DEV Community

Cover image for The Internet Is Only Half-Protected From Q-Day — And It's the Wrong Half
Sonia Bobrik
Sonia Bobrik

Posted on

The Internet Is Only Half-Protected From Q-Day — And It's the Wrong Half

There's a number that should unsettle every engineer who ships software for a living: roughly half. That's how much of the web's traffic is now shielded against quantum decryption — and it's also how much isn't. Analysts who model what researchers call the cryptographic countdown, laid out in detail in this examination of why files encrypted today may be readable by 2031, argue that the deadline for finishing the job is not set by us. It's set by whoever is quietly recording our traffic right now. And the half of the migration we've completed turns out to have been the easy half.

The Math That Decides Whether You're Already Late

In 2015, cryptographer Michele Mosca compressed the entire quantum threat into one inequality. Call X the number of years your data must remain confidential. Call Y the number of years your migration to quantum-safe cryptography will take. Call Z the number of years until a cryptographically relevant quantum computer exists. If X + Y > Z, you have a problem — not in the future, but today, because traffic captured before your migration finishes gets decrypted retroactively.

Plug in realistic values. Health records, legal archives, and source-code secrets need confidentiality for 10–25 years. Enterprise cryptographic migrations historically take 5–10 years (the SHA-1 deprecation took over a decade, and that was a far simpler swap). Estimates for Z keep shrinking: hardware announcements over the past two years have repeatedly beaten forecasts, including Google's demonstration of the first verifiable quantum advantage on real hardware, where its Willow chip ran an algorithm 13,000 times faster than the best classical method on a leading supercomputer — a result published in Nature, not a press-release benchmark. Nobody serious claims Willow breaks RSA. But every below-threshold error-correction milestone compresses Z, and the inequality doesn't care about our optimism.

What Actually Got Fixed: Key Agreement

Credit where it's due — the industry executed one part of this transition faster than any cryptographic migration in history. Chrome turned on hybrid post-quantum key exchange by default in April 2024, Firefox followed that November, and Apple's ecosystem joined in late 2025. Akamai made post-quantum key exchange the default for all client connections in January 2026. The result: by 2026, more than 60% of human-generated TLS traffic reaching major edge networks negotiates X25519MLKEM768 — classical elliptic-curve math and the lattice-based ML-KEM running in parallel, so breaking the connection requires defeating both.

This is the piece that neutralizes harvest-now-decrypt-later for data in transit. If your API endpoints, tunnels, and internal service mesh use hybrid key agreement today, an adversary's tape archive of your 2026 traffic stays ciphertext forever. If they don't, every packet is a deferred breach.

What Didn't Get Fixed: Signatures, Certificates, and Everything at Rest

Here's the uncomfortable second half. Engineers tracking the transition closely — including the team behind Cloudflare's annual state of the post-quantum Internet report — describe a strange in-between era: nearly all traffic protected by post-quantum key agreement, while essentially zero public post-quantum certificates exist in the wild. The bottlenecks are unglamorous: HSM hardware support, certification audits, CA/Browser Forum approvals, and IETF debates over hybrid certificate formats. Broadly trusted post-quantum certificates likely won't be routine before 2027.

Why does that matter? Because signatures are what stop a future quantum attacker from impersonating your server, forging your software updates, or minting fake certificates. Key agreement protects secrets recorded today; signatures protect trust exercised tomorrow. ML-DSA signatures are also enormous compared to ECDSA — a full post-quantum certificate chain adds kilobytes to every handshake — which is why so many teams are stalling. And beyond TLS lies the long tail nobody budgets for: code-signing infrastructure, firmware on ten-year-lifecycle IoT devices, DNSSEC, encrypted backups, PGP archives, and blockchain key schemes.

A Concrete 90-Day Plan That Costs Almost Nothing

The paralysis is unnecessary. A small team can materially shrink its Y this quarter:

  • Week 1–2: Generate a cryptographic inventory. Grep for RSA, ECDH, ECDSA, and fixed key sizes across repos, Terraform, and vendor configs. Tag each finding with the confidentiality lifetime of the data it protects.
  • Week 3–6: Enable hybrid key agreement everywhere your stack allows it — modern TLS terminators, OpenSSH 9.x, WireGuard alternatives, CDN edge settings. For most teams this is configuration, not code.
  • Week 7–10: Kill hard-coded algorithm assumptions. Anywhere a wire format, database column, or protobuf field assumes a 256-bit signature or a 32-byte key, introduce versioning. This is the crypto-agility that makes the next migration cheap.
  • Week 11–13: Send every critical vendor a written question: what is your post-quantum roadmap and date? File the answers. Silence is a risk score.

The Deadline Nobody Announced

Regulators have quietly stopped treating this as optional: U.S. federal guidance now targets 2030 for transitioning away from quantum-vulnerable algorithms and 2035 for disallowing them entirely. But the real deadline arrived earlier, unannounced, the day storage became cheap enough to record everything. The half of the migration that remains — signatures, certificates, firmware, archives — is the slow, political, budget-fighting half. Mosca's inequality is already evaluating your organization. The only variable you control is Y, and the clock on it started without you.

Top comments (0)