LatticeScan

vercel.com

12 endpoints tested · 180 hostnames found in public certificate logs · scanned Jul 14, 2026

B
LinkedIn

3 of 12 endpoints still use a classical key exchange. Someone can record that traffic today and decrypt it once a quantum computer exists.

Findings

  • critical

    3 of 12 endpoints are exposed to harvest-now-decrypt-later

    These endpoints negotiate a classical key exchange (ECDH/X25519). Traffic captured today can be decrypted retroactively once a cryptographically-relevant quantum computer exists. This is the only quantum risk that applies to data you have already sent — and it is fixable today by enabling a hybrid ML-KEM group (X25519MLKEM768), which every current major browser already supports.

    email.info.vercel.com · assets.vercel.com · image.ship.vercel.com

  • info

    9 endpoints already negotiate post-quantum key exchange

    Hybrid ML-KEM is active (X25519MLKEM768). Traffic to these endpoints is protected against retroactive decryption.

    cdn1.vercel.com · datarequest.vercel.com · vercel.com · cdn2.vercel.com · checkout.vercel.com · auth.vercel.com · go.vercel.com · examples.vercel.com · admin.vercel.com

  • medium

    All 12 certificates use classical signature keys

    Certificate keys (RSA/ECDSA) are broken by Shor's algorithm, but unlike key exchange this is not retroactively exploitable — a signature only needs to resist forgery while it is still trusted. No publicly-trusted CA issues ML-DSA certificates yet, so there is no action available today. NIST deprecates these algorithms after 2030 and disallows them after 2035.

    cdn1.vercel.com · datarequest.vercel.com · vercel.com · cdn2.vercel.com · checkout.vercel.com · auth.vercel.com · go.vercel.com · examples.vercel.com · email.info.vercel.com · assets.vercel.com · image.ship.vercel.com · admin.vercel.com

Endpoints

HostKey exchangeTLSCertificate key
cdn1.vercel.comX25519MLKEM768TLSv1.3RSA 2048
datarequest.vercel.comX25519MLKEM768TLSv1.3RSA 2048
vercel.comX25519MLKEM768TLSv1.3RSA 2048
cdn2.vercel.comX25519MLKEM768TLSv1.3RSA 2048
checkout.vercel.comX25519MLKEM768TLSv1.3ECDSA prime256v1
auth.vercel.comX25519MLKEM768TLSv1.3ECDSA prime256v1
go.vercel.comX25519MLKEM768TLSv1.3ECDSA prime256v1
examples.vercel.comX25519MLKEM768TLSv1.3RSA 2048
email.info.vercel.comclassicalTLSv1.3RSA 2048
assets.vercel.comclassicalTLSv1.3RSA 2048
image.ship.vercel.comclassicalTLSv1.3RSA 2048
admin.vercel.comX25519MLKEM768TLSv1.3RSA 2048

Compliance evidence

No security questionnaire asks about quantum yet. They do ask what cryptography you run and how you manage it, and most companies struggle to answer that with anything solid. A scan gives you something to point to.

CEK-04
CSA Cloud Controls Matrix
Encryption Algorithm
Observed key exchange, cipher suite and certificate key algorithm for every reachable endpoint (9/12 endpoints on post-quantum key exchange).
CEK-05
CSA Cloud Controls Matrix
Encryption Change Management
Baseline of algorithms in use, so any cryptographic change is detectable against a known-good snapshot.
CEK-07
CSA Cloud Controls Matrix
Encryption Risk Management
Quantum exposure assessed per endpoint, separating retroactively-exploitable key exchange from forward-only signature risk.
CEK-21
CSA Cloud Controls Matrix
Key Inventory Management
46 certificates and 180 hostnames enumerated from public Certificate Transparency logs.
A.8.24
ISO/IEC 27001:2022
Use of cryptography
Documented, dated record of which cryptographic algorithms are actually deployed — the evidence this control asks for.
Crypto Inventory
US EO 14412 / OMB M-26-15
Automated Cryptographic Inventory
Machine-generated inventory of cryptographic assets, exportable as a CycloneDX CBOM.
Download CBOM (CycloneDX JSON)

This is only the outside view

A scan like this sees your public endpoints. The rest of your cryptography lives in your code, your internal services, your key stores, and the software you buy from other people. If you run cryptography at the scale of a bank, an airline, or a retailer and want the full picture, or a walkthrough for your security team, get in touch.

Talk to us