Here’s a number worth sitting with: more than half of all human web traffic is post-quantum encrypted right now. That’s not a forecast. It’s from Cloudflare Radar. And here’s the part that might surprise you — most organisations did absolutely nothing to get there. No migration project. No TLS stack upgrade. No settings to change. A single iOS update — iOS 26, released mid-September 2025 — moved the global share from 29% to 52% in about a week.
That shift tells you something important. The infrastructure has been ready for years. The clients just hadn’t caught up yet. Cloudflare had its server side sorted since October 2022. All it needed was scale — and iOS 26 delivered it.
So this article is a map of what’s already deployed. Which platforms have quietly post-quantum-encrypted your connections. What Microsoft has shipped for developers who need to go further. What tools you can use right now. And — crucially — where the line is between what you already have and what still needs deliberate work from your team.
The urgency driving all of this is the harvest now, decrypt later threat — adversaries capturing today’s encrypted traffic to decrypt once quantum computers arrive. This article is part of our series on why post-quantum cryptography cannot wait — that piece has the full picture on the threat. Here, we’re focused on the tooling.
Why Is More Than Half of All Web Traffic Already Post-Quantum Encrypted?
Short answer: Cloudflare deployed post-quantum hybrid TLS on its servers back in October 2022 and then just waited for the clients to catch up. iOS 26 provided most of that catch-up in a single week.
Since October 2022, every website and API served through Cloudflare over TLS 1.3 has supported post-quantum hybrid key exchange. Automatically. No certificate changes. No configuration tweaks. The server was ready; it just needed compatible clients on the other end.
iOS 26 changed that. When Apple shipped iOS 26 in mid-September 2025, every updated Apple device started advertising support for X25519MLKEM768 in every TLS 1.3 handshake. When a Cloudflare server sees that in the supported_groups extension, it negotiates the hybrid key exchange automatically.
Four days after iOS 26 launched, the global share of post-quantum-capable requests from iOS devices jumped from under 2% to 11%. In regions with high iOS market share — Kuwait, Puerto Rico — the effect was even sharper. Google Chrome had already contributed its share of client-side support; iOS 26 added the mobile volume that pushed the aggregate past 50%.
What does this mean in practice if you’re running a SaaS product behind Cloudflare? If your users are on iOS 26 or Chrome, those TLS connections to the Cloudflare edge are already hybrid post-quantum encrypted. You didn’t do anything to make that happen.
How Does Cloudflare Automatically Apply Post-Quantum TLS Without Any Configuration?
No toggle in the dashboard. No certificate to replace. No API call to make. Cloudflare enables X25519MLKEM768 by default on all TLS 1.3 connections at its edge. Clients that don’t support it fall back gracefully to classical key exchange. Nothing breaks.
If you want to verify it’s happening, on macOS Tahoe 26 the nscurl tool shows the negotiated key exchange group. Cloudflare Radar gives you per-domain PQC negotiation rates. And if you’re really keen, Wireshark shows the TLS identifier 0x11ec when X25519MLKEM768 is negotiated.
The thing most people miss is Cloudflare’s three-connections model. Any request to a Cloudflare-hosted service involves three distinct TLS sessions: visitor-to-Cloudflare-edge, Cloudflare’s internal connections, and Cloudflare-to-origin-server. Each one needs its own PQC migration.
The visitor-to-edge connection has been automatically post-quantum protected since October 2022. Cloudflare’s internal connections have been largely upgraded since September 2023. The Cloudflare-to-origin connection depends entirely on your origin server. If your origin hasn’t been updated, that last leg is still classical cryptography.
This is the gap platform-level PQC doesn’t close. Your users’ connections to Cloudflare are protected. The connection from Cloudflare to your origin may not be.
Full technical documentation: developers.cloudflare.com/ssl/post-quantum-cryptography.
What Is Hybrid Cryptography and Why Is X25519MLKEM768 the Right Pattern for the Transition?
The pattern you’ll see across Cloudflare, Apple, Microsoft, and the VPN ecosystem is hybrid cryptography — running a classical algorithm and a post-quantum algorithm in parallel within a single handshake, combining both outputs into one shared secret.
The security logic is straightforward: the session is secure if either component holds. If ML-KEM-768 turns out to have an unforeseen weakness, X25519 still provides classical protection. If X25519 is broken by a quantum computer, ML-KEM-768 covers you. Hybrid is the conservative engineering call for a transition period where post-quantum algorithms are standardised but not yet as battle-tested as decades-old classical ones.
ML-KEM is the NIST standard (FIPS 203) for the algorithm family previously known as CRYSTALS-Kyber. It’s a key encapsulation mechanism: the sender encapsulates a shared secret under the recipient’s public key; only the matching private key can decapsulate it. The “768” parameter set targets NIST security level 3, roughly equivalent to AES-192. You’ll see sources use both “Kyber” and “ML-KEM” — they’re the same thing. ML-KEM-768 was previously called Kyber768.
Key agreement is one of two TLS migrations you need to think about. The other is digital signatures, handled by ML-DSA (FIPS 204). Cloudflare is rolling out ML-DSA for authentication; Microsoft shipped ML-DSA APIs alongside ML-KEM in its November 2025 release. For a thorough breakdown of the NIST standards underlying these tools — including algorithm comparison tables and the mathematical intuition behind why lattice problems resist quantum attacks — that’s covered separately.
The design principle both Microsoft and NordVPN cite is cryptographic agility — building systems so algorithm choices can be swapped without re-engineering everything around them. The architecture behind hybrid key exchange goes deep on this if you want the full picture.
What Has Microsoft Shipped for Post-Quantum Cryptography in Windows Server 2025 and .NET 10?
In November 2025, via Windows Update KB5068861, Microsoft made ML-KEM and ML-DSA generally available on Windows Server 2025 and Windows 11 (versions 24H2 and 25H2). These are production-ready, fully supported APIs — not a preview, not experimental — built into the Cryptography API: Next Generation (CNG) library.
For Windows-native developers, CNG now exposes ML-KEM for key encapsulation and ML-DSA for digital signatures. Examples are at learn.microsoft.com/en-us/windows/win32/seccng/cng-mlkem-examples.
If your team runs Linux containers, .NET 10 has the same APIs in cross-platform form — the same PQC-enabled code runs on Windows or Linux without changes. Documentation is at learn.microsoft.com/en-us/dotnet/core/whats-new/dotnet-10/libraries#post-quantum-cryptography-pqc.
One gap remains worth flagging. Active Directory Certificate Services (ADCS) support for ML-KEM and ML-DSA certificate issuance is targeted for early 2026. Until then, internal certificate authorities can’t issue post-quantum-signed certificates. If you’re in FinTech or HealthTech managing regulated internal PKI, that ADCS timeline matters for your 2026 planning. The APIs to build with are available now — it’s just the internal CA piece that’s pending.
What Is age v1.3.0 and How Does It Give Developers Post-Quantum File Encryption Today?
age is an open-source file encryption CLI tool maintained by Filippo Valsorda — widely used as a simple, auditable alternative to GPG. Version 1.3.0 added native post-quantum recipients using the same hybrid pattern as Cloudflare and Apple: HPKE with ML-KEM-768 combined with X25519.
Post-quantum recipients use an age1pq1... address format. You generate a keypair with age-keygen -pq. Encrypting to a post-quantum recipient works exactly the same as standard age encryption — pass the recipient address and only the matching private identity can decrypt. That’s it.
age v1.3.0 is stable and appropriate for developer evaluation right now, and for non-regulated production file encryption — backups, secrets, configuration. If you’re in a regulated industry you’ll want to verify your compliance framework accepts the HPKE + ML-KEM-768 construction before going to production. Official repository: github.com/FiloSottile/age.
Worth a brief mention: Arcan 0.7.1 (December 2025) — a desktop environment — added ML-KEM to its forward-secrecy key ratcheting, explicitly as protection against collect-now-decrypt-later attacks. ML-KEM is becoming a standard engineering decision for security-conscious open-source projects. The tooling is moving fast.
Consumer VPNs Got There First: What NordVPN, Proton VPN, and ExpressVPN Have Already Deployed
Consumer VPN providers have moved ahead of most enterprise applications. NordVPN, Proton VPN, and ExpressVPN have all deployed post-quantum key exchange at scale. This is not pilots or previews — it’s production.
NordVPN has the most complete deployment. Since May 2025, NordVPN uses ML-KEM integrated into NordLynx — its WireGuard-based VPN protocol — with session keys rotating every 90 seconds. Users need to manually enable PQE in Settings > Connections; once enabled, it activates automatically for all NordLynx connections.
NordVPN’s next target is post-quantum authentication — the login phase, not just the tunnel. CTO Marijus Briedis: “I think it’s the beginning of cryptographic agility as a whole.” Even the leading PQC deployment still has deliberate work remaining.
Proton VPN began building an in-house PQC architecture in October 2025 with full rollout planned for 2026. ExpressVPN has integrated PQC into its Lightway protocol. The consumer VPN ecosystem has broadly made the move.
The foundational threat that makes this tooling adoption urgent covers the HNDL risk driving all of this.
What Does Your Stack Still Need You to Do Deliberately?
Platform-level PQC gets you part of the way. It does not cover everything. The distinction matters: Platform PQC happens automatically when you use updated infrastructure. Application-level PQC requires deliberate engineering from your team.
For organisations behind Cloudflare, the visitor-to-edge connection is covered. What remains:
- The Cloudflare-to-origin connection: Your origin server needs to support post-quantum key exchange. Cloudflare Tunnel (Zero Trust) lets you avoid updating each origin application individually.
- Internal service mesh and microservices: TLS between internal services is not touched by platform PQC. Each service’s TLS configuration needs deliberate migration.
- Data at rest: File encryption, database encryption, and backup storage are separate from TLS. age v1.3.0 covers the file encryption case for non-regulated contexts.
- Email encryption: SMTP and email security protocols are untouched by platform PQC.
- Certificate infrastructure: Until ADCS ships in early 2026, internal CAs can’t issue post-quantum-signed certificates. Plan for this if you run internal PKI.
Connections on TLS 1.2 or earlier aren’t covered either — Cloudflare’s automatic post-quantum support requires TLS 1.3 or HTTP/3.
The Microsoft CNG and .NET 10 APIs are where application-level PQC work begins today. The tooling is not the barrier.
For anything new you’re building, adopt cryptographic agility from the start. Don’t hard-code algorithm choices in ways that require re-engineering when recommendations change. Systems built with agility adapt; systems with hard-coded dependencies will need expensive rework.
The starting point is a cryptographic inventory — auditing every cryptographic dependency to map what is platform-protected versus what remains exposed. That’s Step 1. How these tooling choices fit into a structured migration roadmap is the natural next step.
Frequently Asked Questions
Is my website automatically post-quantum encrypted if I use Cloudflare?
Partially. The visitor-to-edge connection is hybrid post-quantum encrypted for iOS 26 and Chrome users, with no configuration required. The Cloudflare-to-origin connection is a separate TLS session — not automatically protected. That requires changes on your origin server or Cloudflare Tunnel.
Do I need to do anything to enable Cloudflare’s post-quantum TLS on my site?
No. Cloudflare enables X25519MLKEM768 by default on all TLS 1.3 connections. Documentation: developers.cloudflare.com/ssl/post-quantum-cryptography.
Which ML-KEM parameter set does Cloudflare use?
ML-KEM-768, combined with X25519 as X25519MLKEM768 (TLS identifier 0x11ec). ML-KEM-768 targets NIST security level 3, roughly equivalent to AES-192.
What exactly changed in iOS 26 that made post-quantum traffic jump from 29% to 52%?
iOS 26 added X25519MLKEM768 to the supported_groups extension in TLS 1.3 ClientHello messages. Because Cloudflare had supported this hybrid group since October 2022, every iOS 26 device immediately began establishing post-quantum connections to Cloudflare-hosted sites — no server-side change needed. A single OS update moved the aggregate share by more than 23 percentage points.
Is ML-KEM the same as Kyber?
Yes, with a terminology distinction. Kyber is the algorithm family that won the NIST competition; ML-KEM is the finalised standard (FIPS 203, August 2024). ML-KEM-768 was previously called Kyber768.
Can I use post-quantum cryptography in my .NET application today?
Yes. .NET 10 (generally available since late 2025) includes ML-KEM and ML-DSA APIs supported on Windows and Linux. Documentation: learn.microsoft.com/en-us/dotnet/core/whats-new/dotnet-10/libraries#post-quantum-cryptography-pqc.
Is age v1.3.0 ready for production file encryption?
age v1.3.0 is stable and widely used. The ML-KEM recipient feature uses a well-reviewed HPKE + ML-KEM-768 hybrid. It’s appropriate for developer evaluation and non-regulated production use. Regulated industries (FinTech, HealthTech) should verify compliance framework acceptance before production adoption.
Does NordVPN’s post-quantum encryption protect all my VPN traffic?
Since May 2025, all NordVPN applications use ML-KEM via NordLynx with 90-second session key rotation. Users must enable PQE manually in Settings > Connections. The authentication phase (login) is not yet post-quantum protected — that’s planned for H1 2026.
What is the “harvest now, decrypt later” threat?
HNDL is the threat model where adversaries capture and archive encrypted traffic today and store it until a capable quantum computer can break classical cryptography. Data encrypted today may already be in adversary archives. That’s why migration is urgent now — well before quantum computers actually exist.
How do I check whether my connections use X25519MLKEM768?
On macOS Tahoe 26, nscurl shows the negotiated key exchange group. Cloudflare Radar provides per-domain PQC rates at radar.cloudflare.com/post-quantum#browser-support. Wireshark shows the TLS identifier 0x11ec when X25519MLKEM768 is negotiated.
What is cryptographic agility and why does it matter for systems I build today?
Cryptographic agility is the design principle of building systems so algorithms can be swapped without re-engineering the application. NIST’s standards are finalised but the PQC ecosystem is still maturing. Systems with hard-coded algorithm choices will need expensive rework down the track. NordVPN CTO Marijus Briedis describes their PQC deployment as “the beginning of cryptographic agility as a whole.”
What comes after this for enterprise certificate infrastructure?
Microsoft’s ADCS is targeted to add ML-KEM and ML-DSA certificate issuance in early 2026. Until then, internal certificate authorities can’t issue post-quantum-signed certificates. FinTech and HealthTech organisations running regulated internal PKI should include the ADCS timeline in their 2026 planning.
