AUTONOMY DIRECTORATE

๐Ÿ  Main

๐Ÿงช Interactive Apps

๐Ÿ“ฐ News

๐Ÿ›ก๏ธ PQ Crypta Proxy

๐Ÿ‘ค Account

โŸจ QUANTUM ERROR PORTAL โŸฉ

Navigate the Error Dimensions

PQ Crypta

Inside a Live PQC Edge: A Traffic & Protocol Analysis of the QUIC / HTTP-3 Internet

What 15,436 real requests and 563 internet scans reveal about HTTP/3, QUIC reuse, WebTransport, and the arrival of post-quantum TLS โ€” measured from both sides of the handshake.

QUIC / HTTP3 Traffic Flow Post-Quantum TLS Allan Riddel · PQ Crypta · 30 June 2026

Most HTTP/3 measurements are taken from the outside looking in โ€” a scanner knocks on a port and records what answers. We have a rarer vantage point: we operate a post-quantum edge. Our proxy speaks QUIC v1, HTTP/3 and WebTransport, and terminates TLS 1.3 with an X25519MLKEM768 hybrid key exchange and ML-DSA-44 authentication. That lets us watch the new UDP-based internet from both sides of the handshake at once โ€” first-party request logs and connection telemetry on one side, an active 563-domain protocol scan on the other.

Key findings at a glance
  • In our deployment, HTTP/2 effectively vanished from observed traffic โ€” 25% of edge requests were HTTP/3, 75% HTTP/1.1, and 0% HTTP/2, despite h2 being offered in ALPN.
  • QUIC connection reuse was high in our logs โ€” ~17.2 HTTP/3 requests per established connection.
  • In our 24-hour sample, a third of inbound QUIC never completed โ€” only 69% of QUIC connections finished the handshake; the rest is most likely reconnaissance, not malfunction.
  • Within our HTTP/3 scan population, PQC-TLS is the majority โ€” 52% of the 128 H3 sites we scanned offered a PQC-hybrid KEX, almost all X25519MLKEM768.
  • The transports past H3 were nearly empty in our scan โ€” MASQUE on 5%, WebTransport on 6% of the H3 sites we observed.
Methodology

Two datasets, two questions

Dataset 1 โ€” Edge flow (first-party). 15,436 requests through pqcrypta-proxy (Jun 29โ€“30, 2026), each tagged with its negotiated protocol token, plus 24 hours of QUIC-listener telemetry: incoming connections, completed handshakes, ALPN results and accept errors. This answers “what does traffic to us look like?”

Dataset 2 โ€” Scan corpus (active scan). 563 unique domains probed with a real QUIC handshake, recording H1/H2/H3 support, QUIC version, TLS version, 0-RTT, MASQUE, WebTransport, and โ€” critically โ€” the TLS key_share group and signature algorithm. This answers “what does the reachable HTTP/3 internet look like?”

Neither is a random sample of the web, and we label which dataset each figure comes from. The value is in watching the same protocols from both ends.

Part 1 ยท First-party edge ยท 48 hours

The shape of traffic at a QUIC edge

15,436
requests analysed (48 h)
25%
HTTP/3 share of all requests
0%
HTTP/2 โ€” the missing middle
17.2
requests per QUIC connection

The most striking result in our logs is the complete absence of HTTP/2 from observed traffic. It is not disabled โ€” it is offered in ALPN and served by the TCP stack โ€” it simply drew no requests over this window. The most plausible explanation: real browsers see Alt-Svc: h3, switch to QUIC and stay there, while everything else hitting the edge is a bot or crawler on HTTP/1.1. In our environment, traffic formed a barbell โ€” multiplexed H3 at one end, keep-alive H1 at the other, nothing in between. We would not claim this holds universally, but it is a clean operational observation worth recording.

Protocol distribution
15,436 requests ยท proxy access log ยท Jun 29โ€“30 2026
0HTTP/2 requests
HTTP/1.1 ยท 11,577 (75%) HTTP/3 ยท 3,860 (25%) HTTP/2 ยท 0 (0%)
QUIC connection lifecycle
24 h ยท QUIC-listener telemetry
Incoming QUIC36Handshake complete25 (69%)Accept timeout (probes)13Other accept error2
Only 69% of inbound QUIC completes โ€” the rest is UDP/443 reconnaissance.

Multiplexing in the wild: one handshake, ~17 requests

Across 24 hours, 431 HTTP/3 requests rode just 25 established QUIC connections. A single hybrid-PQC handshake is amortised across roughly seventeen multiplexed requests, with stream independence removing head-of-line blocking between them.

Connection reuse โ€” 1 handshake fans out into ~17 multiplexed requests
X25519MLKEM768 handshake (left) โ†’ multiplexed HTTP/3 request streams (right)
1 handshake X25519MLKEM768 17 request streams
Each green endpoint is an independent HTTP/3 request stream multiplexed over the same QUIC connection.

Where the H3 traffic goes

HTTP/3 requests by host
48 h ยท top hosts
pqpdf.com1,841api.pqcrypta.com1,645pqcrypta.com361stlweb.dev (+sub)18fated.org (+www)6
The profile is exactly what QUIC excels at โ€” many small, latency-sensitive API and telemetry calls over persistent connections (POST /api.php, /analytics/web/heartbeat).

WebTransport: built, advertised, and waiting. Our WebTransport endpoint is fully wired and origin-checked, yet over a seven-day window the only sessions came from a known measurement scanner. There is no organic WebTransport traffic to study yet โ€” we are provisioned ahead of demand, which is the right place to be.

Part 2 ยท Active scan ยท 563 domains

A 563-domain snapshot of the HTTP/3 internet

563
unique domains scanned
22.7%
support HTTP/3 (128 sites)
111
H3 sites on TLS 1.3
12
still on QUIC draft-29
Grade distribution (563 domains)
A++ = HTTP/3 + PQC-hybrid TLS; F = no QUIC at all
F399A+76A44C36A++8
The long tail of the web still has not deployed QUIC.
QUIC version among H3 sites
128 HTTP/3 sites
128H3 sites
QUIC v1 (RFC 9000) ยท 69 RFC 9114 (H3) ยท 47 draft-29 ยท 12
Who serves HTTP/3
Server header among 128 H3 sites
Cloudflare71(none)15nginx12pqcrypta8Google / other8
Cloudflare accounted for over half of the HTTP/3 sites in our scan.
Frontier feature adoption
Share of 128 H3 sites
0-RTT resumption34% (44)WebTransport6% (8)MASQUE CONNECT-UDP5% (7)
0-RTT has real uptake; MASQUE and WebTransport are barely deployed.
Part 3 ยท The post-quantum TLS frontier

Within our scan population, PQC-TLS is already the majority

This is where operating a PQC edge and scanning for PQC pays off: our scanner reads the TLS key_share group and signature directly from each handshake โ€” actual protocol analysis, not a header check. Among the 128 HTTP/3 sites we scanned, post-quantum TLS is no longer a rarity โ€” a majority of them offered a PQC-hybrid key exchange.

HTTP/3 sites offering PQC-hybrid key exchange
66 of 128 H3 sites
51.6%of the H3 sites we scanned offer a PQC hybrid KEX
Within our scan population, a majority of HTTP/3 sites negotiate a quantum-resistant key exchange.
Which PQC group won
Among PQC-hybrid H3 sites
X25519MLKEM76864x25519_kyber768 (legacy)2
Among the PQC sites in our scan, the IETF-standard X25519MLKEM768 (FIPS 203) dominates; pre-NIST Kyber is a rounding error. The PQC signature we observed is ML-DSA-44 (94 observations).
PQC-hybrid adoption by server vendor
Count of sites advertising a hybrid KEX
(self-hosted, no header)23Cloudflare21nginx14pqcrypta8Caddy / Kestrel / other8
A CDN giant plus a surprisingly broad base of self-hosters who rebuilt nginx/Caddy against an ML-KEM-capable TLS library.

Our own edge as ground truth

All eight pqcrypta-operated domains were scanned, and all eight negotiate X25519MLKEM768 + ML-DSA-44 on the wire โ€” earning the only A++ grades in the entire corpus. This cross-check validates the scanner's group/signature parsing against an edge whose configuration we control, and confirms the same suite is offered consistently across both the QUIC (rustls/aws-lc-rs) and TCP (OpenSSL 3.5) stacks.

api.pqcrypta.com      X25519MLKEM768  ML-DSA-44   A++
pqcrypta.com          X25519MLKEM768  ML-DSA-44   A++
pqpdf.com             X25519MLKEM768  ML-DSA-44   A++
fated.org             X25519MLKEM768  ML-DSA-44   A++
stlweb.dev            X25519MLKEM768  ML-DSA-44   A++
office.stlweb.dev     X25519MLKEM768  ML-DSA-44   A++
philibert.stlweb.dev  X25519MLKEM768  ML-DSA-44   A++
philibill.stlweb.dev  X25519MLKEM768  ML-DSA-44   A++
Part 4 ยท A defect this analysis surfaced

When a dashboard lies about your own key exchange

Cross-checking the scanner's view of our own edge against our configuration exposed a real, if cosmetic, inconsistency. Our deployed config set preferred_kem = "x25519_kyber768" โ€” a deprecated pre-NIST name. Because the legacy-pqc build feature is off by default, the parser silently resolved that value to none and fell through to the recommended hybrid order, which begins with X25519MLKEM768. So the wire was always correct (the A++ scan above proves it) โ€” but the startup banner, Prometheus active_kem metric and admin API all reported the deprecated name, contradicting the actual handshake.

The fix (shipped & verified). Config corrected to the canonical X25519MLKEM768; the parser hardened to emit a WARN on any unrecognised preferred_kem instead of silently dropping it; docs corrected. Post-deploy: startup banner, Prometheus metric and a live openssl s_client probe all now agree โ€” Negotiated TLS1.3 group: X25519MLKEM768. The wire never regressed; the reporting now tells the truth.

The lesson generalises: the single most useful finding here โ€” a metric lying about our own key exchange โ€” only surfaced because we scanned our own edge with the same tool we point at the internet. Ground-truth your dashboards against an external observer.

Conclusions

  1. In our deployment, HTTP/2 was vestigial. At this QUIC-first edge, traffic bifurcated into multiplexed H3 (browsers) and keep-alive H1 (machines), with h2 drawing no requests despite being enabled. Other deployments may differ โ€” but it is worth checking your own logs before tuning h2.
  2. QUIC multiplexing delivered โ€” ~17 requests per handshake in our logs โ€” which is exactly why amortising an expensive PQC-hybrid handshake over a long-lived connection is sound.
  3. Budget for UDP reconnaissance. In our sample a third of inbound QUIC never completed; treat incomplete QUIC as a likely recon floor on UDP/443, not malfunction.
  4. Within our scan population, PQC-TLS is the majority. 52% of the HTTP/3 sites we scanned offered a hybrid KEX, dominated by X25519MLKEM768 + ML-DSA-44; legacy Kyber was a rounding error.
  5. The transports past H3 โ€” MASQUE, WebTransport โ€” are built but not yet populated. Being provisioned for them today is a bet on the next phase.
  6. Operate what you measure. Ground-truth your telemetry against an external observer; that is how the config defect above surfaced.

Related reading: QUIC / HTTP3 / WebTransport hardening, the QUIC vs TCP real-world whitepaper, the HTTP/3 scanner, and the pqcrypta-proxy documentation.

Frequently Asked Questions

Why is there no HTTP/2 traffic at the edge?
In our deployment, HTTP/2 is offered in ALPN and served by the TCP stack, but it drew no requests over the measured window. The likely reason: browsers see Alt-Svc: h3 and switch to QUIC, staying on HTTP/3, while everything else (bots, crawlers, sitemap pingers, uptime monitors) speaks HTTP/1.1 with no QUIC stack. Traffic bifurcated into multiplexed H3 and keep-alive H1, leaving the middle protocol empty. We report this as an observation from our logs, not a universal claim.
How many requests does a single QUIC connection carry?
About 17. Over 24 hours, 431 HTTP/3 requests rode 25 established QUIC connections โ€” roughly 17.2 per connection. One relatively expensive X25519MLKEM768 handshake is amortised across many multiplexed requests, the core efficiency premise of HTTP/3 realised in practice.
Has post-quantum TLS actually been deployed on the public internet?
Yes โ€” and within the HTTP/3 population we scanned, it is the majority. Of 128 HTTP/3 sites, 66 (52%) advertised a PQC-hybrid key exchange, and 64 of those used the IETF-standard X25519MLKEM768. ML-DSA-44 was the post-quantum signature we observed. Only two sites still exposed the pre-NIST Kyber hybrid. This is our scan corpus, not a random sample of the whole web.
What share of inbound QUIC connections are scanners?
Roughly a third. Of 36 incoming QUIC connections in 24 hours, only 25 completed the handshake; 13 died as accept-timeout errors โ€” UDP Initials that fingerprint the listener but never finish. Budget for this reconnaissance floor on UDP/443.
Is WebTransport seeing real traffic yet?
Not yet. WebTransport is fully wired, origin-checked and routed, but over a seven-day window the only sessions came from a known measurement scanner. Across the full scan corpus, only 8 of 128 HTTP/3 sites advertise WebTransport and 7 advertise MASQUE CONNECT-UDP. These transports are built but not yet populated.