grows—currently used by over 30% of the top 10 million websites—the scope of this blind spot will only widen. Security teams must test their own environments, verify whether QUIC bypasses their CASB, and apply the recommended mitigations before a real policy violation goes undetected.

Synthesized by Vypr AI