Quantum-Safe Security: Cloudflare PQC Deployment Guide

by Priyanka Patel

Cloudflare Leads the Charge in Post-Quantum Cryptography Deployment

Mozilla Firefox, Google Chrome, and Android already support post-quantum cryptography (PQC) in hybrid mode, and with the anticipated launch of iOS 26 in September 2025, Apple will bring HTTP PQC to a vast majority of its users, marking a significant step toward a quantum-resistant internet.

The escalating threat posed by quantum computing to current encryption standards has spurred a global race to adopt PQC. Cloudflare, a leading provider of web infrastructure and security services, is at the forefront of this effort, implementing PQC across its network in a phased approach. This deployment, visualized as a three-zone connection between a user, Cloudflare’s edge network, and a company’s server, ensures increasing levels of quantum resistance.

Zone 1: Securing the Client Connection

The initial leg of the connection – between the user and Cloudflare – is seeing rapid PQC adoption. According to a company release, major browsers like Mozilla Firefox, Google Chrome, and Android already offer PQC support in hybrid mode. Apple’s forthcoming iOS 26, slated for release in September 2025, is expected to extend this protection to a large segment of Apple users.

For users seeking immediate PQC protection, the free Cloudflare WARP client offers a tunneled connection utilizing PQC. When used on macOS, Cloudflare functions as a Secure Web Gateway, ensuring all traffic is encrypted with post-quantum algorithms. This client leverages the MASQUE protocol, which inherently employs PQC, providing a robust security layer for all customers. Business users benefit from WARP’s integration with Zero Trust Network Access, offering enhanced security features.

Zone 2: Cloudflare’s Edge Network – Fully Quantum-Resistant

Cloudflare began deploying PQC across its entire network in 2023, and as of today, PQC is fully implemented between all its edge nodes. This means that regardless of whether the client (Zone 1) or the server (Zone 3) is PQC-ready, a secure, post-quantum encrypted connection is established between the user and Cloudflare’s network, and between the network and the server.

Zone 3: Bringing PQC to the Server

The final segment of the connection – between Cloudflare’s edge network and the company’s server – requires server-side support for PQC. The OpenSSL Foundation’s release of version 3.5, featuring hybrid ML-KEM support in TLS v1.3, has made this possible. Servers updated to this version and properly configured are now equipped to utilize PQC.

However, not all servers have been updated. To bridge this gap, Cloudflare offers cloudflared, a tunneling service that utilizes MASQUE with PQC to connect a server to the Cloudflare platform. Users can download cloudflared from GitHub, run it on their server, and link it to their Cloudflare account, effectively securing the final leg of their connection with post-quantum cryptography.

“At least part of the traffic will always be encrypted with post-quantum cryptography,” one analyst noted, highlighting the layered approach to security.

Cloudflare’s comprehensive strategy ensures that even in scenarios where only some zones support PQC, a degree of quantum resistance is maintained. As advancements in quantum computing continue, proactive measures like these are crucial for safeguarding data and maintaining a secure online environment.
