Somewhere in a lab — or perhaps many labs — a quantum computer is inching closer to the moment it can shatter the encryption protecting virtually every transaction, message, and secret on the internet. Nobody knows exactly when that day arrives. Could be five years. Could be fifteen. Could be sooner than anyone expects. And Cloudflare, the company that routes and protects a staggering share of global web traffic, just laid out its most detailed plan yet for what it intends to do about it.
The company published a comprehensive post-quantum cryptography roadmap on its engineering blog, outlining a phased strategy to migrate its entire infrastructure — and by extension, a significant portion of the internet — to cryptographic algorithms that can withstand attacks from quantum computers. It’s an ambitious timeline. And it’s already underway.
The threat is known in cryptographic circles as “harvest now, decrypt later.” Nation-state adversaries and sophisticated attackers are already intercepting and storing encrypted data today, banking on the expectation that future quantum machines will be powerful enough to crack it open. Financial records. Diplomatic communications. Trade secrets. Medical data. All of it sitting in storage, waiting for the right key to turn. The data doesn’t expire. The encryption eventually will.
This isn’t theoretical hand-wringing. The U.S. National Institute of Standards and Technology finalized its first set of post-quantum cryptographic standards in 2024, selecting algorithms like ML-KEM (formerly known as CRYSTALS-Kyber) and ML-DSA (CRYSTALS-Dilithium) as the foundations for quantum-resistant encryption and digital signatures. NIST has been explicit: organizations should begin migrating now. Not next year. Now.
Cloudflare’s roadmap, authored by members of its research and cryptography engineering teams, breaks the migration into concrete phases. The first phase, already largely complete, involved deploying post-quantum key agreement in TLS connections between browsers and Cloudflare’s edge network. Since late 2024, the company says the majority of HTTPS connections to its network already use ML-KEM in a hybrid configuration — combining classical and post-quantum algorithms so that security isn’t degraded even if one turns out to have weaknesses.
That’s the easy part. Relatively speaking.
The harder work lies in what Cloudflare calls the “back half” of the connection: traffic between its edge servers and the origin servers operated by its millions of customers. This is where the company’s roadmap gets granular and, frankly, where the real engineering challenges live. Origin servers run on an enormous variety of software stacks, operating systems, and TLS libraries. Many are managed by small teams or individuals who may not be tracking post-quantum developments at all. Cloudflare can’t simply flip a switch.
According to the blog post, the company plans to enable post-quantum tunnels between its edge and origin servers progressively throughout 2025 and 2026. For customers using Cloudflare Tunnel — a product that creates encrypted connections from origin infrastructure back to Cloudflare’s network without exposing public IP addresses — the migration is more straightforward. The cloudflared connector software can be updated to support post-quantum key exchange, and Cloudflare controls both ends of that tunnel. For traditional HTTPS connections to origin servers, however, the migration depends on origin server operators upgrading their own TLS stacks.
And then there’s everything else. Internal service-to-service communication. Connections to third-party APIs. DNS. Certificate issuance. Each of these represents a distinct migration challenge with its own dependencies, timelines, and failure modes.
The scale of what Cloudflare is attempting matters because of the company’s position in internet infrastructure. Cloudflare says it handles requests for roughly 20% of all websites. Its network spans more than 300 cities across over 100 countries. When Cloudflare makes a cryptographic change, it doesn’t just affect Cloudflare. It ripples outward through the protocols and practices that the broader internet relies on.
The company has been signaling its post-quantum ambitions for years. It conducted one of the first large-scale experiments with post-quantum key exchange in TLS back in 2019, partnering with Google Chrome to test the performance characteristics of lattice-based cryptography on real internet traffic. That experiment, which Cloudflare documented at the time, provided early data showing that post-quantum algorithms could be deployed without catastrophic performance penalties — a concern that had slowed enthusiasm in some quarters.
But performance isn’t nothing. Post-quantum algorithms generally produce larger keys and ciphertexts than their classical counterparts. ML-KEM key encapsulation, for instance, adds roughly a kilobyte to the TLS handshake compared to the X25519 elliptic curve key exchange it supplements. In a world where Cloudflare handles trillions of connections, those extra bytes add up. The company’s engineers have spent considerable effort optimizing implementations, and the roadmap notes that hybrid key exchange — combining X25519 with ML-KEM-768 — has become the default without meaningful degradation in connection times for most users.
Signatures are a different story. Post-quantum signature algorithms like ML-DSA produce signatures that are dramatically larger than those generated by ECDSA or Ed25519. A single ML-DSA-65 signature is roughly 3,300 bytes, compared to 64 bytes for Ed25519. TLS certificate chains typically contain multiple signatures, so the bloat compounds. Cloudflare’s roadmap acknowledges this as one of the most significant unresolved challenges and notes that the company is actively researching approaches including Merkle tree-based signatures and hybrid certificate strategies.
The timeline pressure is real. NIST’s guidance recommends that federal agencies complete their migration to post-quantum cryptography by 2035, with planning and initial deployments happening now. The NSA’s Commercial National Security Algorithm Suite 2.0 mandates post-quantum algorithms for national security systems on a similarly aggressive schedule. But government mandates only directly bind government systems. The private sector, where the vast majority of internet traffic originates, moves according to different incentives.
This is where Cloudflare’s role becomes particularly significant. By building post-quantum support into its platform and enabling it by default, the company effectively migrates a huge swath of web traffic without requiring each individual website operator to become a cryptography expert. It’s an infrastructure-level play. The same logic that made Cloudflare’s push for universal HTTPS and free TLS certificates transformative applies here: reduce the barrier, and adoption follows.
Not everyone is moving at the same pace. Google has been aggressive in deploying post-quantum key exchange in Chrome and across its internal infrastructure. Apple announced post-quantum protections for iMessage in early 2024, implementing what it called PQ3, a protocol designed to provide post-quantum security for messaging. Signal, the encrypted messaging app, rolled out post-quantum protections for its protocol even earlier. But these are consumer-facing applications with centralized control over both endpoints. The open web is a fundamentally different problem.
The challenge of migrating the open web’s TLS infrastructure to post-quantum cryptography has been compared to the Y2K remediation effort — except with less certainty about the deadline and more complexity in the technical execution. Every TLS library needs updating. Every server configuration needs adjustment. Every certificate authority needs to issue new types of certificates. Every client needs to support the new algorithms. And all of this needs to happen while maintaining backward compatibility with systems that haven’t been updated yet.
Cloudflare’s roadmap addresses backward compatibility head-on. The hybrid approach — using both classical and post-quantum algorithms simultaneously — is the core strategy. A connection protected by X25519 and ML-KEM-768 remains secure against classical computers even if ML-KEM is somehow broken, and remains secure against quantum computers even if X25519 falls. This belt-and-suspenders method adds overhead but eliminates the catastrophic risk of betting on a single algorithm family.
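The hybrid key agreement described above, along with the handshake overhead the article attributes to ML-KEM, as an added example that is not Cloudflare's code: both ends of an X25519+ML-KEM-768 exchange run in one process using only Go's standard library (crypto/mlkem, Go 1.24 or later). Two assumptions: the SHA-256 combiner stands in for the TLS key schedule, and the key_share layout (ML-KEM material first, X25519 public key second, under the X25519MLKEM768 name) follows the IETF TLS draft, which the article does not cite.

```go
package main

import (
	"crypto/ecdh"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
)

// must unwraps a result whose error could only come from a randomness failure
// or a malformed peer share; both are fatal for this in-process demo.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// combine folds both shared secrets into one session secret. Assumption: SHA-256
// over ML-KEM secret || X25519 secret; TLS feeds that concatenation into its
// HKDF key schedule instead. The output stays secret while EITHER input does.
func combine(mlkemSS, x25519SS []byte) []byte {
	sum := sha256.Sum256(append(append([]byte{}, mlkemSS...), x25519SS...))
	return sum[:]
}

// HybridHandshake runs both ends of an X25519+ML-KEM-768 agreement in-process
// using only the standard library (crypto/mlkem needs Go 1.24+). It returns the
// two derived secrets and the key_share bytes each side put on the wire; plain
// X25519 would send 32 bytes each way, so the difference is the PQ overhead.
func HybridHandshake() (clientSecret, serverSecret []byte, clientShare, serverShare int) {
	// Client: key_share is ML-KEM encapsulation key || X25519 public key, the
	// X25519MLKEM768 layout (1184 + 32 bytes).
	dk := must(mlkem.GenerateKey768())
	cX := must(ecdh.X25519().GenerateKey(rand.Reader))
	ekBytes, cPub := dk.EncapsulationKey().Bytes(), cX.PublicKey().Bytes()

	// Server: parse the share, encapsulate to the ML-KEM key, run its own X25519.
	// Its key_share is ML-KEM ciphertext || X25519 public key (1088 + 32 bytes).
	ek := must(mlkem.NewEncapsulationKey768(ekBytes))
	mlkemSS, ct := ek.Encapsulate()
	sX := must(ecdh.X25519().GenerateKey(rand.Reader))
	cPeer := must(ecdh.X25519().NewPublicKey(cPub))
	serverSecret = combine(mlkemSS, must(sX.ECDH(cPeer)))

	// Client: decapsulate the ciphertext and finish X25519 with the server's key.
	clientSecret = combine(must(dk.Decapsulate(ct)), must(cX.ECDH(sX.PublicKey())))
	return clientSecret, serverSecret, len(ekBytes) + len(cPub), len(ct) + len(sX.PublicKey().Bytes())
}
```

Comparing the returned share sizes against the 32 bytes a pure X25519 exchange sends shows where the "roughly a kilobyte" of handshake overhead comes from.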
The company also flagged its work on post-quantum secured connections for products beyond basic CDN and web application firewall services. Cloudflare One, its zero trust networking platform, is a priority. Enterprises using Cloudflare’s WARP client to connect remote employees to corporate resources will see post-quantum protections extended to those tunnels. Given the sensitivity of corporate traffic flowing through zero trust architectures — internal applications, authentication tokens, proprietary data — this is where the harvest-now-decrypt-later threat bites hardest.
So what’s left to solve? Plenty.
Certificate transparency logs need to accommodate larger post-quantum certificates without breaking the systems that monitor them. OCSP responses and certificate revocation mechanisms need updating. DNSSEC, which protects the integrity of DNS responses, relies on digital signatures that will eventually need post-quantum replacements — and DNSSEC deployment is already frustratingly slow. Email encryption standards like S/MIME and PGP face their own migration challenges. VPN protocols, code signing, secure boot chains, hardware security modules — the list extends far beyond web traffic.
Cloudflare’s roadmap is candid about what it can control and what it can’t. The company can upgrade its own infrastructure. It can make post-quantum the default for traffic it terminates. It can contribute to open-source TLS libraries like BoringSSL and its own fork. It can push standards forward at the IETF. But it can’t force origin servers to upgrade. It can’t make every IoT device or legacy system speak post-quantum TLS. And it can’t predict which algorithms will stand the test of time.
That last point deserves attention. Cryptographic algorithms have been broken before. In 2022, NIST’s initial post-quantum candidate SIKE was spectacularly broken by researchers using a classical computer — not even a quantum one. The algorithm was eliminated from consideration, but the episode underscored the relative immaturity of post-quantum cryptography compared to the decades of analysis behind RSA and elliptic curve algorithms. Hybrid deployment isn’t just a convenience. It’s a hedge against the unknown.
The financial implications are substantial. Enterprises face costs in inventory assessment, software upgrades, testing, and potential hardware replacement. Cryptographic agility — the ability to swap algorithms without rearchitecting systems — has become a priority for security architects, but it’s easier said than done. Many organizations have hard-coded cryptographic choices deep in their software stacks. Extracting and replacing them is tedious, expensive work.
Cloudflare’s pitch is essentially: let us handle the hard part. By absorbing the complexity of post-quantum migration into its platform, the company positions itself as the default choice for organizations that want quantum resistance without the engineering burden. It’s a competitive moat disguised as a public good. And it might work.
The company’s track record on cryptographic transitions lends credibility. Cloudflare was among the first major providers to deploy TLS 1.3 at scale, to support ESNI (now ECH) for encrypted client hello, and to push for DNS-over-HTTPS adoption. Each of these moves followed a similar pattern: early experimentation, public research, standards participation, and then default-on deployment across the network. The post-quantum migration appears to be following the same playbook, just at a larger scale and with higher stakes.
Industry analysts have noted that the post-quantum migration represents one of the largest coordinated technology transitions since the move from IPv4 to IPv6 — a transition that, notably, still isn’t complete after more than two decades. The hope is that post-quantum cryptography won’t follow the same glacial trajectory. The difference, proponents argue, is that the consequences of inaction are more concrete and more severe. A quantum computer capable of breaking RSA-2048 doesn’t just create an inconvenience. It creates a catastrophe.
Whether that urgency translates into actual deployment speed remains to be seen. Cloudflare is betting it will. The roadmap isn’t a white paper or a thought exercise. It’s a production schedule, with dates, milestones, and engineering commitments. The company says it expects the majority of traffic flowing through its network to be protected by post-quantum cryptography — on both the front and back halves of the connection — by the end of 2026.
That’s eighteen months from now. The quantum clock keeps ticking.


WebProNews is an iEntry Publication