PQ Crypta Launches Enterprise HTTP/3 QUIC & WebTransport Scanner with 100+ Data Points

FOR IMMEDIATE RELEASE
January 31, 2026
Native Rust Implementation Delivers Sub-Second Protocol Analysis

Today, PQ Crypta announces the release of its HTTP/3 QUIC & WebTransport Scanner—an enterprise-grade protocol analysis tool built on a native Rust QUIC stack that extracts over 100 data points per scan, identifies 50+ server implementations, and delivers ML-powered security recommendations in under 200 milliseconds.

The Challenge: Protocol Visibility in Modern Infrastructure

As HTTP/3 adoption accelerates (now supported by Cloudflare, Google, Facebook, Fastly, and major CDNs), organizations face a critical visibility gap. Traditional tools can't answer fundamental questions:

Is our HTTP/3 actually accessible to browsers, or just configured?
Are we vulnerable to 0-RTT replay attacks?
What QUIC implementation is our CDN running?
Do we support post-quantum hybrid key exchange?
Is our WebTransport endpoint properly configured?

Browser DevTools show basic protocol information. Network analyzers require packet capture. Neither provides the deep metadata that security teams and performance engineers need.

"When we built this scanner, we wanted to expose everything the protocols actually negotiate—not just what's advertised. The difference between 'server supports HTTP/3' and 'browsers can actually use HTTP/3' is the difference between Grade A and Grade C. That distinction matters for security and performance."

— Allan Riddel, Founder of PQ Crypta

The Solution: Native QUIC Deep Inspection

Unlike browser-based or curl-based scanners, PQ Crypta's scanner uses native Rust QUIC libraries (quinn, h3, rustls) to establish real QUIC connections and extract metadata directly from the protocol handshake.

Technical Capabilities

Native QUIC Stack: Quinn library (RFC 9000 compliant) + h3 for HTTP/3 (RFC 9114)
Parallel Protocol Probing: Simultaneous HTTP/3, HTTP/2, HTTP/1.1 testing
100+ Data Points: Transport params, TLS extensions, connection metrics, security features
Server Fingerprinting: Identifies 50+ implementations with 95% confidence for major CDNs
PQC Detection: Detects X25519MLKEM768 and other post-quantum hybrid key exchanges
Sub-Second Scans: Typical completion in 50-200ms

5-Tier Grading System

The scanner introduces a security-focused grading system that distinguishes between server capability and browser accessibility:

A++ (Ultimate): HTTP/3 accessible + 0-RTT disabled + WebTransport enabled
A+ (Excellent): HTTP/3 accessible + 0-RTT disabled (most secure)
A (Good): HTTP/3 accessible + 0-RTT enabled (replay attack risk)
C (Misconfigured): Server speaks HTTP/3 but browsers can't discover it (missing Alt-Svc)
F (Legacy): No HTTP/3 support

This grading exposes a common misconfiguration: servers with HTTP/3 enabled on the origin but no Alt-Svc header, causing browsers to fall back to HTTP/2 despite server capability.

Comprehensive Metadata Extraction

Each scan extracts detailed metadata across eight categories:

QUIC Transport Parameters (18 fields)

Flow control limits, idle timeout, max UDP payload size, datagram frame support, connection migration settings, and GREASE bit configuration. These parameters reveal server tuning and implementation characteristics.

TLS Extensions (14 fields)

ALPN protocols, key share groups (including X25519MLKEM768 for post-quantum), signature algorithms, ECH support, certificate compression, and GREASE extension usage. Critical for security assessment.

Server Fingerprinting (5 fields)

Implementation identification using 3-tier detection: header analysis (95% confidence), domain analysis (85%), and transport parameter patterns (70%). Identifies Cloudflare, Google GFE, Facebook mvfst, nginx-quic, LiteSpeed, Caddy, Fastly, and 40+ more.

Connection Metrics (20 fields)

Handshake time, time-to-first-byte, RTT estimates, congestion window, packets sent/lost, loss rate percentage, path MTU discovery status, and congestion controller type (CUBIC, BBR, Reno).

Security Features (10 fields)

Retry packet usage, address validation, anti-amplification limits (3x standard), stateless reset support, and rate limiting detection.

HTTP/3 Settings (12 fields)

QPACK configuration, WebTransport enablement, DATAGRAM support, and RFC 9218 priority support.

HTTP/3 Headers (11 fields)

Alt-Svc, Server-Timing, Priority, Accept-CH client hints, NEL (Network Error Logging), Report-To, and 103 Early Hints detection.

WebTransport Capabilities (17 fields)

Session limits, stream types, datagram support, flow control, authentication requirements, and session establishment latency.

ML-Powered Recommendations

The scanner uses machine learning (RandomForest classifier with 100 trees) trained on historical scan data to provide contextual, actionable recommendations:

Security Alerts: 0-RTT replay attack risks with specific remediation steps
Configuration Fixes: Missing Alt-Svc headers, HTTP/1.1 legacy exposure
Performance Opportunities: WebTransport enablement, protocol upgrade paths
Platform-Specific Guidance: Tailored instructions for Cloudflare, nginx, Apache

Recommendations include effectiveness scores and are filtered by context—no redundant advice for sites that already implement best practices.

Real-World Results

Analysis of 480+ scanned websites reveals:

~77% Grade F: Still on HTTP/2 or HTTP/1.1 only
~9% Grade A: HTTP/3 with 0-RTT enabled (replay risk)
~8% Grade A+: HTTP/3 with 0-RTT disabled (secure)
~5% Grade C: HTTP/3 enabled but misconfigured (no Alt-Svc)
<1% Grade A++: Full HTTP/3 + WebTransport (cutting-edge)

The Grade C category represents a significant discovery: servers where operators believe HTTP/3 is working, but browsers silently fall back to HTTP/2 due to missing advertisement headers.

Try It Now

Free Public Scanner

Web Interface: pqcrypta.com/http3-quic/
URL Parameter: pqcrypta.com/http3-quic/?url=example.com
Path-Based: pqcrypta.com/http3-quic/example.com

API Access

curl -X POST https://api.pqcrypta.com/http3-scanner/scan \
  -H "Content-Type: application/json" \
  -d '{"url": "https://cloudflare.com"}'

Technical Specifications

Scanner Engine

Language: Rust (memory-safe, high-performance)
QUIC Library: quinn 0.11+ (RFC 9000)
HTTP/3 Library: h3 0.0.6+ (RFC 9114)
TLS Library: rustls 0.23+ (TLS 1.3)
Async Runtime: tokio

Performance

Scan Duration: 50-200ms typical
Concurrent Capacity: 100 simultaneous scans
Memory per Scan: 2-5 MB
Timeout: 30 seconds

Data Extraction

Root Response Fields: 28
QUIC Transport Parameters: 18
TLS Extensions: 14
Connection Metrics: 20
Security Features: 10
HTTP/3 Settings: 12
Total Data Points: 100+

What's Next

The HTTP/3 scanner is part of PQ Crypta's broader mission to provide visibility into modern protocol adoption and post-quantum readiness. Upcoming features include:

Bulk scanning API for enterprise infrastructure assessment
Historical tracking and trend analysis
Certificate chain analysis with PQC signature detection
Integration with CI/CD pipelines for automated testing
Webhook notifications for protocol changes

About PQ Crypta

PQ Crypta builds enterprise-grade tools for the post-quantum era. Our platform implements NIST-standardized algorithms (ML-KEM-1024, ML-DSA-87, SLH-DSA), provides HTTP/3 QUIC infrastructure analysis, and delivers production-ready quantum-resistant encryption. We're committed to making advanced cryptography accessible and interoperable.

Website: pqcrypta.com
HTTP/3 Scanner: pqcrypta.com/http3-quic/
Email: allan@pqcrypta.com
GitHub: github.com/PQCrypta

AUTONOMY DIRECTORATE

🏠 Main

🧪 Interactive Apps

📰 News

📚 Documents ▼

🎓 Educational Animations ▼

🎨 Visual Effects ▼

👤 Account

🧬 Company & Legal ▼

🛠️ Utilities ▼

🛡️ Security ▼

🚧 Under Development ▼

⟨ QUANTUM ERROR PORTAL ⟩