Data Protection

Google Working Towards Quantum-Safe Chrome HTTPS Certificates 

The internet giant is developing an evolution of the certificates based on Merkle Tree Certificates (MTCs).

Chrome security

Google has announced plans to improve the resilience of Chrome’s HTTPS certificates against quantum computers by evolving them based on Merkle Tree Certificates (MTCs).

According to Google, the Chrome Root Store will not immediately accept certificates containing post-quantum cryptography, as they would impact the performance and bandwidth usage of TLS connections that require Certificate Transparency (CT).

Instead, Chrome will move towards HTTPS certificates based on MTCs, which use the compact Merkle Tree proofs to eliminate the bandwidth usage of classical X.509 certificate chains.

“In this model, a Certification Authority (CA) signs a single ‘Tree Head’ representing potentially millions of certificates, and the ‘certificate’ sent to the browser is merely a lightweight proof of inclusion in that tree,” Google explains.

MTCs shrink the authentication data in the TLS handshake, decouple the size of the transmitted data from the security strength of the cryptographic algorithm, and ensure that the post-quantum web is as fast as today’s internet while providing stronger security.

“Finally, with MTCs, transparency is a fundamental property of issuance: it is impossible to issue a certificate without including it in a public tree. This means the security properties of today’s CT ecosystem are included by default, and without adding extra overhead to the TLS handshake as CT does today,” Google notes.

Advertisement. Scroll to continue reading.

Google has been experimenting with MTCs in Chrome and has partnered with Cloudflare to assess the performance and security of TLS connections relying on them. Currently, the MTC-based connections in the browser are backed by trusted X.509 certificates.

In the first quarter of 2027, after the core technology has been validated, CT Log operators who had at least one usable log in Chrome before February 1, 2026, will be invited to participate in bootstrapping public MTCs.

“These organizations have already demonstrated the operational excellence and high-availability infrastructure required to run global security services that underpin TLS connections in Chrome. Since MTC technology shares significant architectural similarities with CT, these operators are uniquely qualified to ensure MTCs are able to get off the ground quickly and successfully,” Google says.

By the third quarter of 2027, Google expects to finalize the requirements for onboarding CAs into a new Chrome Quantum-resistant Root Store (CQRS) and into the corresponding MTCs-only Root Program.

“This will establish a modern, purpose-built trust store specifically designed for the requirements of a post-quantum web. The Chrome Quantum-resistant Root Program will operate alongside our existing Chrome Root Program to ensure a risk-managed transition that maintains the highest levels of security for all users,” the internet giant says.

During the third phase, sites will be able to opt in to downgrade protections, so that only sites interested in using quantum-resistant certificates can do so.

Related: Google Disrupts Chinese Hackers Targeting Telecoms, Governments

Related: NIST’s Quantum Breakthrough: Single Photons Produced on a Chip

Related: Google Patches First Actively Exploited Chrome Zero-Day of 2026

Related: Cyber Insights 2026: Quantum Computing and the Potential Synergy With Advanced AI

Related Content

Vulnerabilities

Fifteen of the newly patched flaws have been rated ‘critical’ and 67 have been rated ‘high severity’.

Vulnerabilities

More than half of the bugs are use-after-free defects, which can potentially lead to remote code execution.

Data Protection

Federal agencies are required to transition high-value assets and high-impact systems to use PQC by the end of 2030 and 2031.

Vulnerabilities

The browser updates address multiple memory safety bugs that could potentially lead to remote code execution.

Vulnerabilities

The browser refresh resolved critical and high-severity security defects, including a dozen use-after-free bugs.

Vulnerabilities

The vulnerability is tracked as CVE-2026-11645 and it was reported in late April by an anonymous researcher.

Vulnerabilities

Over 100 bugs are critical or high-severity, mainly use-after-free and insufficient validation of untrusted input flaws.

Vulnerabilities

The browser update resolves critical-severity security defects that could potentially lead to remote code execution.

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.

Exit mobile version