Is Your Data Future‑Proof? Understanding Post‑Quantum Security Today 

Author: Luc Cook 

If you've been around the internet at all, you're almost certainly familiar with HTTPS, otherwise known as that little lock that appears in the web browser to tell you that you're on a 'safe' website. What that means is that behind the scenes, your device and the server hosting the website have agreed upon a way of encrypting the messages sent between them, so that no third parties can read what is being sent. 

It is easy to take this for granted, but until relatively recently it was more common for web communication to be unencrypted than encrypted. Google’s transparency report states that when it began collecting data from Chrome users in early 2015, only around 29% to 45% of web pages, depending on the device, were delivered over HTTPS. Today all devices, except for Linux at 86%, clock in at over 95%.

The adoption of HTTPS has, inarguably, been a success. It is incredibly rare to come across a website using only HTTP in the wild, and if you do, your browser will likely alert you that any data you send to that website's host could be read by ill-intending third parties. 

But the classic methods we've relied on to keep our data safe online may soon not be fit for purpose. As quantum computing moves from theory to reality, companies such as Signal, WhatsApp and Cloudflare are all trying to evaluate the risk of, and harden their encryption protocols against, quantum computers designed to bypass modern encryption protocols.

While these global companies are aware of the risk, their production-ready solutions for implementing full post-quantum cryptography are still some way off. 

Away from the big companies, the research association Rosenpass have released their solution for adding post quantum encryption to the WireGuard VPN protocol. However, this is currently only supported by a handful of providers, and not yet available for mobile devices.

Harvest now, decrypt later 

If quantum computers are still years away from real-world use, with most estimates putting the day that quantum computers will be able to break modern encryption methods (AKA 'Q-Day') in 2029 at the earliest, why be concerned now?

The answer to this lies in the use of a cyber attack method called 'Harvest now, decrypt later' (HNDL). This isn't a new attack method, but it had fallen out of general use due to the rise of HTTPS making it computationally inefficient. The theory goes that if you can gather encrypted internet traffic now, you can store it, then decrypt it when you eventually have access to a quantum computer.

Data that is only valuable for a short period after transmission, such as expiring payment details or other non-sensitive information, poses less of a concern. However, long-lived data, including legal agreements, proprietary research, health records, and defence information, is far more vulnerable to this approach. As quantum computing becomes more widely accessible, an increasing share of data currently seen as low risk will shift into this higher-risk category.

It might be the case that as we get closer to 'Q-Day', public advice will encourage people to change any passwords that have been transferred over non-quantum hardened services, in case they've been caught up in an HNDL collection, or we'll see more services abandoning passwords entirely, switching to solely passkey + TOTP authentication.

The other concern is the potential speed of adoption of post quantum cryptography protocols. As the Google transparency report shows, after the campaign by the Electronic Frontier Foundation in 2016 to encourage widespread HTTPS adoption, it still took 5 years for all major platforms (excluding Linux) to get to 90% of pages loaded over HTTPS. If the rollout of post quantum encryption followed a similar timeline, it's possible that a lot of services we rely on won't be 'quantum ready' in time.  

Cloudflare and Google are both targeting 2029 for full post quantum rollout, 6 years earlier than the NCSC currently recommends, and the same year that IBM's Quantum Safe CTO expects to see quantum computing being used against high value targets. 

Staying ahead of the game 

So what can you do today to protect yourself and your interests against your data being decrypted tomorrow? 

If you are working with long-lived sensitive data, consider looking into ways to secure this data in transit against future decryption, such as using WireGuard, hardened by Rosenpass, to establish a post quantum secure tunnel between peers.

For encrypted communications, if you can't wait for Signal or WhatsApp to finish their implementations, Cloudflare have published a guide to running a post quantum Matrix server on Cloudflare Workers.

For everything else, we may just have to wait and see. 

Got a question about post quantum cryptography? Get in touch to speak to the coc00n team.  

About the author

Luc Cook is a full stack developer at coc00n. His focus is on delivering secure applications to enhance device security and tooling to help clients understand and manage their risk and security profile. 
