Cloudflare Introduces Post-Quantum Encryption To Defend Against Future Quantum Threats

Cloudflare, a leading DDoS-mitigation service, has taken a major step toward securing online communications against future quantum threats by integrating post-quantum cryptography (PQC) protections into its Zero Trust platform.

This advancement enables organizations to protect their corporate network traffic from potential quantum computing attacks without the need to individually upgrade each application or system.

This initiative is part of Cloudflare’s broader strategy to future-proof its services against the potential risks posed by quantum computing. While experts believe practical quantum computers capable of breaking classical encryption remain years or even decades away, the company is proactively preparing for this evolving landscape.

The National Institute of Standards and Technology (NIST) has advised the private sector and other organizations to begin the laborious process of replacing their quantum-vulnerable public-key cryptography. NIST's draft transition guidance sets 2030 as the date by which today's RSA and elliptic-curve algorithms are deprecated, so most digital data and devices should be protected by post-quantum algorithms by then. The adoption of such encryption by major service providers like Cloudflare is an important component of that migration strategy, because it upgrades a large share of the web in one place. According to 2022 data from W3Techs, Cloudflare's services are used by 1 out of every 5 websites, while Netcraft found it was used by nearly 20% of the million busiest websites on the internet. Many of the world's largest websites rely on Cloudflare's services to defend against DDoS attacks.

For over a decade, NIST has been developing strategies to protect sensitive data from future quantum threats. In 2024 the agency published its first finalized post-quantum standards (ML-KEM for key establishment, and ML-DSA and SLH-DSA for digital signatures) and is urging widespread adoption. The urgency stems from concerns that adversaries may be stockpiling encrypted data today, with plans to decrypt it once quantum technology matures.

Some experts also warn of the risk of a “technological surprise,” where quantum breakthroughs occur sooner than expected, leaving unprepared organizations vulnerable. This uncertainty has led many businesses to weigh how quickly and aggressively they should transition to post-quantum security.

Since 2017, Cloudflare has been actively developing post-quantum security solutions, aligning with NIST's efforts to transition away from traditional public-key algorithms. In November 2024, NIST published a draft phased plan to retire RSA and Elliptic Curve Cryptography (ECC): the algorithms are deprecated after 2030 and disallowed entirely after 2035. Cloudflare is implementing PQC well ahead of this timeline so that customers are protected before quantum computing poses a real threat, and before "harvest now, decrypt later" collection of today's traffic pays off.

Currently, over 35% of non-bot HTTPS traffic passing through Cloudflare is already secured with PQC. Additionally, organizations can now use Cloudflare's Zero Trust platform to carry corporate network traffic to and through Cloudflare's network under post-quantum key agreement. Because the PQC protection is applied on the connections Cloudflare terminates and originates, businesses do not have to upgrade each internal application individually to get it.

Key PQC Use Cases in Cloudflare’s Zero Trust Platform:

  • Clientless Access: Cloudflare’s Zero Trust Network Access (ZTNA) solution now secures every HTTPS request to corporate applications with PQC, ensuring quantum-resistant browser connections.
  • WARP Device Client: By mid-2025, the WARP client will encrypt all traffic—regardless of protocol—via a PQC-protected connection, securing corporate devices and enabling private routing through Cloudflare’s global network.
  • Secure Web Gateway (SWG): TLS connections that Cloudflare Gateway makes on behalf of users are now protected with PQC key agreement, so inspected web traffic does not lose quantum resistance on the upstream hop.

Beyond HTTPS, Cloudflare is prioritizing security for VPN replacements and other critical network functions. The company is actively collaborating with banks, ISPs, and governments to deploy PQC solutions, mitigating “harvest now, decrypt later” attacks—where adversaries collect encrypted data to decrypt once quantum computing becomes viable.

Cloudflare's long-term strategy focuses on transitioning the TLS 1.3 protocol to PQC, which involves two separate pieces: key agreement (what protects the session against later decryption) and digital signatures (what authenticates the server). Key agreement is the part that has migrated, using a hybrid of X25519 and the ML-KEM key encapsulation mechanism (the X25519MLKEM768 named group), so the session stays secure if either component holds. Digital signatures remain at an early stage: post-quantum signatures and public keys such as ML-DSA's are several kilobytes each, and a TLS handshake carries multiple signatures and keys in the certificate chain, so migrating them adds tens of kilobytes to every handshake and measurably slows connection setup.
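One concrete way to verify the key-agreement side of this migration on your own clients is to inspect the TLS ClientHello: a post-quantum client lists a hybrid group such as X25519MLKEM768 in its supported_groups extension and sends a key share for it. The script below is an added example, not Cloudflare's code. It constructs a minimal ClientHello in which random bytes stand in for real key shares, then parses the supported_groups and key_share extensions back out of it. The group codepoints are the IANA TLS named-group values; the 1216-byte hybrid key share is 1184 bytes of ML-KEM-768 encapsulation key plus 32 bytes of X25519 public key, which is why a post-quantum ClientHello is far larger than a classical one.

```python
"""Inspect a TLS 1.3 ClientHello for post-quantum hybrid key agreement.

Added example (not Cloudflare's code). It builds a minimal, constructed
ClientHello record, then parses the supported_groups and key_share
extensions to report which groups the client offers and how large each
key share is.
"""
import os
import struct

# IANA TLS Supported Groups codepoints.
NAMED_GROUPS = {
    0x0017: "secp256r1",
    0x001D: "x25519",
    0x11EC: "X25519MLKEM768",        # hybrid deployed by Cloudflare and browsers
    0x6399: "X25519Kyber768Draft00",  # earlier draft hybrid, being phased out
}
PQ_HYBRID_GROUPS = {0x11EC, 0x6399}


def _vec(data: bytes, width: int) -> bytes:
    """Length-prefixed vector, the building block of the TLS wire format."""
    return len(data).to_bytes(width, "big") + data


def build_client_hello(groups, key_shares):
    """Construct a minimal TLS 1.3 ClientHello record (constructed test input)."""
    supported_groups = _vec(b"".join(g.to_bytes(2, "big") for g in groups), 2)
    key_share = _vec(b"".join(g.to_bytes(2, "big") + _vec(ks, 2) for g, ks in key_shares), 2)
    extensions = (
        struct.pack(">H", 10) + _vec(supported_groups, 2)  # supported_groups (10)
        + struct.pack(">H", 51) + _vec(key_share, 2)       # key_share (51)
    )
    body = (
        b"\x03\x03"                      # legacy_version: TLS 1.2
        + os.urandom(32)                 # random
        + _vec(b"", 1)                   # legacy_session_id: empty
        + _vec(b"\x13\x01\x13\x02", 2)   # cipher suites: AES-128/256-GCM
        + _vec(b"\x00", 1)               # compression: null
        + _vec(extensions, 2)
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = ClientHello
    return b"\x16\x03\x01" + _vec(handshake, 2)                # record type 22 = handshake


def parse_client_hello(record: bytes):
    """Return {'groups': [...], 'key_shares': {group: key_share_length}}."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:]                                     # skip 5-byte record header
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    p = 4 + 2 + 32                                      # handshake header, version, random
    p += 1 + hs[p]                                      # legacy_session_id
    p += 2 + int.from_bytes(hs[p:p + 2], "big")         # cipher_suites
    p += 1 + hs[p]                                      # compression_methods
    ext_len = int.from_bytes(hs[p:p + 2], "big")
    p += 2
    end = p + ext_len
    groups, key_shares = [], {}
    while p < end:
        etype, elen = struct.unpack(">HH", hs[p:p + 4])
        p += 4
        edata = hs[p:p + elen]
        p += elen
        if etype == 10:                                 # supported_groups
            n = int.from_bytes(edata[:2], "big")
            groups = [int.from_bytes(edata[i:i + 2], "big") for i in range(2, 2 + n, 2)]
        elif etype == 51:                               # key_share: list of (group, vector)
            n = int.from_bytes(edata[:2], "big")
            q = 2
            while q < 2 + n:
                g = int.from_bytes(edata[q:q + 2], "big")
                klen = int.from_bytes(edata[q + 2:q + 4], "big")
                key_shares[g] = klen
                q += 4 + klen
    return {"groups": groups, "key_shares": key_shares}


def offers_pq_hybrid(record: bytes) -> bool:
    """True if the client both lists a PQ hybrid group and sends a key share for it."""
    info = parse_client_hello(record)
    return any(g in PQ_HYBRID_GROUPS and g in info["key_shares"] for g in info["groups"])


# Constructed samples: key shares are random bytes of the real sizes.
# ML-KEM-768 encapsulation key (1184) + X25519 public key (32) = 1216 bytes.
SAMPLE_HELLO = build_client_hello(
    groups=[0x11EC, 0x001D, 0x0017],
    key_shares=[(0x11EC, os.urandom(1216)), (0x001D, os.urandom(32))],
)
LEGACY_HELLO = build_client_hello(groups=[0x001D, 0x0017], key_shares=[(0x001D, os.urandom(32))])

if __name__ == "__main__":
    for name, hello in (("pq-hybrid", SAMPLE_HELLO), ("legacy", LEGACY_HELLO)):
        info = parse_client_hello(hello)
        print(name, f"{len(hello)} bytes;",
              [NAMED_GROUPS.get(g, hex(g)) for g in info["groups"]],
              info["key_shares"], "PQ:", offers_pq_hybrid(hello))
```

The check requires both the group listing and a matching key share because a client may advertise a group without sending a share for it, in which case the server must send a HelloRetryRequest and the client pays an extra round trip before any post-quantum key agreement happens. Feed `parse_client_hello` the handshake record from a packet capture to audit real clients.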

DDoS Attacks Overview

Distributed Denial of Service (DDoS) attacks can be categorized into three main types: volumetric attacks, protocol attacks, and resource layer attacks.

  1. Volumetric Attack: This type of attack aims to saturate the target's bandwidth with traffic that may initially look legitimate. Volumetric attacks are the most frequent type of DDoS attack. A common example is DNS (Domain Name System) amplification, in which the attacker sends small queries with a spoofed source address (the victim's) to open DNS resolvers, so that the much larger responses are delivered to the target.
  2. Protocol Attack: Protocol attacks disrupt services by exploiting weaknesses in the layer 3 and layer 4 protocol stack. A well-known example is a SYN flood, where an attacker sends a stream of TCP connection requests it never completes, filling the server's half-open connection table so that legitimate clients cannot connect.
  3. Resource (or Application) Layer Attack: This type of attack targets the application itself, sending requests that are expensive for the server to process. Examples include HTTP GET/POST floods, low-and-slow attacks that hold connections open with partial requests, and repeated calls to costly endpoints such as search or login. (SQL injection and cross-site scripting are also application-layer attacks, but they aim at exploitation rather than denial of service.)

Cyber-attackers may use a combination of these types to maximize damage. For instance, an attack might start as one type and evolve into or combine with others to amplify its impact on the target system.

Furthermore, each category contains a variety of attack methods, with the frequency of new cyber threats continuing to rise as attackers become more advanced.

How to Detect and Respond to a DDoS Attack

Although there isn't a single method to detect a DDoS attack, there are a few telltale signs your network might be under assault:

  • A sudden and unusual spike in requests, often from the same IP address or range, or from many addresses that share one profile (same geography, device type, or URL).
  • A significant slowdown in network performance or erratic behavior.
  • Complete inaccessibility of your website, online store, or service.

Monitoring that baselines your normal request rate and alerts on deviations (per source, per range, and in aggregate) gives you the earliest warning and the data to choose a response. It is also vital to have a pre-defined DDoS action plan in place, detailing specific roles and response procedures. Since not all DDoS attacks are identical, it is crucial to tailor your response to the particular attack you are facing: a volumetric flood is absorbed upstream, while an application-layer flood is addressed with rate limits and request filtering.
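The first sign above (a spike concentrated in one address or range) can be checked directly against web server access logs. The script below is an added example, not from the original article: it parses combined-format log lines, buckets them into fixed 10-second windows, and raises an alert when the request rate jumps far above a baseline, when a single address dominates a window, or when a single /24 range dominates even though each address in it stays under the per-address threshold. The log lines are constructed inline using RFC 5737 documentation addresses, and the thresholds are assumptions to tune against your own traffic.

```python
"""Spot the traffic signs of a DDoS attack in web server access logs.

Added example (not from the original article). Reads Apache/nginx
combined-format lines, buckets them into fixed windows, and alerts on an
overall rate spike, a dominant source address, or a dominant /24 range.
Log lines are constructed; thresholds are assumptions.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from ipaddress import ip_network

# Leading fields of the "combined" log format: ip ident user [ts] "request" status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return the fields we need from one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "req": m["req"], "status": int(m["status"])}


def source_range(ip):
    """Aggregate addresses into /24 (IPv4) or /64 (IPv6) ranges."""
    prefix = 64 if ":" in ip else 24
    return str(ip_network(f"{ip}/{prefix}", strict=False))


def detect_flood(lines, window_s=10, baseline_rps=1.0, spike_factor=10.0,
                 ip_threshold=50, net_threshold=100):
    """Bucket events into window_s-second windows and return a list of alert dicts."""
    buckets = defaultdict(list)
    for ev in filter(None, map(parse_line, lines)):
        buckets[int(ev["ts"].timestamp()) // window_s].append(ev)

    alerts = []
    for b in sorted(buckets):
        evs = buckets[b]
        when = datetime.fromtimestamp(b * window_s, tz=timezone.utc).isoformat()
        rps = len(evs) / window_s
        # Sign 1: overall request rate far above the normal baseline.
        if rps > baseline_rps * spike_factor:
            alerts.append({"at": when, "kind": "spike", "rps": rps})
        # Sign 2a: one address responsible for most of the window's traffic.
        ip, hits = Counter(e["ip"] for e in evs).most_common(1)[0]
        if hits >= ip_threshold:
            alerts.append({"at": when, "kind": "single_source", "src": ip, "hits": hits})
        # Sign 2b: one range responsible, even if each address stays under the radar.
        net, hits = Counter(source_range(e["ip"]) for e in evs).most_common(1)[0]
        if hits >= net_threshold:
            alerts.append({"at": when, "kind": "source_range", "src": net, "hits": hits})
    return alerts


def make_sample_lines():
    """Constructed log: a quiet minute, then a 10-second flood (RFC 5737 test addresses)."""
    def line(ip, t, path):
        return f'{ip} - - [{t.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'

    base = datetime(2025, 3, 18, 12, 0, 0, tzinfo=timezone.utc)
    # Baseline: six ordinary visitors spread over the first minute.
    lines = [line(f"192.0.2.{10 + i}", base + timedelta(seconds=10 * i), "/index.html") for i in range(6)]
    t0 = base + timedelta(minutes=2)
    # 240 requests spread over 40 hosts in 203.0.113.0/24: each host alone looks harmless.
    lines += [line(f"203.0.113.{i % 40 + 1}", t0 + timedelta(milliseconds=40 * i), "/login")
              for i in range(240)]
    # 80 requests from one chatty host.
    lines += [line("198.51.100.7", t0 + timedelta(milliseconds=100 * i), "/search?q=a")
              for i in range(80)]
    return lines


if __name__ == "__main__":
    for alert in detect_flood(make_sample_lines()):
        print(alert)
```

Against the constructed sample the detector reports three alerts for the flood window and none for the quiet minute: a rate spike (320 requests in 10 seconds), a single source (198.51.100.7 with 80 hits), and a source range (203.0.113.0/24 with 240 hits) whose individual hosts never cross the per-address threshold. That last case is the one a naive per-IP rate limit misses, which is why the range view matters.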

How to Prevent DDoS Attacks

Prevention is the best defense. Having a well-prepared process in place before a cyberthreat emerges is critical for detecting and addressing attacks promptly.

Here are some key steps to prepare:

  • Develop a comprehensive denial-of-service defense strategy to detect, prevent, and mitigate DDoS attacks.
  • Regularly assess potential threats and identify any vulnerabilities in your security setup.
  • Ensure all protective software and technologies are up to date and functioning properly.
  • Train your team and assign clear roles in case of an attack.

By implementing the right products, processes, and services, your business will be better equipped to respond when an attack is detected.

DDoS Protection

To better protect your network from future attacks, consider the following actions:

  • Conduct regular risk assessments to identify areas that need threat protection.
  • Establish a dedicated DDoS response team tasked with identifying and addressing attacks.
  • Implement robust detection and prevention tools across your online operations, and train employees on what to watch out for.
  • Continuously evaluate the effectiveness of your defense strategy, conduct practice drills, and plan for next steps to improve.

A proactive approach to DDoS protection is essential for safeguarding your business from evolving cyber threats.



Ubaid Kirmani

Security Architect 2 at Akamai Technologies

1 day ago
Scobee Bates

Network Support

2 days ago

I've been using Cloudflare for years, and I'm surprised how many techs don't use it or know of it. I use it with my VPN and on MFPs and it works well, and they do give you a couple of different DNS addresses to use.

Reply
Jasper Waale

Technology Mad, Advocatus Diaboli: Master of logic, keeper of knowledge, globetrotter, antimatter guru, Indigenous Nordic, LLM RAG fan, activist, Madisonian, frog juggler..

2 days ago

Bet my AI pen is able to break that

Reply

Great to see #Cloudflare taking proactive steps toward future-proofing #security! As cyber #threats evolve, staying ahead with the right #skills in encryption and #cybersecurity is more important than ever.

Reply
Paschoal Diniz

AppSec Analyst | DevSecOps | Secure SDLC | CyberSecurity

2 days ago

I invite you all to read and contribute to the debate in my latest article about the challenges quantum computing poses for cybersecurity: https://pt.linkedin.com/pulse/criptografia-qu%C3%A2ntica-estamos-prontos-para-o-desafio-quantum-diniz-alx3f