If any kind of proof about serious quantum computers comes to light, browsers can force most websites' hand by marking non-PQ ciphers as insecure.

Maybe it'll require TLS 1.4/QUIC 2, with no changes but the cipher specifications, but it can happen in two or three years. Certificates themselves don't last longer than a year anyway. Corporations running ancient software that doesn't support PQ TLS will have the same configuration options to ignore the security warnings already present for TLS 1.0/plain HTTP connections.

The biggest problem I can imagine is devices talking to the internet no longer receiving firmware updates. If the web host switches protocols, the old clients will start dying off en masses.

Waiting now means rushing even more close to the deadline! We added stats on origin support for post-quantum encryption. Not as much support as browsers of course, but better than I expected. Still a long road (and authentication!). https://radar.cloudflare.com/post-quantum

> Updating websites is going to be so much easier than dealing with other systems (bitcoin probably the worst; data at rest storage systems; hardware).

IPv6 deserves a prominent spot there

Cloudflare has long been doing work on PQ (sometimes in conjunction with Google) and rolled out PQ encryption for our customers. You can read about where this all started for us 7 years back: https://blog.cloudflare.com/towards-post-quantum-cryptograph... and four years ago rolled out PQ encryption for all customers: https://blog.cloudflare.com/post-quantum-for-all/

The big change here is that we're going to roll out PQ authentication as well.

One important decision was to make this "included at no extra cost" with every plan. The last thing the Internet needs is blood-sucking parasites charging extra for this.

That is a beautiful api.

Among cryptography engineers there was a sharp vibe shift over the last 2 months; there are papers supporting that vibe shift, but there's also a rumor mill behind it too. The field has basically aligned fully in a way it hadn't before that this is an urgent concern. The simplest way to put it is that everyone's timeline for a real-world CRQC has shortened. Not everyone has the same timeline, but all those timelines are now shorter, and for some important (based on industry and academic position) practitioners, it's down to "imminent".

It's theory. The concern is for avoiding a (likely, IMO) scenario where the only real indication that someone cracked QC is one or more teams of researchers in the field going dark because they got pulled into some tight-lipped NSA project. If we wait until we have an unambiguous path to QC, it might well be too late.

To avoid the scenario where for a prolonged period of time the intelligence community has secret access to QC, researchers against that type of thing are incentivized to shout fire when they see the glimmerings of a possibly productive path of research.

still theory, but there seems to be an emerging consensus that quantum systems capable of real-world attacks are closer to fruition than most people generally assumed.

Filippo Valsorda (maintainer of Golang's crypto packages, among other things) published a summary yesterday [0] targeted at relative laypeople, with the same "we need to target 2029" bottom line.

0: https://words.filippo.io/crqc-timeline/

Nothing has been broken yet, however data can be collected now and be cracked when the time comes, hence why there is a push.

Theory. And afaik there are still questions as to if the PQ algorithms are actually secure.

Post-quantum algorithms tend to be slower than existing elliptic curve algorithms and require more data to be exchanged to provide equivalent security against attacks run on non-quantum computers.

https://news.ycombinator.com/item?id=47677483

nah. governments around the world are hoovering up traffic today with the hope of a "cheap" (by nation state standards) quantum computer. Some of the secrets sent today are "evergreen" (i.e are still relevant 10+ years into the future), amongst a whole lot of cruft. There is massive incentive to hide the technology to keep your peers transmitting in vulnerable encryption as long as possible.

At least it's time bound: hope to have this job done by 2029!

If we do our job, it changes nothing. Problem with security generally: no spectacle if it's all correct. :)

"Nothing happened for y2k" energy

It would mean that they're future-proofing their security

What do you mean? For as long as I remember (back to late 1994) people understood DES to be inadequate; we used DES-EDE and IDEA (and later RC4) instead. What "secrecy" would there have been? The feasibility of breaking DES given a plausible budget goes all the way back to the late 1970s. The first prize given for demonstrating a DES break was only $10,000.

My read of the recent google blog post is that they framed it as cryptocurrency related stuff just so they don't say the silent thing out loud. But lots of people "in the know" / working on this are taking it much more seriously than just cryptobros go broke. So my hunch is that there's more to it and they didn't want to say it / couldn't / weren't allowed to.