- Surfshark has integrated post-quantum cryptography (PQC) into WireGuard
- PQC protection is enabled by default on macOS, Linux, and Android
- Surfshark warns that only 8% of popular apps are quantum-safe
Surfshark has implemented post-quantum cryptography (PQC) within its WireGuard protocol, aiming to bolster user data protection against potential breaches by quantum computers.
This enhancement positions Surfshark as one of the top VPNs available, adding an additional security layer to WireGuard’s existing elliptic-curve-based encryption with a next-generation method capable of safeguarding data even against quantum threats.
The new protection is automatically enabled on WireGuard for macOS, Linux, and Android, with Surfshark planning to extend support to iOS and Windows shortly.
How does it work?
According to Donatas Budvytis, CTO at Surfshark, this new implementation does not replace the original WireGuard cryptography but adds a quantum layer on top, functioning within the VPN tunnel through an additional custom service.
Since WireGuard's initial handshake is not PQC-protected, the process involves a two-step handshake: first, traditional Curve25519 encryption, followed by PQC using the latest lattice-based ML-KEM algorithm. Budvytis notes, "The system derives a final encryption key by combining secrets from both layers."
Surfshark did not alter the WireGuard protocol as it already utilized the original Pre-Shared Key (PSK) mechanism for data authentication. This integration ensures backward compatibility, allowing secure data transmission through secure keys generated during the handshake phase.
While past sessions cannot be secured, future sessions remain fortified even if a quantum computer targets them later. Budvytis adds, "Users might feel safer knowing that their VPN sessions are future-proof; even if the encryption keys are stolen, they cannot be used to decrypt past traffic."
Readiness in the post-quantum world
As Surfshark continues to enhance its encryption system, the company is also urging businesses and governments to improve preparedness by increasing training and implementing advanced security measures in an increasingly imminent post-quantum landscape.
Although the capabilities of quantum computers are still limited, Surfshark warns that they could soon become powerful enough to breach current encryption systems, potentially cracking codes in hours that would take traditional computers years to solve.
The significant risk lies in hackers who steal large amounts of encrypted data today, as they could easily unlock and access it once quantum computers become available. This phenomenon, termed 'Harvest now, decrypt later', poses a latent threat to data believed to be secure today.
A recent study by Surfshark analyzed 40 of the most popular apps across banking, shopping, social media, and messaging sectors, revealing that only 8% are currently quantum-resistant.
Approximately 65% of the analyzed apps lack public information regarding their PQC adoption plans, while only 30% of the app developers are conducting research or planning to become quantum-resistant.
This issue is critical, as upgrading security on your VPN only addresses part of the problem. Budvytis explains, "Imagine someone making a bank transfer. Even if you use a VPN with post-quantum protection that encrypts the entire process, your data remains vulnerable if the bank itself lacks similar protection. This could lead to significant financial losses for both the individual and the bank."
TikTok was identified as the only social media app currently quantum-resistant. Messaging apps are the most prepared category, with Google, the owner of Google Messages, and Meta, the owner of WhatsApp and Messenger, taking proactive steps to shield themselves from quantum threats.
Surfshark joins other VPN services that have already adopted secure quantum encryption, including Mullvad, ExpressVPN, and NordVPN, with the latter recently announcing its ongoing efforts to implement quantum protection in its login phase. A new era in VPN security is dawning.