Cloudflare has recently implemented post-quantum cryptography (PQC) protections in its Zero Trust platform, aiming to bolster online communications security against potential quantum computing threats. This strategic move allows organizations to shield their network traffic from quantum attacks without the need to individually upgrade each application or system.
Since 2017, Cloudflare has been actively involved in post-quantum security initiatives. This latest development is in line with the National Institute of Standards and Technology (NIST) effort to transition away from traditional cryptographic algorithms. NIST had announced in November 2024 a phased approach to retiring RSA and Elliptic Curve Cryptography (ECC) by 2035. Nevertheless, Cloudflare has proactively taken steps to ensure its customers are safeguarded well ahead of any quantum computing breakthroughs.
Currently, more than 35% of non-bot HTTPS traffic processed by Cloudflare is already secured with PQC. Additionally, organizations can now leverage the Zero Trust platform to encrypt their network traffic end-to-end with post-quantum cryptography, eliminating the manual overhaul of internal applications and providing immediate protection against quantum threats.
The implementation of PQC protections in Cloudflare’s Zero Trust platform caters to three primary use cases:
– Clientless access: With Cloudflare’s Zero Trust Network Access (ZTNA) solution, every HTTPS request to corporate applications is now secured with PQC, ensuring quantum-resistant connections from web browsers.
– WARP device client: By mid-2025, the WARP client will encrypt all traffic through a PQC-protected connection, irrespective of protocol, to secure corporate devices and ensure private routing across Cloudflare’s global network.
– Secure Web Gateway (SWG): Traffic passing through Cloudflare Gateway is encrypted with PQC, enhancing security measures while adhering to quantum-safe encryption standards.
Apart from securing HTTPS traffic, Cloudflare is also focusing on enhancing security for VPN replacements and other critical network functions. The company is collaborating with banks, ISPs, and governments to deploy PQC solutions, preventing potential “harvest now, decrypt later” attacks where encrypted data is collected for decryption once quantum technology matures.
Cloudflare’s long-term strategy involves transitioning the TLS 1.3 protocol to PQC, encompassing key agreement mechanisms and digital signatures. While key agreement migration is progressing smoothly using the ML-KEM protocol, the adoption of digital signatures poses performance challenges and is still in the early stages.
In conclusion, Cloudflare’s proactive approach to implementing post-quantum cryptography in its Zero Trust platform underscores its commitment to fortifying online communications security and staying ahead of potential quantum threats. This initiative not only benefits Cloudflare’s customers but also contributes to advancing global cybersecurity standards in the face of evolving technological landscapes.