← Back
Cloudflare
Cloudflare Radar adds post-quantum monitoring for origins, Key Transparency dashboard, and ASPA routing insights
Cloudflare · featuresecurityplatform · blog.cloudflare.com ↗

New Post-Quantum Monitoring for Origin Connections

Cloudflare has extended its post-quantum (PQ) encryption tracking beyond client-to-Cloudflare connections to now include origin-facing connections. The company's automated TLS scanner probes origin servers for support of X25519MLKEM768, a hybrid key exchange combining classical X25519 with the lattice-based ML-KEM algorithm standardized by NIST. This new Radar graph visualizes the percentage of customer origins supporting post-quantum encryption.

The data reveals significant momentum: approximately 10% of origins now support post-quantum key agreements—a dramatic 10x increase from less than 1% at the start of 2025. This growth reflects widespread adoption of post-quantum support in server-side TLS libraries including OpenSSL 3.5.0+, GnuTLS 3.8.9+, and Go 1.24+. The Radar Data Explorer provides detailed breakdowns of all supported TLS key exchange methods by region and network.

Key Transparency Dashboard for Encrypted Messaging

A new Key Transparency section on Radar provides real-time visibility into the verification status of Key Transparency Logs used by end-to-end encrypted messaging services like WhatsApp. The public dashboard shows when each log was last signed and verified by Cloudflare's Auditor, with API access for independent validation of auditor proofs. This transparency tool allows anyone to monitor the integrity of public key distribution and verify that encryption keys haven't been tampered with.

Expanded Routing Security Insights

Cloudflare continues to expand its Routing Security coverage with new data on ASPA (Autonomous System Provider Authorization) deployment. The new metrics provide global, country-level, and network-level information about ASPA adoption—an emerging BGP security standard designed to detect and prevent route leaks that could redirect internet traffic maliciously.

What Developers and Operators Should Know

  • For origin operators: Check your TLS configuration to see if you support post-quantum encryption. If not, upgrading to recent versions of OpenSSL, GnuTLS, or Go will enable hybrid post-quantum support.
  • For Cloudflare customers: Use the new Radar tools to audit your origin infrastructure's post-quantum readiness and identify servers that could benefit from migration.
  • For security teams: The new Key Transparency dashboard and ASPA deployment insights provide actionable data for monitoring encrypted messaging integrity and BGP route security across your infrastructure.

All three monitoring tools are now live on Cloudflare Radar at radar.cloudflare.com.