The attack
TLS encrypts traffic with a session key agreed through public-key cryptography — today, almost always elliptic-curve Diffie–Hellman. An adversary who records that traffic cannot read it now. But the recording, plus the key-exchange messages inside it, is enough: whenever a sufficiently large quantum computer exists, Shor's algorithm recovers the session key from the recorded handshake and the whole conversation opens up. Nothing needs to be broken today. The adversary just needs storage and patience.
That is "harvest now, decrypt later" (HNDL) — sometimes "store now, decrypt later". It reverses the usual security question. The right question is no longer "can anyone break this today?" but "will anyone be able to break this while the data still matters?"
Who actually needs to care
Honest answer: it depends entirely on the shelf life of the data.
- Long-life secrets — act now. Health records, legal and financial documents, government and defence traffic, intellectual property, journalists' sources. If it must stay confidential for ten or more years, traffic carrying it today is already exposed to HNDL.
- Credentials and session material — sooner than you'd think. Passwords and API keys captured today may well still be valid when decryption arrives.
- Short-life data — lower urgency, same destination. A price feed from today is worthless in 2035. But since the fix is a software upgrade the browsers have already made, there is little reason to be the slow half of the handshake.
A useful framing is Mosca's inequality: if x (years your data must stay secret) plus y (years your migration takes) exceeds z (years until a cryptographically relevant quantum computer), you are already late.
The timelines pushing this
- NIST finalised the ML-KEM, ML-DSA and SLH-DSA standards in August 2024, and its transition guidance (NIST IR 8547) deprecates classical public-key cryptography by 2030 and disallows it after 2035.
- The NSA's CNSA 2.0 suite requires US national-security systems to prefer post-quantum algorithms now and complete the transition by 2033.
- Browsers moved first: Chrome enabled hybrid post-quantum key exchange by default in April 2024; the other major browsers followed. A third or more of TLS 1.3 handshakes worldwide are already post-quantum.
- Infrastructure followed: OpenSSL 3.5 (the current long-term-support release) offers X25519MLKEM768 by default, and the big CDNs have supported it for years.
What to do about it
- Enable hybrid post-quantum key exchange (X25519MLKEM768) at your TLS edge — for most stacks it is one configuration line or a platform default. See how to enable post-quantum TLS.
- Don't wait for post-quantum certificates — identity can't be harvested retroactively, and no public CA issues them yet. Key exchange is the urgent half.
- Inventory long-life data flows (backups, replication links, site-to-site VPNs) — these are the classic HNDL targets nobody checks.
Check any domain in seconds with the post-quantum TLS test — it performs real pinned handshakes and tells you whether recorded traffic would survive a quantum computer.