Ask HN: TLS 1.3 and Post-Quantum Encryption for HN?
Could HN benefit from a TLS upgrade, as it's currently at TLS v1.2, (not e.g.: v1.3) (for me, at least)? Also could it benefit from being a leader in implementing post-quantum cryptography?
Cloudflare is beginning to implement it: https://pq.cloudflareresearch.com (See cloudflare blog posts about it, too for many more details)..
12 comments
[ 1.5 ms ] story [ 40.0 ms ] threadMaybe the cert issuing chain needs to be looked at for its risks but I can't see the site certificate itself being at risk.
I mean I am glad cloudflare and others are showing capability but my highly broken foot gun of futurology says to me, this is a fools errand. I've been wrong many many times.
HN is using Let's Encrypt, and so are about a third to half the sites on the internet at this point. If there's an issue with Let's Encrypt, the people on/running this site would know.
https://community.letsencrypt.org/t/preparing-for-quantum-sa...
Like I said, more frequent certificate reissuance probably covers it. It would be changing a timing parameter in the config and resetting some options in an orderly upgrade not a massive lift and drag to another place.
https://letsencrypt.org/2024/12/11/eoy-letter-2024/
As with any donation-supported venture, their ability to consider “someday” concerns is directly tied to donations and sponsorships. Reading between the lines of the recent revocation shutdown, I estimate their operating budget does not have room to consider PQC, when they have more pressing concerns to focus on.
So, their disinterest in PQC does not likely inform on whether others should do PQC or not; to each their own risk assessments, etc.
That said, HN could use an update in configuration (disable TLS 1.0 and 1.1 and CBC ciphers, enable TLS 1.3): https://www.ssllabs.com/ssltest/analyze.html?d=news.ycombina...
I get it, new crypto algorithms are cool, but these just aren't widely implemented in browsers or servers yet, and we're still several years out from a quantum computer breaking 2048 bit RSA or 256 bit ECDSA.
Worth a read: https://blog.cloudflare.com/nists-first-post-quantum-standar...
Google: https://cloud.google.com/security/resources/post-quantum-cry...
Various interesting Cloudflare blog posts here: https://blog.cloudflare.com/tag/post-quantum/
I think that it is absolutely worth researching post quantum cryptography, and if you are a high value target, maybe even using it. But it probably isn't necessary to use it everywhere yet.
1. https://cloud.withgoogle.com/cloudsecurity/podcast/ep164-qua...
2. https://blog.google/technology/research/google-willow-quantu...