Data Protection Google Working Towards Quantum-Safe Chrome HTTPS Certificates The internet giant is developing an evolution of the certificates based on Merkle Tree Certificates (MTCs). By Ionut Arghire | March 2, 2026 (6:33 AM ET) Flipboard Reddit Whatsapp Whatsapp Email Google has announced plans to improve the resilience of Chrome’s HTTPS certificates against quantum computers by evolving them based on Merkle Tree Certificates (MTCs). According to Google, the Chrome Root Store will not immediately accept certificates containing post-quantum cryptography, as they would impact the performance and bandwidth usage of TLS connections that require Certificate Transparency (CT). Instead, Chrome will move towards HTTPS certificates based on MTCs, which use the compact Merkle Tree proofs to eliminate the bandwidth usage of classical X.509 certificate chains. “In this model, a Certification Authority (CA) signs a single ‘Tree Head’ representing potentially millions of certificates, and the ‘certificate’ sent to the browser is merely a lightweight proof of inclusion in that tree,” Google explains . MTCs shrink the authentication data in the TLS handshake, decouple the size of the transmitted data from the security strength of the cryptographic algorithm, and ensure that the post-quantum web is as fast as today’s internet while providing stronger security. “Finally, with MTCs, transparency is a fundamental property of issuance: it is impossible to issue a certificate without including it in a public tree. This means the security properties of today’s CT ecosystem are included by default, and without adding extra overhead to the TLS handshake as CT does today,” Google notes. Advertisement. Scroll to continue reading. Google has been experimenting with MTCs in Chrome and has partnered with Cloudflare to assess the performance and security of TLS connections relying on them. Currently, the MTC-based connections in the browser are backed by trusted X.509 certificates. In the first quarter of 2027, after the core technology has been validated, CT Log operators who had at least one usable log in Chrome before February 1, 2026, will be invited to participate in bootstrapping public MTCs. “These organizations have already demonstrated the operational excellence and high-availability infrastructure required to run global security services that underpin TLS connections in Chrome. Since MTC technology shares significant architectural similarities with CT, these operators are uniquely qualified to ensure MTCs are able to get off the ground quickly and successfully,” Google says. By the third quarter of 2027, Google expects to finalize the requirements for onboarding CAs into a new Chrome Quantum-resistant Root Store (CQRS) and into the corresponding MTCs-only Root Program. “This will establish a modern, purpose-built trust store specifically designed for the requirements of a post-quantum web. The Chrome Quantum-resistant Root Program will operate alongside our existing Chrome Root Program to ensure a risk-managed transition that maintains the highest levels of security for all users,” the internet giant says. During the third phase, sites will be able to opt in to downgrade protections, so that only sites interested in using quantum-resistant certificates can do so. Related: Google Disrupts Chinese Hackers Targeting Telecoms, Governments Related: NIST’s Quantum Breakthrough: Single Photons Produced on a Chip Related: Google Patches First Actively Exploited Chrome Zero-Day of 2026 Related: Cyber Insights 2026: Quantum Computing and the Potential Synergy With Advanced AI Written By Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. More from Ionut Arghire Aeternum Botnet Loader Employs Polygon Blockchain C&C to Boost Resilience Gambit Security Emerges From Stealth With $61 Million in Funding Zyxel Patches Critical Vulnerability in Many Device Models US Sanctions Russian Exploit Broker Operation Zero Cisco Patches Catalyst SD-WAN Zero-Day Exploited by Highly Sophisticated Hackers SolarWinds Patches Four Critical Serv-U Vulnerabilities Ex-US Defense Contractor Executive Jailed for Selling Exploits to Russia CarGurus Data Breach Impacts Over 12 Million Users Latest News North Korean APT Targets Air-Gapped Systems in Recent Campaign US-Israel and Iran Trade Cyberattacks: Pro-West Hacks Cause Disruption as Tehran Retaliates Hackers Weaponize Claude Code in Mexican Government Cyberattack Canadian Tire Data Breach Impacts 38 Million Accounts Trump Orders All Federal Agencies to Phase Out Use of Anthropic Technology In Other News: ATT&CK Advisory Council, Russian Cyberattacks Aid Missile Strikes, Predator Bypasses iOS Indicators 38 Million Allegedly Impacted by ManoMano Data Breach 900 Sangoma FreePBX Instances Infected With Web Shells Trending Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: Identity Under Attack: Why Every Business Must Respond Now February 11, 2026 Attendees will walk away with guidance for how to build robust identity defenses, unify them under a consistent security model, and ensure business operations move quickly without compromise. Register Virtual Event: Ransomware Resilience & Recovery 2026 Summit February 25, 2026 SecurityWeek’s 2026 Ransomware Summit will discuss a roadmap for defending the enterprise, from mitigating root causes to mastering recovery, giving security teams the critical insights needed to navigate and neutralize today’s ransomware extortion threats. Submit People on the Move Predictive revenue system company Clari + Salesloft has named Peter Liebert as CISO. Nscale has appointed Latha Maripuri as Chief Information Security Officer. BreachRx has named Young-Sae Song as Chief Marketing Officer. More People On The Move Expert Insights Four Risks Boards Cannot Treat as Background Noise The goal isn’t about preventing every attack but about keeping the business running when attacks succeed. (Steve Durbin) How to Eliminate the Technical Debt of Insecure AI-Assisted Software Development Developers must view AI as a collaborator to be closely monitored, rather than an autonomous entity to be unleashed. Without such a mindset, crippling tech debt is inevitable. (Matias Madou) Security in the Dark: Recognizing the Signs of Hidden Information Security failures don’t always start with attackers, sometimes they start with missing truth. (Joshua Goldfarb) Living off the AI: The Next Evolution of Attacker Tradecraft Living off the AI isn’t a hypothetical but a natural continuation of the tradecraft we’ve all been defending against, now mapped onto assistants, agents, and MCP. (Etay Maor) Why We Can’t Let AI Take the Wheel of Cyber Defense The fastest way to squander the promise of AI is to mistake automation for assurance, and novelty for resilience. (Steve Durbin) Flipboard Reddit Whatsapp Whatsapp Email