Warp
14 hours ago
- #Post-Quantum Cryptography
- #Cloudflare WARP
- #Internet Security
- The Internet is transitioning to post-quantum cryptography (PQC) to prepare for Q-Day, when quantum computers may break classical cryptography.
- Cloudflare has upgraded its WARP client to support post-quantum key agreement, protecting traffic from harvest-now-decrypt-later attacks.
- Over 45% of human-generated Internet traffic to Cloudflare's network is already post-quantum encrypted, ahead of NIST's 2030/2035 deadlines.
- The WARP client uses post-quantum MASQUE tunnels for end-to-end quantum encryption, even if individual connections are not yet PQC-upgraded.
- Post-quantum key agreement is mature and performant; ML-KEM in hybrid mode with TLS 1.3 outperforms TLS 1.2 with classical cryptography.
- Upgrading the WARP client is challenging due to its deployment on millions of user devices across five operating systems, requiring careful rollout.
- Cloudflare uses a phased approach with temporary PQC downgrades, gradual rollout, and MDM overrides to ensure robustness and security.
- The WARP client supports FIPS-compliant cryptography for FedRAMP certification, using hybrid key agreements like P256Kyber768Draft00.
- Post-quantum signatures and certificates are still being standardized; Cloudflare plans to upgrade the WARP client to support them in the future.
- Cloudflare offers PQC at no extra cost, with the WARP client available for free consumer use and enterprise zero-trust subscriptions.