Is your TLS ready
for post-quantum?
Classical RSA and EC cryptography will be broken by sufficiently large quantum computers. NIST published the first PQC standards in 2024. This scanner checks where a target site sits on the migration curve.
What gets checked
TLS Algorithm Audit
- Protocol: TLSv1.3 / 1.2 / 1.1 / 1.0 detected
- Cipher suite: AEAD (forward secret) vs legacy RSA key exchange
- Key bit strength: 256-bit EC vs 2048–4096-bit RSA
- Classical vs post-quantum algorithm comparison
- ALPN negotiation: HTTP/2 vs HTTP/1.1
- HTTP/3 Alt-Svc header detection
Certificate Analysis
- Chain depth (leaf + intermediates + root)
- Self-signed certificate detection
- Subject Alternative Names (SAN) list
- Signature algorithm: SHA-256/384 with RSA or EC
- PQC algorithm flag (CRYSTALS-Kyber, Dilithium)
- Days to expiry — alert if < 30 days
DNSSEC Status
- RRSIG resource record presence
- DNSKEY record presence
- Authenticated Data (AD) flag from resolver
- Zone signing status per domain label
- CAA record count and issuer list
PQC Readiness Score
- TLSv1.3 adoption (prerequisite for Kyber KEM)
- Certificate key type in NIST PQC shortlist
- DNSSEC as a DNS integrity layer
- Multi-year certificate rotation risk
- Vendor NIST PQC migration timeline flags
NIST PQC timeline
2022
NIST finalised PQC algorithm candidates: CRYSTALS-Kyber (KEM), CRYSTALS-Dilithium, FALCON, SPHINCS+.
2024
FIPS 203, 204, 205 published. Google Chrome and Cloudflare began Kyber hybrid TLS trials.
2025–26
Browser and CDN adoption accelerates. TLS 1.2 retirement timelines announced by major vendors.
2030 target
NSA CNSA 2.0 requires PQC algorithms for all classified national security systems.
Live scanner
Paste a URL above and hit Scan →
Quantum Readiness Scan · Instant scan returns in ~5 seconds