Cloudflare has announced (opens in new tab) that all websites and APIS served through its platform will now support a post-quantum hybrid key agreement.
The service, which is now in beta, strives to protect encrypted internet traffic from computers powerful enough to break today’s encryption – quantum computers.
The new is on by default, meaning there’s no need for an opt-in: if the browser/app supports it, the connection to Cloudflare’s network will be secure from any future quantum computers trying to break the encryption and eavesdrop on the transitioning traffic such as passwords (opens in new tab).
Quantum computers on the horizon
The service is also free of charge, the company said, adding that post-quantum security “should be the new baseline for the Internet”.
We’re still a long way from a fully-functioning, commercial-oriented quantum computer that could be used for such nefarious purposes. In fact, Cloudflare doesn’t expect such a device to be around before 2037 at the earliest. But it has decided to integrate post-quantum encryption solutions to get ahead of the curve and have enough time to solve any problems and weaknesses that might come along – and the company is expecting at least some.
“Even though the protocols used to secure the Internet are designed to allow smooth transitions like this, in reality, there is a lot of buggy code out there: trying to create a post-quantum secure connection might fail for many reasons — for example, a middlebox being confused about the larger post-quantum keys and other reasons we have yet to observe because these post-quantum key agreements are brand new,” the company said.
“It’s because of these issues that we feel it is important to deploy post-quantum cryptography early, so that together with browsers and other clients we can find and work around these issues.”
Cloudflare also added that the solution will be something of a hybrid, as it eases into the transition: “To start, this is new cryptography: even with years of scrutiny, it is not inconceivable that a catastrophic attack might still be discovered. That is why we are deploying hybrids: a combination of a tried and tested key agreement together with a new one that adds post-quantum security.”
