- Quantum computing threatens the cryptography behind HTTPS certificates
- Fake certificates expose users to surveillance risks
- Transparency logs help detect unauthorized certificate issuance quickly
Google has revealed plans to make HTTPS certificates resistant to future quantum computer attacks while keeping the internet usable.
Past incidents, such as the 2011 DigiNotar hack, which allowed 500 fake certificates to spy on web users, showed the risks of unverified certificates.
Today, browsers rely on public transparency logs, append-only ledgers, to allow website owners to check in real time whether any certificates for their domains are illegitimate.
Preparing certificate transparency for the quantum era
The advent of quantum computing introduces new vulnerabilities to classical cryptography, as when effective, Shor’s algorithm could forge digital signatures and break keys in certificate logs, allowing attackers to trick a browser or operating system into accepting certificates that were never issued.
Google’s solution integrates post-quantum cryptographic algorithms such as ML-DSA.
“We view the adoption of MTCs and a quantum-resistant root store as a critical opportunity to ensure the robustness of the foundation of today’s ecosystem,” Google said in a blog post.
“By designing for the specific demands of a modern, agile internet, we can accelerate the adoption of post-quantum resilience for all web users.”
This approach ensures that forgeries would succeed only if attackers broke both classical and quantum-resistant encryption at the same time.
The challenge is size. Traditional X.509 certificate chains are about four kilobytes, small enough for browsers to handle efficiently.
Quantum-resistant data can increase that by roughly 40 times, which could slow handshakes and affect devices behind firewalls or endpoint security systems.
Bas Westerbaan of Cloudflare explained, “The bigger you make the certificate, the slower the handshake and the more people you leave behind.”
If the process becomes too slow, users could disable the new encryption entirely. To reduce data overhead, Google and partners use Merkle Tree Certificates (MTCs).
This method condenses verification for millions of certificates into compact proofs. Certification Authorities sign a single “Tree Head,” and the browser receives a lightweight inclusion proof.
This approach reduces transmitted data to around 700 bytes, which keeps operations smooth while maintaining transparency and security.
Chrome has already implemented MTCs, and Cloudflare is testing roughly 1,000 certificates to assess performance.
Over time, Certification Authorities will manage the distributed ledger themselves.
The Internet Engineering Task Force has formed a working group called PKI, Logs, and Tree Signatures to coordinate standards.
In simple terms, combining quantum-resistant certificates and MTCs aims to protect web users without breaking the browser experience or compromising endpoint security.
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
You must confirm your public display name before commenting
Please logout and then login again, you will then be prompted to enter your display name.