src/content/docs/cloudflare-one/policies/gateway/http-policies/tls-decryption.mdx
+2 lines changed: 2 additions & 0 deletions
@@ -97,6 +97,8 @@ You can still apply all [network policy filters](/cloudflare-one/policies/gatewa
97
97
98
98
Gateway supports post-quantum cryptography using a hybrid key exchange with X25519 and MLKEM768 over TLS 1.3. Once the key exchange is complete, Gateway uses AES-128-GCM to encrypt traffic.
99
99
100
+
Refer to [Post-quantum cryptography](/ssl/post-quantum-cryptography/) to learn more.
101
+
100
102
## FIPS compliance
101
103
102
104
By default, TLS decryption can use both TLS version 1.2 and 1.3. However, some environments such as FedRAMP may require cipher suites and TLS versions compliant with FIPS 140-2. FIPS compliance currently requires TLS version 1.2.
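Review bot: The added "Refer to [Post-quantum cryptography](/ssl/post-quantum-cryptography/) to learn more." line sits directly above `## FIPS compliance`, and the two sections leave an open question for readers: the hybrid key exchange with X25519 and MLKEM768 is described as running over TLS 1.3, while the FIPS section says FIPS compliance currently requires TLS version 1.2. Add a sentence, here or in the FIPS section, stating whether post-quantum key agreement is available when FIPS-compliant settings are in use, so readers in FedRAMP environments do not assume both apply at once. The link could also point at the Zero Trust page under /ssl/post-quantum-cryptography/ that covers the Secure Web Gateway case, since that page links back to this section in the same commit.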
src/content/docs/ssl/post-quantum-cryptography/pqc-and-zero-trust.mdx
+5 -3 lines changed: 5 additions & 3 deletions
@@ -12,7 +12,9 @@ Refer to the sections below to learn about the use cases supported by the Zero T
12
12
13
13
## Agentless Cloudflare Access
14
14
15
-
You can use [Cloudflare Access](/cloudflare-one/policies/access/)[self-hosted applications](/cloudflare-one/applications/configure-apps/self-hosted-public-app/) in an agentless configuration to protect your organization's Internet traffic to internal web applications. Even if the applications themselves have not yet migrated to post-quantum (PQ) cryptography, they will be protected against quantum threats.
15
+
You can use [Cloudflare Access](/cloudflare-one/policies/access/)[self-hosted applications](/cloudflare-one/applications/configure-apps/self-hosted-public-app/) in an agentless configuration to protect your organization's Internet traffic to internal web applications. Refer to the [learning path](/learning-paths/zero-trust-web-access/initial-setup/) for detailed guidance.
16
+
17
+
Even if the applications themselves have not yet migrated to post-quantum (PQ) cryptography, they will be protected against quantum threats.
16
18
17
19
.
18
20
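Review bot: In the added sentence "Refer to the [learning path](/learning-paths/zero-trust-web-access/initial-setup/) for detailed guidance", the link text does not say which learning path is meant or what the guidance covers; name it after its target (the zero-trust-web-access initial setup) so the sentence still makes sense out of context. As shown here, the `[Cloudflare Access](...)` and `[self-hosted applications](...)` links also run together with no space between them in both the removed and the added line; check the source and add the space if it is missing. Splitting "Even if the applications themselves have not yet migrated..." into its own paragraph is fine, but it now follows the setup pointer rather than the claim it qualifies, so consider placing the learning-path sentence after it.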
@@ -28,15 +30,15 @@ If the user and origin server are geographically distant, then the user's traffi
28
30
29
31
**3. PQ Cloudflare Tunnel**
30
32
31
-
Customers establish a [Cloudflare Tunnel](/cloudflare-one/connections/connect-networks/) from their data center or public cloud — where their corporate web application is hosted — to Cloudflare's network. This tunnel is secured using TLS 1.3 with post-quantum key agreement, safeguarding it from harvest now, decrypt later attacks..
33
+
Customers establish a [Cloudflare Tunnel](/cloudflare-one/connections/connect-networks/) from their data center or public cloud — where their corporate web application is hosted — to Cloudflare's network. This tunnel is secured using TLS 1.3 with post-quantum key agreement, safeguarding it from [harvest now, decrypt later attacks](https://en.wikipedia.org/wiki/Harvest_now,_decrypt_later).
32
34
33
35
Putting it together, Cloudflare Access can provide end-to-end quantum safety for accessing corporate HTTPS applications, without requiring customers to upgrade the security of corporate web applications.
34
36
35
37
## Secure Web Gateway
36
38
37
39
A [secure web gateway (SWG)](https://www.cloudflare.com/learning/access-management/what-is-a-secure-web-gateway/) is used to secure access to third-party websites on the public Internet by intercepting and inspecting TLS traffic.
38
40
39
-
[Cloudflare Gateway](/cloudflare-one/policies/gateway/http-policies/) is now a quantum-safe SWG for HTTPS traffic. As long as the third-party website that is being inspected supports post-quantum key agreement, then Cloudflare's SWG also supports post-quantum key agreement. This is true regardless of the on-ramp that you use to get to Cloudflare's network, and only requires the use of a browser that supports post-quantum key agreement.
41
+
[Cloudflare Gateway](/cloudflare-one/policies/gateway/http-policies/) is now a [quantum-safe SWG for HTTPS traffic](/cloudflare-one/policies/gateway/http-policies/tls-decryption/#post-quantum-support). As long as the third-party website that is being inspected supports post-quantum key agreement, then Cloudflare's SWG also supports post-quantum key agreement. This is true regardless of the on-ramp that you use to get to Cloudflare's network, and only requires the use of a browser that supports post-quantum key agreement.
40
42
41
43
.
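Review bot: The new link target `/cloudflare-one/policies/gateway/http-policies/tls-decryption/#post-quantum-support` depends on a heading anchor that is not visible in the tls-decryption.mdx hunk of this commit (only `## FIPS compliance` appears there); confirm that a heading producing `#post-quantum-support` exists, otherwise the link lands at the top of the page. For the "harvest now, decrypt later attacks" link in the PQ Cloudflare Tunnel paragraph, a one-clause inline definition (traffic recorded today and decrypted later, once a capable quantum computer exists) would serve readers better than relying only on an external Wikipedia URL. The Secure Web Gateway paragraph could also name the key agreement, X25519 with MLKEM768 over TLS 1.3, as the tls-decryption page does, so the two pages state the same thing.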