Cloudflare accelerates post‑quantum plans

The locks that protect most internet traffic were designed for ordinary computers, and a large enough quantum computer would solve the math behind those locks much faster than today’s machines can. Cloudflare said on April 7 that it is now aiming to make its services fully post‑quantum secure by 2029, including the login and certificate systems that prove who you are online. (blog.cloudflare.com) Post‑quantum cryptography is the replacement lockset: new encryption and signature methods built to survive a quantum attack without needing a quantum computer to run them. The U.S. National Institute of Standards and Technology finalized its first three post‑quantum standards on August 13, 2024, which turned this from a lab project into a real migration plan for vendors and governments. (nist.gov) For the last few years, the easier part of this shift was protecting secrecy in transit, which is the step that scrambles a message while it moves between a browser and a server. Cloudflare said it enabled post‑quantum encryption for all websites and application programming interfaces on its network in 2022, and more than 65% of human traffic to Cloudflare now uses post‑quantum encryption. (blog.cloudflare.com) The harder part is authentication, which is the proof that a website, device, employee, or software update is really what it claims to be. Google said on March 25 that it had changed its threat model to prioritize post‑quantum migration for authentication services, because digital signatures have to be replaced before a cryptographically relevant quantum computer exists. (blog.google) That shift is why Cloudflare’s update is not just “more encryption.” Cloudflare said its 2029 target now includes post‑quantum authentication, and CSO reported that the company is “actively adjusting” priorities after Google moved faster and after new research narrowed the estimates for breaking widely used elliptic curve cryptography. (blog.cloudflare.com) (csoonline.com) The immediate risk is not that criminals are breaking bank logins with quantum computers in April 2026. The immediate risk is “harvest now, decrypt later,” where attackers steal encrypted traffic, health records, contracts, or government files today and wait years for better machines to open them. (blog.cloudflare.com) (cloudflare.net) Cloudflare says it began preparing for this migration in 2019, and the company has been moving piece by piece through browsers, application programming interfaces, internal connections, and corporate networking products. In February 2026, it said Cloudflare One had become a full Secure Access Service Edge platform with modern post‑quantum encryption across its major network configurations. (blog.cloudflare.com) (cloudflare.net) The 2029 date matters because the official government glide path is slower. CSO, citing the National Institute of Standards and Technology draft transition plan, said older public‑key systems are set for deprecation in 2030 and retirement in 2035, so Google and Cloudflare are now working years ahead of that outer deadline. (csoonline.com) (csrc.nist.gov) Cloudflare also put a concrete date on one visible piece of the change: it plans to deploy post‑quantum certificates in 2027 for browser connections, according to CSO. That is the digital passport layer of the web, and swapping it out is closer to replacing road signs on every highway than installing one new app. (csoonline.com) What changed in the last few weeks was not a public “Q‑Day” machine suddenly appearing. Google said advances in hardware, error correction, and factoring estimates forced a 2029 migration timeline, and Cloudflare said credible new research and rapid industry developments made the deadline “much sooner than expected.” (blog.google) (blog.cloudflare.com) When companies that sit in the middle of so much internet traffic start pulling deadlines forward, everyone connected to them inherits the clock. Banks, hospitals, software vendors, and government agencies can keep using old cryptography for a while, but the companies carrying their traffic are already redesigning the pipes around a 2029 world. (blog.cloudflare.com) (blog.google)