Cloudflare, one of the Internet’s biggest content delivery networks, said it will now provide post-quantum cryptography (PQC) for free by default to all of its customers to help secure their websites, APIs, cloud tools, and remote employees against future threats.
The move follows a beta program, also free, that Cloudflare announced last year. Offering PQC for free is not exactly out-of-character for the companies, as it noted in a blog post that it has provided secure socket layer security for free since 2014. However, the announcement comes very early in the evolution of the PQC market, so it will be interesting to see how the product and service strategies of other companies and the overall economics of PQC are affected by this move.
“We have a proud history of taking paid encryption products and launching it to the Internet at scale for Free,” the blog states. “Even at the cost of short and long-term revenue because it’s the right thing to do.
The blog post, contributed by Wesley Evans and Bas Westerbaan of Cloudflare Research, goes on to take a shot at companies that see PQC as a way to “cash in” on security fears:
“As we have worked with our partners in both industry and academia to help prepare us and the Internet for a post-quantum future, we have become dismayed by an emerging trend. There are a growing number of vendors out there that want to cash in on the legitimate fear that nervous executives, privacy advocates, and government leaders have about quantum computing breaking traditional encryption. These vendors offer vague solutions based on unproven technologies like ‘Quantum Key Distribution’ or ‘Post Quantum Security’ libraries that package non-standard algorithms that haven’t been through public review with exorbitant price tags like RSA did in the 1990s. They often love to throw around phrases like “AI” and “Post Quantum” without really showing their work on how any of their systems actually function. Security and privacy are table stakes in the modern Internet, and no one should be charged just to get the baseline protection needed in our contemporary world.”
Cloudflare’s PQC capability leverages the Crystals-Kyber algorithm, the pending PQC standard from the National Institute of Standards and Technology. In a separate blog post, the company defended the algorithm from a recent research claim that suggested vulnerability to side-channel attacks. That research, many in the sector believe, has been widely misinterpreted.
A separate press release touted Cloudflare’s leadership in the PQC segment, saying that the company believes that more than 99% of websites on the Internet that already support NIST-approved PQC for their connections are powered by Cloudflare, and that more than 1 billion HTTP requests have been protected with PQC by Cloudflare since 2019.
Dan O’Shea has covered telecommunications and related topics including semiconductors, sensors, retail systems, digital payments and quantum computing/technology for over 25 years.