Post-Quantum Encryption Monitoring Extends Beyond Client Connections
Cloudflare Radar previously tracked post-quantum (PQ) encryption adoption on client-to-Cloudflare connections, which has grown from under 3% at the start of 2024 to over 60% by February 2026. Today's update extends this monitoring to origin servers, the backend infrastructure that serves content not in Cloudflare's cache. The new origin post-quantum support graph measures what percentage of customer origins support the X25519MLKEM768 hybrid key exchange algorithm, which combines the classical X25519 elliptic-curve key exchange with the NIST-standardized, lattice-based ML-KEM post-quantum scheme.
Key findings:
- Approximately 10% of origins currently support post-quantum key exchange—a 10x jump from less than 1% at the start of 2025
- Data is collected via Cloudflare's automated TLS scanner, which probes TLS 1.3-compatible origins daily
- Support is measured across the broader ecosystem, reflecting adoption by server libraries like OpenSSL 3.5.0+, GnuTLS 3.8.9+, and Go 1.24+
Developers can now check an individual website's post-quantum compatibility and view the full distribution of supported TLS key exchange methods in the Radar Data Explorer.
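To make the measurement concrete, the following added example (not Cloudflare's scanner code) parses a TLS 1.3 ServerHello and reports whether the server selected X25519MLKEM768 in its key_share extension. The function names are hypothetical and the sample message is constructed with zero-filled fields; the group codepoints are the IANA-registered values.

```python
import struct

# TLS named-group codepoints (IANA "TLS Supported Groups" registry).
X25519, X25519MLKEM768 = 0x001D, 0x11EC
PQ_HYBRID = {X25519MLKEM768}
EXT_SUPPORTED_VERSIONS, EXT_KEY_SHARE = 43, 51

def parse_server_hello(msg: bytes) -> dict:
    """Extract the selected TLS version and key-exchange group from a
    ServerHello handshake message (record header already stripped)."""
    if len(msg) < 4 or msg[0] != 0x02:
        raise ValueError("not a ServerHello")
    body = msg[4:4 + int.from_bytes(msg[1:4], "big")]
    try:
        pos = 2 + 32                       # legacy_version, random
        pos += 1 + body[pos]               # legacy_session_id_echo
        pos += 2 + 1                       # cipher_suite, compression method
        (ext_len,) = struct.unpack_from("!H", body, pos)
        pos += 2
        end = pos + ext_len
        if end > len(body):
            raise ValueError("truncated extensions")
        out = {"version": None, "group": None, "share_len": None}
        while pos < end:
            etype, elen = struct.unpack_from("!HH", body, pos)
            data = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == EXT_SUPPORTED_VERSIONS and len(data) == 2:
                out["version"] = int.from_bytes(data, "big")
            elif etype == EXT_KEY_SHARE and len(data) >= 2:
                # ServerHello carries group + share; HelloRetryRequest only the group.
                out["group"] = int.from_bytes(data[:2], "big")
                out["share_len"] = len(data) - 4 if len(data) >= 4 else None
        return out
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated ServerHello") from exc

def negotiated_pq(msg: bytes) -> bool:
    """True only for TLS 1.3 with a post-quantum hybrid group selected."""
    info = parse_server_hello(msg)
    return info["version"] == 0x0304 and info["group"] in PQ_HYBRID

def build_sample(group: int, share_len: int) -> bytes:
    """Constructed ServerHello for offline testing (random and share are zero bytes)."""
    exts = struct.pack("!HHH", EXT_SUPPORTED_VERSIONS, 2, 0x0304)
    exts += struct.pack("!HHHH", EXT_KEY_SHARE, 4 + share_len, group, share_len) + bytes(share_len)
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\x13\x01" + b"\x00"
    body += struct.pack("!H", len(exts)) + exts
    return b"\x02" + len(body).to_bytes(3, "big") + body
```

A server only selects the hybrid group when the client offers it, so a probe that advertises classical groups alone cannot distinguish an unsupported origin from a supported one.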
Key Transparency Dashboard for End-to-End Encrypted Messaging
Cloudflare has launched a new Key Transparency section on Radar that provides real-time visibility into the integrity of public key distribution for end-to-end encrypted messaging services like WhatsApp. The dashboard shows:
- When each Key Transparency Log was last signed and verified by Cloudflare's Auditor
- A public interface for anyone to monitor the integrity of key distribution
- An API for independent validation of Cloudflare's Auditor proofs
This addresses a critical security transparency gap: verifying that messaging platforms are not silently issuing fraudulent keys to users.
Expanded Routing Security Insights for BGP Route Leak Prevention
The Routing Security section on Radar now includes global, country, and network-level data on ASPA (Autonomous System Provider Authorization) deployment. ASPA is an emerging standard that helps detect and prevent BGP route leaks—a routing vulnerability where traffic can be misdirected through unauthorized networks. This visibility helps network operators understand industry-wide adoption of this critical security standard.