Over a seven-day measurement period, the share of human-generated HTTPS requests using post-quantum key exchange recently surpassed 70 percent, according to Cloudflare’s telemetry.
The 70 percent milestone in Cloudflare telemetry
Cloudflare’s data, presented during the webinar “Securing the DoW’s Digital Perimeter with Cloudflare One PQC,” shows post-quantum key exchange is no longer an experimental trickle — it is already protecting billions of requests every day. That visibility across a large slice of internet traffic gives a real-world barometer for how quickly post-quantum cryptography (PQC) is being deployed at the transport layer.
Yet the same telemetry tells a story of uneven adoption: client and server support must align for the measurement to grow, and Cloudflare notes significant infrastructure upgrades remain necessary before PQC is pervasive.
Harvest now, decrypt later: the threat shaping strategy today
The motivating risk driving this work is the “harvest now, decrypt later” scenario: adversaries collect encrypted traffic today with the expectation that future quantum capabilities will permit decryption. That risk is already influencing long-term data protection planning for agencies and enterprises, according to the webinar discussion.
Cloudflare’s framing treats post-quantum protections as an immediate design consideration rather than a distant roadmap item — blocking future quantum adversaries from attacking live systems after a so-called “Q-day,” in the words of Jeremy Corey, Senior Solutions Engineer at Cloudflare.
Cloudflare’s post-quantum authentication roadmap: ML-DSA and Merkle Tree Certificates
To reduce the long-term risk of attackers impersonating trusted websites and services, Cloudflare is building a post-quantum authentication roadmap that supports ML-DSA and Merkle Tree Certificates (MTCs). Jeremy Corey described MTCs as “an answer to the next generation of certificate formats that enables post-quantum signatures at scale.”
The roadmap aims to let organizations transition toward quantum-safe authentication while preserving the performance characteristics needed for large-scale internet environments. That balance — security without unacceptable latency — is central to the approach Cloudflare described.
TLS handshakes, signature size, and operational limits
Corey highlighted a core technical constraint slowing widespread PQC replacement: “Post-quantum signatures are 10 to 100 times larger than classical encryption-based digital signatures.” Those larger signature sizes have a measurable impact on TLS handshake performance across the internet.
Cloudflare also reported a deployment gap at origin infrastructure: “Only 10 percent of our customer origin servers sitting behind Cloudflare’s network support hybrid PQC.” That gap underscores the operational and infrastructure changes organizations must make to realize end-to-end post-quantum protection.
What this means for federal agencies, enterprises, and end users
- Federal agencies: As federal agencies modernize digital infrastructure, the shift to post-quantum security will increasingly influence cyber resilience and identity protection strategies; agencies will need to plan for infrastructure upgrades and hybrid deployments, per the webinar’s framing.
- Enterprises and Cloudflare customers: Enterprises must reconcile the performance costs of larger post-quantum signatures with the benefits of long-term confidentiality; the telemetry showing billions of daily requests and the 10 percent origin support figure point to an operational transition window rather than immediate, universal change.
- End users: While much of the heavy lifting happens in networks and origin servers, end users already touch post-quantum protections when their browsers and services support PQC algorithms — a necessary condition for the telemetry-reported adoption to continue rising.
Conclusion
Cloudflare’s presentation makes a clear analytic claim: post-quantum security has moved from theoretical risk to practical engineering challenge. The company reports large-scale key-exchange adoption in the wild, yet also documents concrete constraints — signature-size inflation and limited origin support — that will shape the pace of broader deployment. Organizations and federal agencies face a two-part task: update infrastructure to support hybrid PQC today, and redesign certificate and authentication systems (ML-DSA, MTCs) to preserve performance at internet scale. How quickly that work is completed will determine whether the “harvest now, decrypt later” window closes before future quantum capabilities arrive.




