Your SSL Curve Information

You are using SSL Curve: X25519 which is not post-quantum secure.

This page preserves the live TLS result for the current browser connection and then explains what that result actually means.

Host: pqc.s04d.com
TLS version: TLSv1.3
Cipher suite: TLS_AES_256_GCM_SHA384
Negotiated key exchange: X25519
Underlying math: Elliptic-curve Diffie-Hellman over Curve25519
Session key sent over the network? No
Protects against passive sniffing today? Yes
Better protected against future quantum attacks on the handshake? No
Post-quantum component present? No

What This Check Is Showing

This page is not saying that the certificate alone is post-quantum secure. It is showing the key exchange negotiated for the current TLS session.

A TLS connection has two different security pieces:

That distinction matters. The certificate proves you are talking to the right server, but the session's post-quantum property comes mainly from the key exchange, not from the certificate by itself.

Why Sniffed Traffic Is Still Protected

An attacker can capture the TLS handshake messages and the encrypted traffic, but the final session key is not sent in clear text over the network. The client and server derive it locally during the handshake.

The concern with future attacks is often called harvest now, decrypt later:

That is where a post-quantum or hybrid key exchange matters. The goal is that seeing the handshake should still not be enough to reconstruct the session key later.

What Post-Quantum Does Not Protect

Post-quantum TLS does not protect against endpoint compromise. If an attacker steals the live session key from browser or server memory, the session is already compromised. In that case, no quantum attack is needed.

So the security model is:

A Small Math Example: Toy Diffie-Hellman

This is not real-world security. It is a tiny example meant to show the idea of how a shared secret can be created without sending that secret directly over the network.

Public values: p = 23, g = 5
Alice secret: a = 6
Bob secret: b = 15
Alice sends: A = 5^6 mod 23 = 8
Bob sends: B = 5^15 mod 23 = 19
Shared secret: Alice computes 19^6 mod 23 = 2, and Bob computes 8^15 mod 23 = 2

An attacker can sniff the wire and still only see the public values: p = 23, g = 5, A = 8 and B = 19.

The shared secret 2 was never sent directly. But because the numbers are tiny, the attacker can brute-force the private value by trying powers until they find 5^6 mod 23 = 8.

That is the core idea: the secret is not sent over the wire, but if the underlying math becomes easy enough to reverse, the attacker can still recover the shared secret from the public handshake data.

Interactive Toy DH + Simulated Shor Demo

This is a teaching toy, not real security. It uses tiny numbers so you can see how a shared secret is created, what an attacker can sniff, and how a simulated Shor-style attack would recover the private value in a breakable toy example.


The attacker does not receive the shared secret directly. In this toy demo, they recover Alice's private value from the public handshake because the numbers are tiny. That is the intuition behind why a powerful quantum attack matters for discrete-log style systems.
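The toy exchange and the attacker's recovery described above, as an added Python example that is not this page's own demo code. The message, the SHA-256 XOR cipher and all function names are constructed for illustration, and the exhaustive search only stands in for what a Shor-style attack would achieve at real key sizes.

```python
import hashlib

P, G = 23, 5  # public toy parameters from the page

def public_value(secret):
    """Value sent over the wire: g^secret mod p."""
    return pow(G, secret, P)

def shared_secret(their_public, my_secret):
    """Computed locally by each side; never transmitted."""
    return pow(their_public, my_secret, P)

def keystream_xor(secret, data):
    """Toy cipher (constructed for this demo): XOR with SHA-256(secret) bytes."""
    stream = hashlib.sha256(str(secret).encode()).digest()
    return bytes(b ^ stream[i % len(stream)] for i, b in enumerate(data))

def recover_private(public):
    """Exhaustive discrete log. Feasible only because p is tiny; it stands in
    for what Shor's algorithm would do efficiently at real key sizes."""
    for x in range(1, P):
        if pow(G, x, P) == public:
            return x
    raise ValueError("no exponent found")

def run_demo():
    a, b = 6, 15                          # private values, kept local
    A, B = public_value(a), public_value(b)
    k_alice, k_bob = shared_secret(B, a), shared_secret(A, b)
    ciphertext = keystream_xor(k_alice, b"hello bob")  # constructed message
    # The attacker sees only p, g, A, B and the ciphertext.
    a_found = recover_private(A)
    k_attacker = shared_secret(B, a_found)
    return {"A": A, "B": B, "k_alice": k_alice, "k_bob": k_bob,
            "a_found": a_found,
            "recovered": keystream_xor(k_attacker, ciphertext)}

if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, "=", value)
```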

Toy Post-Quantum Intuition

Lattice-based schemes do not hide a secret scalar the same way elliptic-curve Diffie-Hellman does. Instead, they rely on a different kind of hard problem built from vectors, matrices, and structured noise.

DH / ECC intuition: Alice and Bob hide a secret scalar. The attacker tries to recover that scalar from the public handshake values.
Lattice / PQC intuition: The secret looks more like a hidden vector or hidden combination inside a larger structure. The attacker is no longer solving the same discrete-log style problem.
Known major quantum threat: For elliptic-curve systems, the concern is Shor-type algorithms against problems like recovering the secret scalar k from a public point Q = kG.
Why PQC matters: For lattice-based systems, no equally devastating quantum algorithm is known today. That is why they are considered stronger candidates for post-quantum key exchange.

This does not mean lattice-based cryptography is proven unbreakable. It means that, unlike factoring and discrete-log systems, we do not currently know a quantum attack of the same kind of impact.

Shor threatens public-key systems based on factoring and discrete logarithms, while Grover mainly affects brute-force search and symmetric-key sizing.

Why The Post-Quantum Path Is Different

The post-quantum path is still trying to achieve the same goal: client and server end up with a shared session key without sending that key directly over the network.

The difference is that it does not rely only on the same classical math family as elliptic-curve Diffie-Hellman. In a hybrid result like X25519MLKEM768, one part is classical, and one part comes from a post-quantum construction.

So the practical point is not that one connection is encrypted and the other is not. Both are encrypted. The point is that if an attacker records the handshake today and tries to break it later, the hybrid path forces them to deal with more than just the classical part.

This is why the page says the hybrid path is better protected against future quantum attacks on the handshake.