LatticeScan

emirates.com

10 endpoints tested · 101 hostnames found in public certificate logs · scanned Jul 14, 2026

D
LinkedIn

10 of 10 endpoints still use classical key exchange. Traffic captured today can be decrypted later, once a quantum computer exists.

Findings

  • critical

    10 of 10 endpoints are exposed to harvest-now-decrypt-later

    These endpoints negotiate a classical key exchange (ECDH/X25519). Traffic captured today can be decrypted retroactively once a cryptographically-relevant quantum computer exists. This is the only quantum risk that applies to data you have already sent — and it is fixable today by enabling a hybrid ML-KEM group (X25519MLKEM768), which every current major browser already supports.

    www.emirates.com · ae.emirates.com · accounts.emirates.com · emirates.com · bah.emirates.com · corporate.emirates.com · accountsuat.emirates.com · cdn.emirates.com · api.emirates.com · auth.emirates.com

  • medium

    All 10 certificates use classical signature keys

    Certificate keys (RSA/ECDSA) are broken by Shor's algorithm, but unlike key exchange this is not retroactively exploitable — a signature only needs to resist forgery while it is still trusted. No publicly-trusted CA issues ML-DSA certificates yet, so there is no action available today. NIST deprecates these algorithms after 2030 and disallows them after 2035.

    www.emirates.com · ae.emirates.com · accounts.emirates.com · emirates.com · bah.emirates.com · corporate.emirates.com · accountsuat.emirates.com · cdn.emirates.com · api.emirates.com · auth.emirates.com

  • high

    1 endpoint do not support TLS 1.3

    TLS 1.3 is a prerequisite for post-quantum key exchange. These endpoints cannot be made quantum-safe until they are upgraded.

    auth.emirates.com

Endpoints

HostKey exchangeTLSCertificate key
mail.emirates.comread ECONNRESET
www.emirates.comclassicalTLSv1.3ECDSA prime256v1
ae.emirates.comclassicalTLSv1.3ECDSA prime256v1
accounts.emirates.comclassicalTLSv1.3ECDSA prime256v1
emirates.comclassicalTLSv1.3ECDSA prime256v1
bah.emirates.comclassicalTLSv1.3ECDSA prime256v1
corporate.emirates.comclassicalTLSv1.3ECDSA prime256v1
accountsuat.emirates.comclassicalTLSv1.3ECDSA prime256v1
cdn.emirates.comclassicalTLSv1.3ECDSA prime256v1
api.emirates.comclassicalTLSv1.3ECDSA prime256v1
auth.emirates.comclassicalTLSv1.2RSA 2048
autodiscover.emirates.comtimeout

Compliance evidence

No questionnaire asks about quantum yet. They do ask what cryptography you use and how you manage it — and most companies cannot answer with evidence. This scan is that evidence.

CEK-04
CSA Cloud Controls Matrix
Encryption Algorithm
Observed key exchange, cipher suite and certificate key algorithm for every reachable endpoint (0/10 endpoints on post-quantum key exchange).
CEK-05
CSA Cloud Controls Matrix
Encryption Change Management
Baseline of algorithms in use, so any cryptographic change is detectable against a known-good snapshot.
CEK-07
CSA Cloud Controls Matrix
Encryption Risk Management
Quantum exposure assessed per endpoint, separating retroactively-exploitable key exchange from forward-only signature risk.
CEK-21
CSA Cloud Controls Matrix
Key Inventory Management
76 certificates and 101 hostnames enumerated from public Certificate Transparency logs.
A.8.24
ISO/IEC 27001:2022
Use of cryptography
Documented, dated record of which cryptographic algorithms are actually deployed — the evidence this control asks for.
Crypto Inventory
US EO 14412 / OMB M-26-15
Automated Cryptographic Inventory
Machine-generated inventory of cryptographic assets, exportable as a CycloneDX CBOM.
Download CBOM (CycloneDX JSON)

This is the outside view. The inside is bigger.

This scan sees your public endpoints. Your real cryptographic estate also lives in code, internal services, key stores and the software you buy. If you run cryptography at the scale of a bank, an airline or a retailer and need the whole inventory — or a briefing for your security team — we can help.

Talk to us