The encryption that protects communications between browsers, APIs and origin servers today is based on algorithms such as RSA and Elliptic Curve Cryptography (ECC). These are secure against traditional computing, but large-scale quantum computers will have enough power to break them.
If your traffic is not protected with post-quantum cryptography, the long-term confidentiality of those communications is already compromised.
The Problem: Harvest Now, Decrypt Later
Harvest now, decrypt later (HNDL) attacks do not require a quantum computer today. A malicious actor can intercept and store encrypted traffic—API requests, authentication tokens or sensitive data in transit—and wait until they have the computational power to decrypt it. For critical data with a long lifespan, such as financial information, medical records or login credentials, this window of exposure is already open.
The National Institute of Standards and Technology (NIST) published the first post-quantum cryptography standards in August 2024: ML-KEM for key agreement, and ML-DSA and SLH-DSA for digital signatures. It has also set 2030 as the deadline for deprecating RSA and ECC.
Transparent Edge’s Response
Transparent Edge implements post-quantum encryption at the transport layer to secure communications between the user’s browser and your infrastructure, without requiring you to modify your origin servers or your application.
The deployment of the protection strategy includes:
- Hybrid key exchange: Transparent Edge establishes the TLS 1.3 handshake using ML-KEM in combination with classic ECDHE. The session key is derived from the most secure algorithm supported by the client, ensuring a secure connection without breaking compatibility with older devices.
- Edge-to-browser coverage: PQC encryption is applied to the connection between the client (browser) and Transparent Edge's edge, which is the segment most exposed to traffic capture.
- No changes to the origin server: Transparent Edge acts as a TLS proxy. Your origin does not need native ML-KEM support for client-edge traffic to be protected.
- Default activation: PQC protection is enabled without additional configuration, following the same principle that has guided the adoption of TLS in the industry: security by default is the only way to protect infrastructure at scale.
- Compatibility with major browsers: Chrome, Firefox and Edge already support ML-KEM, which means the percentage of actual traffic protected is significant from day one.
Key Benefits
Protection Against HNDL
It ensures that data intercepted today remains unreadable to future quantum decryption capabilities.
Frictionless Operation
It does not require dedicated physical connectivity between client and server. PQC runs on the existing network infrastructure without the need for specialised hardware. The performance impact is minimal, even on short-lived TLS connections.
Early Regulatory Compliance
It aligns your infrastructure with future guidelines from organisations like NIST and government agencies that already require quantum migration plans. Adopting ML-KEM now positions your infrastructure to meet the requirements that will be mandatory in the coming years.
What Does Perimetrical Offer to Adopt PQC?
Our clients gain an advanced layer of protection without impacting the operation of their services. By delegating encryption management to our distributed network, clients avoid the technical complexity of reconfiguring their origin servers or updating critical cryptographic libraries.
The key advantage is the guarantee that your digital assets and your users’ privacy are protected against the technological obsolescence of current encryption systems.
How Is It Activated and What Is the Cost?
Post-quantum cryptography support is enabled by default for all traffic using TLS 1.3 and compatible browsers (such as recent versions of Chrome, Firefox or Edge). No manual intervention or additional configuration is required. This functionality is integrated as a security standard across all our services, so there is no additional cost.