Domain PQ Encryption Status

Analyze any domain's encryption configuration, TLS setup, and post-quantum cryptography readiness. Get actionable security insights.

What You Need to Know

What This Tool Does

This analyzer performs a comprehensive security audit of a domain's encryption capabilities. It examines the TLS/SSL certificate, evaluates cipher suite configurations, checks for post-quantum cryptography support, and assesses vulnerability to quantum computer attacks. The tool provides a compliance score based on current best practices and NIST PQC standards, helping you understand your domain's quantum readiness.

Key Checks Performed

  • Certificate algorithm analysis (RSA, ECDSA, or PQC)
  • TLS version verification (1.2, 1.3, or experimental PQC)
  • Cipher suite security assessment
  • Post-quantum algorithm support detection
  • Quantum computer break-time estimation
  • Migration recommendations and compliance scoring

Understanding Results

  • Compliance Score 80-100: Quantum-ready with PQC algorithms
  • Compliance Score 60-79: Modern encryption but PQC migration needed
  • Compliance Score 40-59: Vulnerable, immediate action required
  • Compliance Score <40: Critical security risk, urgent upgrade needed

Understanding Domain Encryption

TLS/SSL Certificates

TLS (Transport Layer Security) certificates protect data in transit between clients and servers. Modern websites use TLS 1.2 or 1.3, which employ public-key cryptography (RSA or ECDSA) for key exchange and authentication. However, these algorithms are vulnerable to quantum computers running Shor's algorithm.

Cipher Suites

A cipher suite defines the algorithms used for key exchange, authentication, encryption, and message integrity. Examples include TLS_AES_256_GCM_SHA384 or TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256. Quantum-safe cipher suites use algorithms like Kyber for key exchange and Dilithium for signatures.

Migration Strategy

Migrating to PQC requires careful planning. Start with hybrid approaches that combine classical and post-quantum algorithms (e.g., ECDHE+Kyber). Test compatibility with older clients. Update certificate authorities, load balancers, and CDNs. Monitor performance impacts. Plan for a 6-18 month migration timeline for enterprise infrastructure.

Domain Post-Quantum Encryption Assessment

Domain PQC encryption assessment examines all cryptographic layers of a domain's security infrastructure for quantum vulnerability. A domain's encryption surface includes: TLS certificates and cipher suites used by the web server, DNS security (DNSSEC key algorithms), email authentication signatures (DKIM key sizes and algorithms), and any API or service endpoints. Each of these components may use RSA or ECC-based cryptography that is vulnerable to quantum attacks. A comprehensive domain assessment identifies which components need to be migrated to post-quantum alternatives and in which priority order, based on the sensitivity of the data protected and the expected quantum timeline.

TLS certificates present the most immediate migration challenge. Modern certificate authorities (CAs) are beginning to issue hybrid certificates combining classical ECDSA/RSA with ML-DSA or SLH-DSA signatures. The CA/Browser Forum and IETF are actively standardizing post-quantum certificate formats. For DNSSEC, RFC 9108 defines IANA allocations for post-quantum signature algorithms including FALCON and SLH-DSA. DKIM signatures (RFC 6376) currently only support RSA and Ed25519; post-quantum DKIM key types are under active IETF discussion. Key Transparency and Certificate Transparency (CT) logs will need to be updated to accommodate new algorithm OIDs.

The CNSA 2.0 suite (NSA, 2022) provides the most aggressive migration timeline: organizations handling national security information must migrate to ML-KEM and ML-DSA by 2030, with earlier adoption encouraged. NIST SP 800-208 and the NIST PQC Migration Guide (SP 800-227, draft) provide detailed guidance for enterprise migration. Key concepts in the assessment include: crypto-agility (designing systems to easily swap algorithms), harvest-now-decrypt-later threat modeling (adversaries storing encrypted traffic for future quantum decryption), and quantum-safe protocol negotiation during the hybrid transition period.

CLI Domain PQC Assessment

macOS / Linux

# Check TLS certificate algorithm
echo | openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -noout -text | grep -E "Public Key|Signature Algorithm"

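# Check DKIM key size for a selector (RSA keys, where p= is a base64 DER public key)
# dig may split a long TXT record into several quoted strings, so strip quotes and spaces first
dig +short TXT default._domainkey.example.com | tr -d '" ' | grep -o 'p=[^;]*' | cut -c3- | openssl base64 -d -A | openssl pkey -pubin -inform DER -noout -text | head -n 1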

# Scan for weak TLS configs
nmap --script ssl-cert,ssl-enum-ciphers -p 443 example.com

# Check DNSSEC algorithm (+multi appends a comment naming each key's algorithm as "alg = ...")
dig +multi DNSKEY example.com | grep -E "alg =|DNSKEY"
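
The script below is an added example, not code from this page or its tool: it classifies the certificate and DNSKEY algorithms printed by the commands above as classical (vulnerable to Shor's algorithm) or post-quantum. The function names are hypothetical, and the way an OpenSSL build spells ML-DSA, SLH-DSA or FALCON in its output is an assumption.

```shell
#!/bin/sh
# Added example: classify the algorithms reported by the commands above.

# classify NAME -> pqc | classical | unknown
# PQC names are the ones this page mentions; how a given OpenSSL build
# spells them in its output is an assumption.
classify() {
  lc=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  case "$lc" in
    *ml-dsa*|*slh-dsa*|*falcon*) echo pqc ;;
    *rsa*|*ecdsa*|*ecpublickey*|*ed25519*|*ed448*) echo classical ;;
    *) echo unknown ;;
  esac
}

# Reads `openssl x509 -noout -text` output on stdin.
cert_verdict() {
  text=$(cat)
  key=$(printf '%s\n' "$text" | sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1)
  sig=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
  echo "key=${key}($(classify "$key")) sig=${sig}($(classify "$sig"))"
}

# Reads `dig +short DNSKEY <zone>` lines on stdin: "<flags> <proto> <alg> <key>".
dnskey_verdict() {
  while read -r flags proto alg key; do
    [ -n "$alg" ] || continue
    case "$flags" in 257) role=KSK ;; 256) role=ZSK ;; *) role="flags=$flags" ;; esac
    case "$alg" in            # IANA DNSSEC algorithm numbers
      5|7|8|10) name=RSA ;;
      13|14)    name=ECDSA ;;
      15)       name=ED25519 ;;
      16)       name=ED448 ;;
      *)        name="alg$alg" ;;
    esac
    echo "$role alg=$alg $name $(classify "$name")"
  done
}

# Live use: sh script.sh example.com (skipped when no argument is given).
if [ -n "${1:-}" ]; then
  echo | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null |
    openssl x509 -noout -text | cert_verdict
  dig +short DNSKEY "$1" | dnskey_verdict
fi
```

An "unknown" verdict means the name was not recognised and should be reviewed by hand rather than treated as safe.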

Windows PowerShell

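# Get TLS certificate details via PowerShell
# Use openssl.exe (install via winget install ShiningLight.OpenSSL)
# The empty string closes stdin so s_client exits after the handshake; 2>$null discards stderr in PowerShell
"" | openssl s_client -connect example.com:443 2>$null | openssl x509 -noout -text | findstr "Algorithm"

# Or use certutil for local certificates
# certutil -verify takes a certificate file, not a hostname; example.com.cer is a placeholder for a certificate saved to disk
certutil -verify -urlfetch example.com.cer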