Harvest now, decrypt later

The quantum threat isn't in the future — the recording is happening now.

The attack

TLS encrypts traffic with a session key agreed through public-key cryptography — today, almost always elliptic-curve Diffie–Hellman. An adversary who records that traffic cannot read it now. But the recording, plus the key-exchange messages inside it, is enough: whenever a sufficiently large quantum computer exists, Shor's algorithm recovers the session key from the recorded handshake and the whole conversation opens up. Nothing needs to be broken today. The adversary just needs storage and patience.

That is "harvest now, decrypt later" (HNDL) — sometimes "store now, decrypt later". It reverses the usual security question. The right question is no longer "can anyone break this today?" but "will anyone be able to break this while the data still matters?"

Who actually needs to care

Honest answer: it depends entirely on the shelf life of the data.

A useful framing is Mosca's inequality: if x (years your data must stay secret) plus y (years your migration takes) exceeds z (years until a cryptographically relevant quantum computer), you are already late.

The timelines pushing this

What to do about it


Check any domain in seconds with the post-quantum TLS test — it performs real pinned handshakes and tells you whether recorded traffic would survive a quantum computer.

Related guides