The State of Post-Quantum Cryptography (PQC) on the Web
10 months ago
- #post-quantum cryptography
- #quantum computing
- #cybersecurity
- Q-Day (when quantum computers can break public key cryptography) is predicted to arrive as early as 2029.
- Only 5% of CISOs consider post-quantum cryptography (PQC) a high business priority.
- Only 8.6% of the top 1 million websites support hybrid PQC key exchange mechanisms.
- 25% of websites still do not support TLS 1.3, and 16% lack quantum-resistant symmetric ciphers.
- PQC adoption is higher among top websites (42% of the top 100) but drops significantly beyond the top 1,000.
- Banking, healthcare, and government sectors lag in PQC adoption, with banking at just 3%.
- Websites with PQC enabled tend to have stronger overall TLS configurations and fewer outdated cipher suites.
- Countries like Australia (.au), Canada (.ca), and the UK (.uk) lead in PQC deployment.
- 93% of Chrome requests are PQC-ready, but Safari's lack of support reduces global readiness to 57%.
- NIST has standardized PQC algorithms like CRYSTALS-Kyber (ML-KEM) and CRYSTALS-Dilithium (ML-DSA).
- Hybrid ciphers combine classical and PQC algorithms to maintain security during the transition.
- TLS 1.3 is essential for PQC support, yet only 71.3% of the top 1 million sites prefer it, and many are still on TLS 1.2.
- Quantum computers will enable forging of digital signatures, undermining trust in TLS certificates and software updates.
- Organizations must start planning for PQC adoption now to protect sensitive data with long-term confidentiality requirements.
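
The three server-side properties counted above (TLS 1.3, a hybrid PQC key exchange, and the strength of the symmetric cipher) can all be read from a server's ServerHello. The following is an added example, not code from the original article: the function names and sample messages are constructed here, the group code points are the IANA values for the hybrid ML-KEM groups, and treating only 256-bit keys as quantum-resistant is an assumption.

```python
import struct

# IANA "TLS Supported Groups" code points for the hybrid ML-KEM key exchanges.
HYBRID_PQC_GROUPS = {0x11EB: "SecP256r1MLKEM768", 0x11EC: "X25519MLKEM768",
                     0x11ED: "SecP384r1MLKEM1024"}
# TLS 1.3 suites -> key bits (assumption: only 256-bit keys count as quantum-resistant).
TLS13_KEY_BITS = {0x1301: 128, 0x1302: 256, 0x1303: 256}

def assess_server_hello(body: bytes) -> dict:
    """Classify a ServerHello body (RFC 8446 4.1.3, starting at legacy_version)."""
    if len(body) < 35 or len(body) < 38 + body[34]:
        raise ValueError("truncated ServerHello")
    version, = struct.unpack_from("!H", body, 0)        # legacy_version
    pos = 35 + body[34]                  # skip random and legacy_session_id_echo
    cipher, = struct.unpack_from("!H", body, pos)
    pos += 3                             # cipher_suite + compression method
    group = None
    if len(body) >= pos + 2:             # extensions are optional before TLS 1.3
        ext_len, = struct.unpack_from("!H", body, pos)
        pos, end = pos + 2, pos + 2 + ext_len
        if end > len(body):
            raise ValueError("extensions overrun message")
        while pos + 4 <= end:
            etype, elen = struct.unpack_from("!HH", body, pos)
            pos += 4
            if pos + elen > end:
                raise ValueError("extension overruns extensions block")
            if etype == 43 and elen == 2:                # supported_versions
                version, = struct.unpack_from("!H", body, pos)
            elif etype == 51 and elen >= 2:              # key_share: selected group
                group, = struct.unpack_from("!H", body, pos)
            pos += elen
    tls13 = version == 0x0304
    return {"tls13": tls13,
            "hybrid_pqc": HYBRID_PQC_GROUPS.get(group) if tls13 else None,
            "key_bits": TLS13_KEY_BITS.get(cipher) if tls13 else None}

def build_server_hello(cipher: int, exts: list) -> bytes:
    """Constructed sample input: a ServerHello body with zero-filled random/shares."""
    ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in exts)
    return (b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", cipher)
            + b"\x00" + struct.pack("!H", len(ext)) + ext)

V13 = (43, b"\x03\x04")                  # supported_versions selecting TLS 1.3
def key_share(group: int, n: int) -> tuple:
    return (51, struct.pack("!HH", group, n) + bytes(n))
HYBRID = build_server_hello(0x1302, [V13, key_share(0x11EC, 1120)])
CLASSICAL = build_server_hello(0x1301, [V13, key_share(0x001D, 32)])
TLS12 = build_server_hello(0xC02F, [])
```

A server only selects a hybrid group when the client offered one, so a scan that wants to measure support has to advertise these groups in its ClientHello.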