It will be interesting to compare PQ rollout to HTTPS rollout historically (either the "SSL becomes widespread in 2015" thing, or the deprecation of SSL 3.0). Cloudflare is in an easy position to do stuff like this because it can decouple end user/browser upgrade cycles from backend upgrade cycles.
Some browsers and some end user devices get upgraded quickly, so making it easy to make it optionally-PQ on any site, and then as that rollout extends, some specialty sites can make it mandatory, and then browser/device UX can do soft warnings to users (or other activity like downranking), and then at some point something like STS Strict can be exposed, and then largely become a default (and maybe just remove the non-PQ algorithms entirely from many sites).
I definitely was on team "the risks of a rushed upgrade might outweigh the risks of actual quantum breaks" until pretty recently -- rushing to upgrade has lots of problems always and is a great way to introduce new bugs, but based on the latest information, the balance seems to have shifted to doing an upgrade quickly.
Updating websites is going to be so much easier than dealing with other systems (bitcoin probably the worst; data at rest storage systems; hardware).
If any kind of proof about serious quantum computers comes to light, browsers can force most websites' hand by marking non-PQ ciphers as insecure.
Maybe it'll require TLS 1.4/QUIC 2, with no changes but the cipher specifications, but it can happen in two or three years. Certificates themselves don't last longer than a year anyway. Corporations running ancient software that doesn't support PQ TLS will have the same configuration options to ignore the security warnings already present for TLS 1.0/plain HTTP connections.
The biggest problem I can imagine is devices talking to the internet no longer receiving firmware updates. If the web host switches protocols, the old clients will start dying off en masse.
Leaf certificates don't last long, but root CAs do. An attacker can just mint new certs from a broken root key.
Hopefully many devices can be upgraded to PQ security with a firmware update. Worse than not receiving updates, is receiving malicious firmware updates, which you can't really prevent without upgrading to something safe first.
> An attacker can just mint new certs from a broken root key.
In Chrome at the very least, the certificate not being in the certificate transparency logs should throw errors and report issues to the mothership, and that should detect abuse almost instantly.
You'd still be DoSing an entire certificate authority because a factored CA private key means the entire key is instantly useless, but it wouldn't allow attacks to last long.
When you connect, you specify supported ciphers. If the server doesn't support them, there's a standard "insufficient security" (71) error that has been there since at least TLS 1.0, maybe earlier.
They are slower, larger, and less tested. Specifically the hope was to develop hybrids that could also provably be more pre-quantum secure than what they are replacing. History does not favour rushing cryptography.
They are large, but they're not that slow actually. We've been testing them for almost a decade now. I agree that rushing is bad. That's why we need to start moving now, so that we're not rushing even closer to the deadline.
Waiting now means rushing even closer to the deadline! We added stats on origin support for post-quantum encryption. Not as much support as browsers of course, but better than I expected. Still a long road (and authentication!). https://radar.cloudflare.com/post-quantum
> Updating websites is going to be so much easier than dealing with other systems (bitcoin probably the worst; data at rest storage systems; hardware).
Does it? That one is different because IPv4 with CGNAT largely "just works" except for P2P type stuff. As a result there's a strong incentive for anyone who has a working setup to just not care.
I can use myself as an example here. IPv6 is supported by all my hardware, all the software I use, and my ISP provides it. Yet my LAN intentionally remains IPv4 only with NAT. Why? Because adding IPv6 to my LAN would require nonzero effort on my part and has (at least for now) quite literally zero upside for me. If I ever need something it offers I will switch to it but that hasn't happened yet.
PQC is entirely different in that the existence of a CRQC immediately breaks the security guarantee.
Seeing that many are already moving to QC-resistant cryptography and that more are shifting by the day... I've got a question: what are the implications of quantum computers going to be if we consider that the entirety of cryptography will have moved to quantum-resistant cryptography?
In other words: I only ever read about quantum computing when it's to talk about breaking cryptography. But what if all cryptography moves to quantum-resistant schemes, all of it... Then what are the uses of quantum computing? Protein folding? Logistics?
Basically, so far, quantum computing research has the effect of many companies and projects adding quantum-resistant cryptographic schemes.
If, say, we've got a $10 million quantum computer that can break one 256 bit elliptic curve key in an hour... Great, EC is broken. But what if browsers, SSH, auth, etc. just about everything moves to PQ schemes...
Then what are those quantum computers useful for?
I understand that breaking even a single EC 256 bit key in a few hours on a $$$ machine is a very big deal.
But what else are they going to be useful for? For breaking ECC doesn't help humanity. It doesn't bring anything. It only destroys.
EDIT: for example I read stuff like: "Estimates are about three years to break a single 256 bit EC key on a 10,000-qubit quantum computer". What's a 10,000-qubit quantum computer going to be used for when everybody shall have moved to quantum-resistant algos?
Hoping there is already a migration plan. Fortunately many modern tools make it easy to switch to PQ, maybe someone knows which stack HN is running and if it would be possible.
Along similar lines, Mozilla recently updated their recommended server-side TLS configuration to enable the X25519MLKEM768 post-quantum key exchange now that it's making it into actually-deployed software versions: https://wiki.mozilla.org/Security/Server_Side_TLS At the same time they removed their "old client" compatibility profile as newer TLS libraries do not implement the necessary algorithms (or at least do not enable them by default) and slightly tweaked the "intermediate" compatibility profile to remove a fallback necessary for IE 11 on Windows 7 (now Windows 10 is the minimum compatible version for that profile).
The CDN part is the easy half. In my work the harder problem has most often been internal service mesh, mTLS between services, any infra that doesn't terminate at a CDN. It has a bad habit of longer certificate lifetimes and older TLS stacks, and nobody is upgrading it for you.
Any information on future CPUs with support for hardware accelerated PQC algorithms? Will all my old devices become slow when PQC is the norm and encrypted communication is no longer hardware accelerated?
Outside of the PQ algorithms not being as thoroughly vetted as others, are there any negatives to shifting algorithms? Like even if someone were to prove that quantum computing is a dud, is there any reason why we shouldn't be using this stuff anyway?
Yet, the same Cloudflare wants to control entire internet traffic single-handedly.
The Internet was not created for this.
One could argue that 'but they are very good at preventing DDoS attacks' — yes they are; however, they have always loved control and kept their technology proprietary to lock their customers into their systems. And one day, a single line of code disrupted many services on the web.
Centralization and monopolies are much bigger threats to the future of the internet, IMHO. (Which always follows the same pattern: give your customers free or unbelievably cheaper services, even at a loss, lock them in, then jack up the price.)
Quantum computing, and the generic term 'quantum' is gearing up to be the next speculative investment hype bubble after AI, so prepare for a lot of these kinds of articles
The hard part is certificate authentication. And that's not included in the cipher suite setting.
Rephrased, they meant to say "there is no reason to remove support for quantum-vulnerable algorithms in the near future."
IMO that's much less likely to be accidentally misinterpreted.
> Updating websites is going to be so much easier than dealing with other systems (bitcoin probably the worst; data at rest storage systems; hardware).
IPv6 deserves a prominent spot there
Which one do you think is PQ-secure?
https://qi.rt.ht/?pq={api.,}{stripe,paypal}.com
> news.ycombinator.com:443 is using X25519, which is not post-quantum secure.
This is the result of Cloudflare's test "Check if a host supports post-quantum TLS key exchange" offered on https://radar.cloudflare.com/post-quantum.
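The Radar check quoted above reports which TLS 1.3 key-exchange group a server negotiates. The same check can be run locally against any host, including internal services that never sit behind a CDN, with `openssl s_client`. The script below is an added example and is not from the thread or from Cloudflare; it assumes an OpenSSL build (3.5 or later) whose `s_client` knows the `X25519MLKEM768` hybrid group and prints a `Negotiated TLS1.3 group:` line, and the function names (`negotiated_group`, `is_pq_group`, `probe_pq_kex`) are the author's own. The sample `s_client` output used in the comments is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example: probe a TLS server for post-quantum (hybrid ML-KEM) key exchange.
# Assumes OpenSSL >= 3.5 so that `-groups X25519MLKEM768` is understood.

# Read `openssl s_client` output on stdin and print the negotiated TLS 1.3
# group name, or "none" if no such line is present (e.g. TLS 1.2 or a failed
# handshake). Constructed sample line: "Negotiated TLS1.3 group: X25519MLKEM768"
negotiated_group() {
    group=$(sed -n 's/^Negotiated TLS1\.3 group: *\([A-Za-z0-9_-]*\).*/\1/p' | head -n 1)
    if [ -n "$group" ]; then
        printf '%s\n' "$group"
    else
        printf 'none\n'
    fi
}

# Return 0 if the group name is an ML-KEM (pure or hybrid) group as named by
# OpenSSL 3.5, 1 for classical-only groups such as X25519 or prime256v1.
is_pq_group() {
    case "$1" in
        X25519MLKEM768|SecP256r1MLKEM768|SecP384r1MLKEM1024|MLKEM512|MLKEM768|MLKEM1024)
            return 0 ;;
        *)
            return 1 ;;
    esac
}

# Offer the hybrid group first and X25519 as a fallback, so the output shows
# what the server actually picks when the client is PQ-capable.
# Usage: probe_pq_kex example.com [443]
probe_pq_kex() {
    host=$1
    port=${2:-443}
    out=$(printf '' | openssl s_client -connect "$host:$port" -servername "$host" \
            -tls1_3 -groups X25519MLKEM768:X25519 2>/dev/null)
    group=$(printf '%s\n' "$out" | negotiated_group)
    if is_pq_group "$group"; then
        echo "$host:$port negotiated $group (post-quantum key exchange)"
    else
        echo "$host:$port negotiated $group (NOT post-quantum)"
    fi
}
```

Run `probe_pq_kex` against an origin after enabling the hybrid group in its TLS stack; a server that still answers with plain `X25519` is either running a library without ML-KEM support or has not been configured to offer it, which is the gap the "origin support" numbers on Radar are measuring. Note that this only covers key exchange; certificate authentication is still classical either way.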