youtube.com
12 endpoints tested · 696 hostnames found in public certificate logs · scanned Jul 15, 2026
In plain English
Good news. This site is already quantum-safe where it counts.
Every endpoint we could reach already uses quantum-safe key exchange. That puts this site ahead of almost everyone. There is nothing to fix on that front.
One thing not to worry about yet: the certificates here use today's standard signatures. There is nothing to change about that right now, because no certificate authority issues quantum-safe certificates yet, and the standards do not require the switch until after 2030.
Findings
- info
12 endpoints already negotiate post-quantum key exchange
Hybrid ML-KEM is active (X25519MLKEM768). Traffic to these endpoints is protected against retroactive decryption.
nflst.youtube.com · creatoracademy.youtube.com · admin.youtube.com · music.youtube.com · app.youtube.com · youtube.com · www.youtube.com · payments.youtube.com · www.nflst.youtube.com · rtmps.youtube.com · upload.youtube.com · www.creatoracademy.youtube.com
- medium
All 12 certificates use classical signature keys
A quantum computer can also break certificate keys (RSA/ECDSA), but this one is not urgent the way key exchange is. A signature only has to hold up while the certificate is still trusted, and nobody can forge it after the fact. No public certificate authority issues quantum-safe (ML-DSA) certificates yet, so there is nothing to switch to right now. NIST winds these algorithms down after 2030 and bars them after 2035.
nflst.youtube.com · creatoracademy.youtube.com · admin.youtube.com · music.youtube.com · app.youtube.com · youtube.com · www.youtube.com · payments.youtube.com · www.nflst.youtube.com · rtmps.youtube.com · upload.youtube.com · www.creatoracademy.youtube.com
Endpoints
| Host | Key exchange | TLS | Certificate key |
|---|---|---|---|
| nflst.youtube.com | X25519MLKEM768 | TLSv1.3 | ECDSA prime256v1 |
| creatoracademy.youtube.com | X25519MLKEM768 | TLSv1.3 | ECDSA prime256v1 |
| admin.youtube.com | X25519MLKEM768 | TLSv1.3 | ECDSA prime256v1 |
| music.youtube.com | X25519MLKEM768 | TLSv1.3 | ECDSA prime256v1 |
| app.youtube.com | X25519MLKEM768 | TLSv1.3 | ECDSA prime256v1 |
| youtube.com | X25519MLKEM768 | TLSv1.3 | ECDSA prime256v1 |
| www.youtube.com | X25519MLKEM768 | TLSv1.3 | ECDSA prime256v1 |
| payments.youtube.com | X25519MLKEM768 | TLSv1.3 | ECDSA prime256v1 |
| www.nflst.youtube.com | X25519MLKEM768 | TLSv1.3 | ECDSA prime256v1 |
| rtmps.youtube.com | X25519MLKEM768 | TLSv1.3 | RSA 2048 |
| upload.youtube.com | X25519MLKEM768 | TLSv1.3 | ECDSA prime256v1 |
| www.creatoracademy.youtube.com | X25519MLKEM768 | TLSv1.3 | ECDSA prime256v1 |
Compliance evidence
No security questionnaire asks about quantum yet. They do ask what cryptography you run and how you manage it, and most companies struggle to answer that with anything solid. A scan gives you something to point to.
CEK-04 CSA Cloud Controls Matrix | Encryption Algorithm Observed key exchange, cipher suite and certificate key algorithm for every reachable endpoint (12/12 endpoints on post-quantum key exchange). |
CEK-05 CSA Cloud Controls Matrix | Encryption Change Management Baseline of algorithms in use, so any cryptographic change is detectable against a known-good snapshot. |
CEK-07 CSA Cloud Controls Matrix | Encryption Risk Management Quantum exposure assessed per endpoint, separating retroactively-exploitable key exchange from forward-only signature risk. |
CEK-21 CSA Cloud Controls Matrix | Key Inventory Management 100 certificates and 696 hostnames enumerated from public Certificate Transparency logs. |
A.8.24 ISO/IEC 27001:2022 | Use of cryptography A dated record of the cryptographic algorithms actually running, which is what this control asks you to show. |
Crypto Inventory US EO 14412 / OMB M-26-15 | Automated Cryptographic Inventory Machine-generated inventory of cryptographic assets, exportable as a CycloneDX CBOM. |
This is only the outside view
A scan like this sees your public endpoints. The rest of your cryptography lives in your code, your internal services, your key stores, and the software you buy from other people. If you run cryptography at the scale of a bank, an airline, or a retailer and want the full picture, or a walkthrough for your security team, get in touch.
Talk to us