- Quantum computing threatens the cryptography behind HTTPS certificates
- Fake certificates expose users to monitoring risks
- Transparency logs help detect unauthorized certificate issuance quickly
Google has revealed plans to make HTTPS certificates resistant to future quantum computing attacks while keeping the internet usable.
Previous incidents, such as the 2011 DigiNotar hack that allowed 500 fake certificates to spy on web users, showed the risks of unverified certificates.
Today, browsers rely on public transparency logs, only attached accounts, to allow website owners to check in real time whether any certificates for their domains are illegitimate.
Preparing certificate transparency for the quantum era
The advent of quantum computers introduces new vulnerabilities to classical cryptography, as Shor’s algorithm, when effective, could forge digital signatures and crack keys in certificate logs, allowing attackers to trick a browser or operating system into accepting certificates that were never issued.
Google’s solution integrates post-quantum cryptographic algorithms such as ML-DSA.
“We see the adoption of MTCs and a quantum-resistant root store as a critical opportunity to ensure the resilience of the foundation of today’s ecosystem,” Google said in a blog post.
“By designing for the specific requirements of a modern, agile internet, we can accelerate the adoption of post-quantum resilience for all web users.”
This approach ensures that forgeries will only succeed if attackers broke both classical and quantum-resistant encryption at the same time.
The challenge is the size. Traditional X.509 certificate chains are about four kilobytes, small enough for browsers to handle them efficiently.
Quantum-resistant data can increase that by about 40 times, which can slow handshakes and affect devices behind firewalls or endpoint security systems.
Bas Westerbaan of Cloudflare explained: “The bigger you make the certificate, the slower the handshake and the more people you leave behind.”
If the process becomes too slow, users can disable the new encryption entirely. To reduce data overhead, Google and partners use Merkle Tree Certificates (MTCs).
This method condenses verification for millions of certificates into compact proofs. Certification authorities sign a single “Tree Head” and the browser receives a lightweight inclusion certificate.
This approach reduces transferred data to around 700 bytes, keeping operations smooth while maintaining transparency and security.
Chrome has already implemented MTCs, and Cloudflare is testing around 1,000 certificates to assess performance.
Over time, CAs will manage the distributed ledger themselves.
The Internet Engineering Task Force has formed a working group called PKI, Logs and Tree Signatures to coordinate standards.
Simply put, a combination of quantum-resistant certificates and MTCs aims to protect web users without breaking the browsing experience or compromising endpoint security.
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews and opinions in your feeds. Be sure to click the Follow button!
And of course you can too follow TechRadar on TikTok for news, reviews, video unboxings, and get regular updates from us on WhatsApp also.
