Google quantum warning spurs crypto work
A Google alert about post‑quantum risks has prompted vendors to re‑prioritise cryptographic migrations, with Cloudflare saying it is actively adjusting its roadmap in response. Security coverage notes that other cloud and networking providers are revisiting their post‑quantum plans after the warning, signalling a renewed cross‑industry migration effort for long‑lived keys and protocols (csoonline.com).
Most internet encryption works like a padlock built around math problems that ordinary computers take centuries to solve, but a large enough quantum computer could rip through some of those problems fast enough to expose stored traffic and long-lived keys. Google spent February and March 2026 telling the web industry to start rebuilding parts of that lock system now, not later. (security.googleblog.com 1) (security.googleblog.com 2) The immediate danger is not that someone has a magic quantum machine today. The danger is “harvest now, decrypt later,” where attackers copy encrypted traffic in 2026 and wait for stronger machines to read it years from now. (cloud.google.com) (blog.cloudflare.com) That threat hits long-lived secrets first. A certificate authority root key, an operating system trust anchor, or a device identity meant to last 10 or 20 years has a much bigger problem than a short web session that disappears in minutes. (chromium.org) (security.googleblog.com) Google’s latest warning was aimed at that plumbing. In February 2026, Chrome announced a new Quantum-resistant Root Program that would run alongside its existing browser trust store instead of trying to bolt quantum-safe certificates onto the old system. (security.googleblog.com) A browser trust store is the built-in guest list that tells Chrome which certificate authorities can vouch for a website. If that guest list is wrong, the little lock icon can be fooled even when the connection looks normal. (security.googleblog.com) Google followed that with a February 27 roadmap from the Chromium team for post-quantum Hypertext Transfer Protocol Secure authentication, which is the part of a secure web connection that proves the server really is who it claims to be. The document says Chromium has no immediate plan to accept traditional digital certificates stuffed with post-quantum algorithms, because the old certificate format does not scale cleanly for the new job. (chromium.org) (security.googleblog.com) That is what jolted vendors. Cloudflare said on April 7 that it was accelerating its own plan and now targets 2029 for being fully post-quantum secure, including the harder piece: authentication, not just encryption in transit. (blog.cloudflare.com) Cloudflare had already been pushing post-quantum tunnels for corporate traffic and post-quantum protection in its WARP client, which is its secure networking app for consumers and businesses. The new move is broader because it shifts the company’s deadline for the whole platform after Google signaled that the certificate system itself needs redesign work. (blog.cloudflare.com 1) (blog.cloudflare.com 2) (blog.cloudflare.com 3) The standards world has been moving too. The United States National Institute of Standards and Technology has already standardized post-quantum algorithms, and industry reporting says it is steering users away from legacy public-key systems by 2030 with retirement planned for 2035. (cloud.google.com) (csoonline.com) So this is turning from a lab project into a construction project. Browser makers are redesigning trust stores, cloud providers are moving roadmaps forward, and every company with certificates, hardware roots of trust, or archived sensitive traffic now has to inventory which secrets still need to be safe in the 2030s. (security.googleblog.com) (blog.cloudflare.com) (csoonline.com)
