Alberto Roura

Building the (maybe) First Public PQC Checker Tool

- 03 September 2025 - 8 mins read

Hola! I’ve been working on something for a while now and I’m actually happy I’ve finally released it: a free, public tool to check if any domain supports Post-Quantum Cryptography (PQC). You can try it right now at the QuReady Free Domain PQC Checker.

Why am I excited? Because as far as I know, this is the first public tool of its kind that accurately detects PQC support using real TLS handshake analysis. Let me tell you how it works and why it matters.

The Quantum Threat is Real (and Immediate)

Most people think quantum computers breaking encryption is a distant future problem. But here’s the thing: the threat is happening right now.

There’s this concept called “Harvest Now, Decrypt Later” attacks. Hackers are already collecting encrypted data today, storing it, and waiting for quantum computers powerful enough to decrypt it. Your sensitive data from 2025 could be exposed in a few years when quantum computers become available.

That’s why organizations like NIST, NSA, and the EU are pushing for immediate PQC adoption. In fact, NIST published the first set of post-quantum cryptographic standards in August 2024, and the world is slowly (very slowly) starting to migrate.

But here’s the problem: how do you know if a domain is quantum-safe?

The Technical Challenge

Detecting PQC support isn’t straightforward. You can’t just check if a server supports TLS 1.3, as classical cryptography and quantum-resistant cryptography can both use TLS 1.3.

The real detection happens at the key exchange level. Modern PQC implementations use hybrid algorithms like:

  • X25519MLKEM768: Combines classical X25519 with ML-KEM-768 (the NIST-standardized version of Kyber)
  • SecP256r1MLKEM768: Uses NIST’s P-256 curve with ML-KEM-768
  • Pure ML-KEM: ML-KEM-512, ML-KEM-768, or ML-KEM-1024

To detect these, you need to:

  1. Perform a TLS 1.3 handshake with the target domain
  2. Inspect the negotiated key exchange group
  3. Check if it’s a PQC or hybrid algorithm

This requires bleeding-edge OpenSSL versions with native PQC support. That’s where things get interesting.

Real-World Results

I’ve been testing this tool against major websites, and the results are fascinating:

PQC-Enabled Domains:

  • Cloudflare: X25519 + ML-KEM-768
  • Google: X25519 + ML-KEM-768
  • Facebook: X25519 + ML-KEM-768

No PQC Support (Yet):

  • Amazon: Classical cryptography only
  • Most banks: Still vulnerable to quantum attacks
  • Many government sites: Slow to migrate

This tells us that even tech giants are not ready for the migration, regulated industries like finance and government are lagging behind, and all combined is concerning given they handle the most sensitive data.

Try It Yourself

Head over to the Free Domain PQC Checker and test any domain. The tool is:

  • Free: No signup, no credit card, no tracking
  • Fast: Results in under 3 seconds
  • Accurate: Uses real TLS handshake analysis
  • Educational: Explains what PQC is and why it matters

Try checking your bank, your company’s website, or your favorite tech services. You might be surprised by what you find. And of course, if you find the lack of PQC concerning, you can always reach out to them so they can migrate to a quantum-safe solution.

Why This Matters for Engineers

As engineers, we’re often asked to implement security measures without understanding the threat landscape. This tool helps you:

  1. Assess your infrastructure: Check if your CDN or hosting provider supports PQC
  2. Educate stakeholders: Show them real data about quantum readiness
  3. Plan migrations: Understand which services need upgrading
  4. Track industry trends: See who’s leading and who’s lagging

If you’re responsible for security at your organization, I’d recommend running this check against all your critical domains. If they don’t support PQC yet, it’s time to start planning your migration.

What’s Next

I’m planning to add several features:

  • Historical tracking: Monitor domains over time to see when they enable PQC
  • Bulk checking: Upload a CSV and check hundreds of domains at once
  • API access: Let developers integrate PQC checks into their workflows
  • Notifications: Get alerts when a domain enables or disables PQC

The Bigger Picture

Building this tool has taught me something important: we’re at a pivotal moment in cryptography history. Just like we moved from HTTP to HTTPS, we’re now moving from classical to quantum-resistant cryptography. The difference is that this transition is being driven by a threat that doesn’t exist yet, but data is being harvested today.

The organizations that migrate early will be protected. Those that wait might find their historical data exposed when quantum computers become powerful enough.

As engineers, we have a responsibility to understand these transitions and guide our organizations through them. Tools like this PQC checker are just the beginning. The best time to implement PQC was yesterday. The second best time is today.

Share: Link copied to clipboard

Tags:

Previous: Offline Knowledge with Kiwix Zim and Docker Model Runner
Next: Dockback - Reverse-Engineering Dockerfiles from Images

Where: Home > Technical > Building the (maybe) First Public PQC Checker Tool