Cloudflare Secures Majority of Internet Traffic with PQC
29 Oct 2025 – The Internet is quietly undergoing a massive cryptographic upgrade to resist quantum attacks – and as of October 2025, a major milestone was reached: over 50% of human web traffic through Cloudflare’s network is now protected with post-quantum encryption. Cloudflare, which operates one of the world’s largest content delivery and security networks handling a significant chunk of global internet traffic, announced that the “majority of human-initiated traffic” it processes is using quantum-resistant keys in the TLS (Transport Layer Security) protocol.
Practically, this means if you visit a website and your connection goes through Cloudflare (which many sites use), there’s a better than even chance that the HTTPS connection is secured by a hybrid classical/post-quantum key exchange – typically combining a conventional algorithm like X25519 with a post-quantum algorithm like Kyber. These hybrid TLS handshakes ensure that even if an adversary records the encrypted traffic now, they wouldn’t be able to decrypt it later with a quantum computer (the post-quantum component foils the “harvest now, decrypt later” attack).
This rapid adoption is striking. It was only in mid-2022 that NIST selected post-quantum algorithms, and by early 2023 Cloudflare and browser makers started testing them. Now, in late 2025, Cloudflare reports that broad support from browsers (like Chrome, Edge, and Firefox enabling PQC in TLS by default) and Cloudflare’s own rollout of hybrid key agreements have pushed quantum-safe connections over the 50% threshold. Essentially, if you’re using an up-to-date browser to reach a Cloudflare-protected site, chances are your connection is already quantum-secure without you noticing.
Cloudflare’s blog framed this as being “halfway to a fully post-quantum secure Internet”. It’s an important halfway point: the “easy half” is securing client-to-server traffic (human web browsing), because that mostly involves a few big players updating browsers and CDNs. The “hard half” will be things like internal API calls, legacy devices, email protocols, VPNs and so on that are slower to change. Still, getting the bulk of web page loads PQC-protected is a huge accomplishment in proactive security.
One might ask: how can you tell if a connection is using post-quantum TLS? Cloudflare provides a Radar site with metrics, and indeed in Chrome you can dig into the connection info to see if a Kyber or BIKE key exchange was used. The trend has been climbing steeply since early 2025, when Cloudflare made hybrid PQC key exchanges the default for all sites on its network (something they can do transparently at the edge).
For the average internet user, this milestone passed without fanfare – which is actually a triumph of good security UX. The strongest encryption was enabled and adopted largely in the background, without breaking things or slowing them down (the PQC algorithms are efficient enough that users don’t notice any difference). It stands in contrast to some past crypto upgrades (like the shift from HTTP to HTTPS or from SHA-1 to SHA-2) which were more visible and sometimes contentious. Here, necessity drove quick collaboration among industry and academia, given the ticking clock of quantum advancements.
Cloudflare’s initiative also extends to things like securing QUIC connections and DNS. Their message is clear: post-quantum cryptography is ready for prime time and already defending real-world data traffic. They emphasize that this is critical to stay ahead of threats: while quantum computers capable of breaking current crypto might be years away, the Internet’s information has to be safe against retrospective decryption (again, the “harvest now, decrypt later” threat, or HNDL). With 50% down, the focus will turn to the remaining portions – getting enterprises to update TLS on their own servers, upgrading the myriad IoT and embedded systems, and ensuring email encryption (PGP, S/MIME, etc.) moves to PQC.
In summary, Cloudflare’s announcement is a bright spot of progress in cyber defense. It shows the ecosystem can respond to future threats in advance. Over half of the web’s traffic becoming quantum-resistant by 2025 is a big deal; it means when “Q-day” comes, at least the majority of web browsing won’t be low-hanging fruit. The task now is to bring along the rest, but for once, the defenders are a step ahead.