Half the Internet Is Already Quantum-Proof. The Other Half Has Until 2030.
Over 50% of Cloudflare's human web traffic now uses post-quantum encryption. NIST will deprecate RSA-2048 by 2030 and ban it entirely by 2035. The largest cryptographic migration in history is halfway done β and most companies haven't started.
Fifty-three percent.
That's the share of human-initiated web traffic flowing through Cloudflare's network that was protected by post-quantum key exchange as of October 2025. Not theoretically protected. Not on a roadmap. Actually encrypted with ML-KEM-768 (formerly Kyber), piggybacking on a hybrid handshake alongside classical X25519 β so if either algorithm fails, the other still holds.
You didn't notice. That's the point.
While most of the cybersecurity industry was still debating when "Q-Day" might arrive β the moment a quantum computer can factor a 2048-bit RSA key in hours instead of centuries β the browser vendors and CDN operators quietly made it irrelevant for the majority of web browsing. Chrome enabled post-quantum TLS by default. Firefox followed. Edge followed. Cloudflare flipped the switch for every site on its network. The adoption curve went from 2% to 53% in roughly eighteen months.
The NIST Ultimatum
In November 2024, NIST published IR 8547 β the document that put a countdown clock on classical cryptography. Two dates matter:
| Deadline | What Happens | What It Means |
|---|---|---|
| 2030 | RSA-2048 and ECC-256 officially deprecated | New systems must not use them |
| 2035 | Completely disallowed | Legacy systems must have migrated or gone dark |
Three standards finalized in August 2024 form the replacement stack: FIPS 203 (ML-KEM, for key exchange), FIPS 204 (ML-DSA, for digital signatures), and FIPS 205 (SLH-DSA, a hash-based fallback signature). An eight-year standardization process that started in 2016 with 82 candidate submissions ended with three winners and a clear migration path.
Three years and nine months until deprecation. Not from the announcement β from now.
The Scoreboard No One Published
Here's who's actually deployed post-quantum cryptography β not announced, not piloted, deployed:
| Who | What They Did | When | Users Covered |
|---|---|---|---|
| Cloudflare | Hybrid PQ TLS for all sites on network | Early 2025 | ~20% of all websites |
| Chrome/Edge | ML-KEM in TLS 1.3 enabled by default | 2024 | ~3.5B browser installs |
| Firefox | Hybrid PQ key exchange default | 2025 | ~180M users |
| Signal | PQXDH protocol (X25519 + Kyber-1024) | Sept 2023 | ~40M users |
| Apple iMessage | PQ3 protocol (Kyber-1024, ratcheting) | March 2024 | ~1.8B devices |
| AWS | Hybrid PQ TLS for KMS and ACM | 2024 | Millions of API endpoints |
Signal was first β September 2023, before NIST even published the final standards. Apple followed six months later with PQ3, which does something Signal doesn't: periodic post-quantum rekeying, so even if a single key is compromised, future messages stay safe. These two messaging platforms alone cover roughly 1.84 billion devices with quantum-resistant encryption.
The pattern is clear. Consumer-facing products moved fast. Enterprise infrastructure has barely moved at all.
Harvest Now, Decrypt Later
The reason everyone is rushing: your encrypted data may already be stolen.
CISA, the NSA, and the FBI have all issued public warnings about "Harvest Now, Decrypt Later" (HNDL) campaigns. State-level adversaries are intercepting and storing encrypted traffic today β diplomatic cables, corporate R&D, financial transactions, health records β banking on the assumption that quantum computers capable of decrypting it will exist within 10-15 years.
The math is uncomfortable. If you're a pharmaceutical company and your encrypted R&D data has a commercial value window of 20 years, and a nation-state captured that data in 2023, and a cryptographically relevant quantum computer arrives by 2033 β they get a decade of use out of your stolen secrets. The encryption you trusted was never broken. It just has an expiration date nobody told you about.
This isn't speculative. The Chinese Salt Typhoon campaign β which compromised major US telecommunications providers in late 2024 β intercepted both metadata and encrypted content from networks carrying government and corporate traffic. Whether the encrypted content was specifically targeted for future quantum decryption is unknowable from the outside. But the collection capability is documented.
The Hard Half
Cloudflare's 53% sounds impressive. It is. But it's the easy half.
Web browser TLS required changes from maybe five organizations β Google, Mozilla, Apple, Microsoft, and Cloudflare. They update billions of endpoints with a single software release. Server-side, Cloudflare handles the termination at the edge, so the actual origin servers don't need to change at all.
Everything else is a slog.
Internal API calls. VPN tunnels. SSH keys. Database connections. SCADA systems in power plants running firmware from 2014. Medical devices with hardcoded certificates. IoT sensors with no update mechanism. Email encryption (S/MIME, PGP) that nobody has even started migrating. Code signing certificates embedded in a decade of deployed software.
The enterprise migration is where the pain concentrates. A 2024 Keyfactor survey found that 57% of organizations haven't started their PQC migration. Not "haven't finished" β haven't started. The median large enterprise has over 300,000 machine identities (certificates, keys, tokens) spread across systems managed by different teams, vendors, and decades of accumulated technical debt.
Microsoft has already signaled that Active Directory Certificate Services β which undergirds identity management for most Fortune 500 companies β won't have a clean PQC migration path without significant redesign. If you're running AD CS, you're probably going to be doing manual surgery on your PKI.
Y2Q vs Y2K
The comparison is inevitable. Y2K cost an estimated $600 billion globally to remediate, and it had a single, immovable deadline that concentrated minds wonderfully. Y2Q (or Q-Day, or the quantum apocalypse β the naming hasn't converged) is harder for three reasons:
One: the deadline is soft. NIST says 2030/2035, but the actual threat materializes whenever someone builds a cryptographically relevant quantum computer. That could be 2032. It could be 2040. The uncertainty makes it psychologically easy to defer.
Two: Y2K was a find-and-replace problem. Two-digit years to four-digit years. Post-quantum migration touches cryptographic primitives embedded at every layer of the stack, from TLS certificates to firmware signing to database encryption at rest. There's no grep for this.
Three: the consequences are invisible until they're catastrophic. Y2K had a theatrical quality β planes might fall from the sky! ATMs might stop working! PQC failure looks like nothing at all until, one day, someone decrypts ten years of your intercepted traffic simultaneously.
The Bottom Line
The Internet is being re-encrypted in real time. Over half of web traffic is already quantum-safe. Your Signal messages are quantum-safe. Your iMessages are quantum-safe. Google, Cloudflare, and AWS moved without asking your permission or your IT department's.
The consumer Internet will be fine. The enterprise Internet β the internal systems, the legacy infrastructure, the 300,000 certificates nobody has inventoried β that's where the 2030 deadline is going to hurt. If your organization hasn't at least conducted a cryptographic inventory, you're already behind. The quantum computer that breaks RSA doesn't need to exist yet. The data being harvested today does.
Sources
- Cloudflare, "State of the post-quantum Internet in 2025" (October 2025) β 53% of human traffic using PQ key exchange
- NIST, IR 8547: Transition to Post-Quantum Cryptography Standards (November 2024) β RSA-2048 deprecation by 2030, disallowed by 2035
- NIST, Post-Quantum Cryptography Project β FIPS 203, 204, 205 finalized August 2024
- Signal Foundation, "PQXDH: Post-Quantum Extended Diffie-Hellman" (September 2023)
- Apple Security Research, "iMessage with PQ3" (March 2024)
- PQShield, "The new NIST standards are here: what does it mean for PQC?" (2025)
- Sectigo, "NIST's bold move towards Post-Quantum Cryptography" (December 2024)
- Cryspen, "An Analysis of Signal's PQXDH" β formal verification of Signal's PQ protocol
- CISA, FBI, NSA β joint advisory on "Harvest Now, Decrypt Later" campaigns (multiple 2024-2025 advisories)
- Post Quantum Inc., "Harvest Now, Decrypt Later" β HNDL campaign analysis