From 20% to Full PQC-Readiness in 24 Hours: SSLBoard.com


The Quantum Clock is Ticking

When our team at SSLBoard ran our own domain through QCReady’s assessment tool, the results were sobering: 20% PQC readiness. While better than the industry average of 8.6% among the top million websites, it wasn’t enough. As a platform that helps security teams monitor TLS certificates at scale, we needed to practice what we preach about quantum preparedness.

The Challenge: Kubernetes Infrastructure Stuck in the Past

Our architecture was typical of many modern organizations: a Kubernetes cluster with ingress-nginx handling TLS termination and cert-manager managing certificates. This setup, while reliable, had a critical flaw: it couldn’t easily support post-quantum cryptography. The path to PQC readiness meant:

  • Complex ingress-nginx upgrades with uncertain PQC support
  • cert-manager modifications to handle quantum-resistant algorithms
  • Potential downtime during the transition
  • No guarantee of full browser compatibility

The Breakthrough: Cloudflare Tunnel’s Hidden Superpower

We were already using Cloudflare for frontend hosting, but we discovered their Tunnel technology could completely bypass our PQC bottleneck. Here’s how we achieved 100% PQC readiness overnight:

Step 1: Deploy Cloudflare Tunnel

Instead of traditional ingress controllers, we configured Cloudflare Tunnel as our Kubernetes ingress replacement. The tunnel creates an encrypted outbound connection from our cluster to Cloudflare’s edge network.

Step 2: Automatic PQC Activation

Cloudflare’s edge already supports hybrid PQC key exchange using X25519MLKEM768 (the IETF-standardized combination of X25519 and ML-KEM-768). The moment we switched, all client connections automatically negotiated quantum-resistant handshakes.

Step 3: End-to-End Quantum Security

The tunnel itself uses PQC for cluster-to-Cloudflare communication, ensuring complete quantum protection across the entire data path.

The Results: Instant Transformation

We re-ran the QCReady assessment immediately after the switch:

  • Before: a mere 20% of our hosts were PQC-ready
  • After: 100% PQC readiness

The transformation was immediate and comprehensive. Chrome, Firefox, and other PQC-capable browsers now automatically negotiate hybrid key exchange with our domain.

Why This Matters: The 57% Problem

Recent F5 research shows that while 57.4% of browser-based transactions could support PQC, actual adoption among websites remains dismally low. Only 8.6% of the top million websites support PQC, with critical industries like healthcare (8.5%), finance (7.7%), and government (7.1%) lagging dangerously behind.

The Technical Magic: Hybrid Key Exchange

Cloudflare’s implementation uses the IETF-standardized X25519MLKEM768 hybrid key exchange. This approach combines traditional X25519 elliptic curve Diffie-Hellman with ML-KEM-768 (the standardized form of Kyber) quantum-resistant key encapsulation. The result is a 64-byte shared secret: an attacker has to break both components to recover it, so it stays protected against today's classical attacks and against future quantum attacks.
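To confirm from a packet capture that a handshake actually selected the hybrid group, the sketch below parses a TLS 1.3 ServerHello and reads its key_share extension. It is an added example, not code from SSLBoard or Cloudflare; the function names are hypothetical, the sample messages are constructed, and it assumes the input is the ServerHello handshake message with the record header already stripped.

```python
import struct

X25519MLKEM768 = 0x11EC   # IANA TLS Supported Groups codepoint
KEY_SHARE = 0x0033        # key_share extension type (RFC 8446)
# Server share: 1088-byte ML-KEM-768 ciphertext followed by a 32-byte X25519 key
HYBRID_SERVER_SHARE_LEN = 1088 + 32

def negotiated_group(server_hello: bytes):
    """Return (group, share_len) from a TLS 1.3 ServerHello handshake message."""
    if len(server_hello) < 4 or server_hello[0] != 0x02:
        raise ValueError("not a ServerHello")
    body_len = int.from_bytes(server_hello[1:4], "big")
    body = server_hello[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated ServerHello")
    pos = 2 + 32              # legacy_version + random
    pos += 1 + body[pos]      # legacy_session_id_echo
    pos += 2 + 1              # cipher_suite + legacy_compression_method
    ext_end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack_from("!HH", body, pos)
        data = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type == KEY_SHARE:
            if len(data) < 4:  # a HelloRetryRequest carries only the group
                raise ValueError("key_share has no key_exchange (HelloRetryRequest?)")
            return struct.unpack_from("!HH", data, 0)
    return None, 0            # no key_share: not a TLS 1.3 (EC)DHE handshake

def is_hybrid_pqc(server_hello: bytes) -> bool:
    """True only if the server picked X25519MLKEM768 with a correctly sized share."""
    group, share_len = negotiated_group(server_hello)
    return group == X25519MLKEM768 and share_len == HYBRID_SERVER_SHARE_LEN

def build_server_hello(group: int, share: bytes) -> bytes:
    """Constructed sample input: a minimal ServerHello with the given key share."""
    ks = struct.pack("!HH", group, len(share)) + share
    exts = struct.pack("!HH", 0x002B, 2) + b"\x03\x04"   # supported_versions: TLS 1.3
    exts += struct.pack("!HH", KEY_SHARE, len(ks)) + ks
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\x13\x01" + b"\x00"
    body += struct.pack("!H", len(exts)) + exts
    return b"\x02" + len(body).to_bytes(3, "big") + body

if __name__ == "__main__":
    for name, msg in [("hybrid", build_server_hello(X25519MLKEM768, bytes(1120))),
                      ("classical", build_server_hello(0x001D, bytes(32)))]:
        print(name, negotiated_group(msg), is_hybrid_pqc(msg))
```

A server that answers with group 0x001D (plain X25519) has fallen back to classical key exchange, which is the case a readiness monitor should flag.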

Resource Efficiency Bonus

Beyond quantum security, the architectural change delivered unexpected benefits:

  • Zero inbound connections to our Kubernetes cluster
  • Reduced resource consumption (no ingress controller overhead)
  • Automatic certificate management (Cloudflare handles all renewals)
  • Global edge optimization (requests served from 300+ locations)

Your Path to 100% PQC Readiness

SSLBoard’s transformation proves that achieving quantum readiness doesn’t require complex infrastructure overhauls. If you’re using traditional ingress controllers or struggling with PQC implementation, consider these steps:

  1. Assess your current readiness using QCReady’s free tool
  2. Evaluate Cloudflare Tunnel as an ingress alternative
  3. Test the transition in a staging environment
  4. Monitor your PQC percentage post-implementation

The Bottom Line

In an era where “harvest now, decrypt later” attacks threaten long-term data confidentiality, SSLBoard’s overnight transformation from 20% to 100% PQC readiness demonstrates that quantum security is achievable today. The technology exists, the standards are established, and the implementation can be as simple as changing your ingress strategy.

Don’t wait for quantum computers to become a reality. Check your PQC readiness at qcready.com and take the first step toward quantum-secure communications.


SSLBoard is a certificate intelligence platform used by security teams to audit, monitor, and manage TLS certificates at scale. Learn more at sslboard.com