Preparing the Web for the Post-Quantum Era


While threats continue to ramp up and security efforts struggle to keep pace, a more existential technological challenge looms: the potential for quantum computing to undermine current public-key cryptography. Understanding the gravity of not meeting this danger when it arises, the industry is beginning preparations now, although large-scale quantum computers are not yet operational. As part of a broader long-term transition, Google has announced a new experiment in Chrome to secure HTTPS certificates against quantum computing.

Why TLS Certificates Are the Front Line of Internet Security

Transport Layer Security (TLS) and Hypertext Transfer Protocol Secure (HTTPS) are two widely adopted measures that play major roles in securing modern internet traffic. HTTPS, the secure version of HTTP, loads web pages while encrypting the data that is exchanged between the website and the browser. It protects data in transit from being read by attackers who intercept it, and it relies solely on TLS encryption rather than the deprecated Secure Sockets Layer (SSL) versions.

TLS is an improvement over the previously dominant SSL protocol that enables secure connections. During the TLS handshake, a website authenticates itself with a digital certificate that carries its public key. Unfortunately, this infrastructure is not equipped to stand up to quantum computing as it matures, so TLS has to evolve in order to be adequately prepared for the quantum age.

Google’s Experimental Integration in Chromium

Chromium is the Google-led open-source project that provides the foundation for most modern browsers, including not only Chrome, but also Microsoft Edge, Opera, and Brave. Google Chrome’s experimental flags allow users to test beta features like the new quantum-safe TLS certificates. Supporting the testing of unreleased features enables the evaluation of performance, compatibility, and interoperability with existing systems.

The Role of NIST in Standardizing Post-Quantum Cryptography

The United States National Institute of Standards and Technology (NIST) has an ongoing effort toward post-quantum cryptography standardization, with the first set of standards released in August 2024. Known as Federal Information Processing Standards (FIPS), these standards outline post-quantum encryption and digital signature algorithms for continued secure communication.

Key encapsulation mechanisms (KEMs) and digital signature schemes are consistently being evaluated and standardized in an effort to prepare for quantum threats. Industry implementations by leading companies like Google help to validate and refine the standards set forth by NIST, putting them to the test and finding the weak points in advance of when this technology is fully necessary.

Why the Transition to Quantum-Safe Security Will Take Years

Sufficiently protecting against the coming quantum computing threat is a complex, deeply involved process, demanding the replacement of global cryptographic infrastructure. “Current web PKI uses classical signatures measured in tens of bytes, while quantum-resistant equivalents like ML-DSA run to a few kilobytes each,” says Jacob Krell, Senior Director: Secure AI Solutions & Cybersecurity, Suzu Labs. “Applied naively across every certificate chain and TLS handshake, that size increase would slow down page loads and push users to turn off the protection entirely.”

This challenge requires the development of new techniques like Google’s Merkle Tree Certificates (MTCs), which use a much more lightweight certification process to enable scalable implementation of post-quantum readiness. The transition raises compatibility challenges across browsers, servers, operating systems, and certificate authorities, demanding significant investment of time and resources. Preparing for the era of quantum computing threats demonstrates the need for gradual testing and hybrid cryptography during the transition period.

What This Means for Security Leaders and Developers

It is important for defenders and tech experts to start taking steps now to equip for the quantum age before it arrives in full force. “A cryptographically relevant quantum computer does not exist yet, but the harvest now, decrypt later model means traffic being recorded today could be exposed in the future,” says Krell. Organizations should begin inventorying cryptographic dependencies today in order to ease the transition and ensure preparation for computing threats to come.

Crypto-agility is a defining factor in online security now and moving forward, requiring systems that can swap algorithms quickly to defend against quantum-enabled dangers. Early experiments like Google’s effort can provide valuable insight into the technical aspects of how to carry out the transition, including highlighting the difficulties and enabling troubleshooting.

Preparing for a Post-Quantum Internet

The cryptography currently available remains secure today, but is not sufficient to protect against the quantum computing threats that are coming in the future. The scale and complexity of transitioning to post-quantum cryptography make it a significant effort, and proactive experimentation now can help to reduce risk later by preempting some of the challenges that are sure to arise. This effort on the part of Google is part of a broader industry shift toward quantum-resilient security as leading experts and companies realize the need for preparation.

Author
  • Contributing Writer, Security Buzz
    PJ Bradley is a writer from southeast Michigan with a Bachelor's degree in history from Oakland University. She has a background in school-age care and experience tutoring college history students.