LatticeScan

epaysystems.com

8 endpoints tested · 14 hostnames found in public certificate logs · scanned Jul 15, 2026

B
LinkedIn

In plain English

Some of this site needs an upgrade before it can be protected.

Some endpoints here do not support TLS 1.3, the modern version of the encryption every browser uses. Quantum-safe protection needs TLS 1.3, so those parts have to be upgraded first before anything else can happen.

Here is why it matters even though quantum computers are not here yet. Someone can record encrypted traffic to these endpoints today, store it, and unlock it years from now once the technology catches up. Anything sent now that has to stay private for a long time is the real concern.

What to do: upgrade the endpoints that are still on older TLS to TLS 1.3. Whoever runs the site or its hosting will know how. Once that is done, quantum-safe key exchange can be switched on.

One thing not to worry about yet: the certificates here use today's standard signatures. There is nothing to change about that right now, because no certificate authority issues quantum-safe certificates yet, and the standards do not require the switch until after 2030.

Findings

  • critical

    3 of 8 endpoints are exposed to harvest-now-decrypt-later

    These endpoints still use a classical key exchange (ECDH/X25519). Someone can capture that traffic now and decrypt it later, once a real quantum computer exists. It is the one quantum risk that reaches data you have already sent, and you can close it today by turning on a hybrid ML-KEM group (X25519MLKEM768). Every current major browser already supports it.

    azuretime.epaysystems.com · time.epaysystems.com · tlm.epaysystems.com

  • info

    5 endpoints already negotiate post-quantum key exchange

    Hybrid ML-KEM is active (X25519MLKEM768). Traffic to these endpoints is protected against retroactive decryption.

    epaysystems.com · test.epaysystems.com · offers.epaysystems.com · blog.epaysystems.com · www.epaysystems.com

  • medium

    All 8 certificates use classical signature keys

    A quantum computer can also break certificate keys (RSA/ECDSA), but this one is not urgent the way key exchange is. A signature only has to hold up while the certificate is still trusted, and nobody can forge it after the fact. No public certificate authority issues quantum-safe (ML-DSA) certificates yet, so there is nothing to switch to right now. NIST winds these algorithms down after 2030 and bars them after 2035.

    epaysystems.com · test.epaysystems.com · offers.epaysystems.com · blog.epaysystems.com · www.epaysystems.com · azuretime.epaysystems.com · time.epaysystems.com · tlm.epaysystems.com

  • high

    1 endpoint do not support TLS 1.3

    Post-quantum key exchange needs TLS 1.3. Until you upgrade these endpoints, there is no way to make them quantum-safe.

    tlm.epaysystems.com

Endpoints

HostKey exchangeTLSCertificate key
epaysystems.comX25519MLKEM768TLSv1.3ECDSA prime256v1
test.epaysystems.comX25519MLKEM768TLSv1.3ECDSA prime256v1
offers.epaysystems.comX25519MLKEM768TLSv1.3ECDSA prime256v1
blog.epaysystems.comX25519MLKEM768TLSv1.3ECDSA prime256v1
www.epaysystems.comX25519MLKEM768TLSv1.3ECDSA prime256v1
azuretime.epaysystems.comclassicalTLSv1.3RSA 2048
time.epaysystems.comclassicalTLSv1.3RSA 2048
tlm.epaysystems.comclassicalTLSv1.2RSA 2048

Compliance evidence

No security questionnaire asks about quantum yet. They do ask what cryptography you run and how you manage it, and most companies struggle to answer that with anything solid. A scan gives you something to point to.

CEK-04
CSA Cloud Controls Matrix
Encryption Algorithm
Observed key exchange, cipher suite and certificate key algorithm for every reachable endpoint (5/8 endpoints on post-quantum key exchange).
CEK-05
CSA Cloud Controls Matrix
Encryption Change Management
Baseline of algorithms in use, so any cryptographic change is detectable against a known-good snapshot.
CEK-07
CSA Cloud Controls Matrix
Encryption Risk Management
Quantum exposure assessed per endpoint, separating retroactively-exploitable key exchange from forward-only signature risk.
CEK-21
CSA Cloud Controls Matrix
Key Inventory Management
14 certificates and 14 hostnames enumerated from public Certificate Transparency logs.
A.8.24
ISO/IEC 27001:2022
Use of cryptography
A dated record of the cryptographic algorithms actually running, which is what this control asks you to show.
Crypto Inventory
US EO 14412 / OMB M-26-15
Automated Cryptographic Inventory
Machine-generated inventory of cryptographic assets, exportable as a CycloneDX CBOM.
Download CBOM (CycloneDX JSON)

This is only the outside view

A scan like this sees your public endpoints. The rest of your cryptography lives in your code, your internal services, your key stores, and the software you buy from other people. If you run cryptography at the scale of a bank, an airline, or a retailer and want the full picture, or a walkthrough for your security team, get in touch.

Talk to us