Date: 2025-03-17

Cloudflare has taken a significant step toward securing online communications against future quantum threats by introducing post-quantum cryptography (PQC) protections in its Zero Trust platform.

This move allows organizations to safeguard their corporate network traffic from potential quantum computing attacks without individually upgrading each application or system.

Cloudflare has been actively working on post-quantum security since 2017. The move aligns with efforts by the National Institute of Standards and Technology (NIST) to transition away from conventional cryptographic algorithms.

In November 2024, NIST announced a phased approach to retire RSA and Elliptic Curve Cryptography (ECC), with full deprecation scheduled by 2035. However, Cloudflare is moving ahead of this timeline to ensure its customers remain protected well in advance of quantum computing breakthroughs.

At the time of writing, over 35% of non-bot HTTPS traffic passing through Cloudflare is already secured using PQC. The company has also announced that organizations can now utilize its Zero Trust platform to encrypt corporate network traffic end-to-end with post-quantum cryptography. This upgrade eliminates the need for businesses to overhaul their internal applications manually, offering immediate protection against quantum threats.

Three primary use cases have been outlined for the PQC protections in Cloudflare’s Zero Trust platform:

Clientless access: Cloudflare’s Zero Trust Network Access (ZTNA) solution now secures every HTTPS request to corporate applications with PQC, ensuring quantum-resistant connections from web browsers.

WARP device client: By mid-2025, the WARP client will encrypt all traffic – regardless of protocol – through a PQC-protected connection. This will secure corporate devices and ensure private routing across Cloudflare’s global network.

Secure Web Gateway (SWG): TLS traffic passing through Cloudflare Gateway is now encrypted with PQC, blocking threats while maintaining compliance with quantum-safe encryption standards.

Beyond HTTPS, Cloudflare is also prioritizing security for VPN replacements and other critical network functions. The company is reportedly working with banks, ISPs and governments to implement PQC solutions, preventing “harvest now, decrypt later” attacks where adversaries collect encrypted data to decrypt once quantum technology matures.

Cloudflare’s long-term approach focuses on migrating the TLS 1.3 protocol to PQC, addressing both key agreement mechanisms and digital signatures. While key agreement migration is well underway using the ML-KEM key-encapsulation mechanism, digital signatures present a performance challenge and are currently in the early stages of adoption.