pqcheck 0.1.0 → 0.1.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +112 -0
- package/bin/pqcheck.js +3 -1
- package/package.json +14 -4
package/README.md
ADDED
|
@@ -0,0 +1,112 @@
|
|
|
1
|
+
# pqcheck
|
|
2
|
+
|
|
3
|
+
> **Public Surface Blast Radius scanner** — find out how much of your data unlocks when quantum decryption arrives.
|
|
4
|
+
|
|
5
|
+
```bash
|
|
6
|
+
npx pqcheck chase.com
|
|
7
|
+
```
|
|
8
|
+
|
|
9
|
+
That's it. No install. Works from any terminal with Node 18+.
|
|
10
|
+
|
|
11
|
+
---
|
|
12
|
+
|
|
13
|
+
## What it does
|
|
14
|
+
|
|
15
|
+
`pqcheck` scans any HTTPS domain and computes its **Decryption Blast Radius Score** — the first continuous metric for harvest-now-decrypt-later (HNDL) risk. Every other TLS scanner answers "is post-quantum cryptography enabled?" with a yes/no. `pqcheck` answers the question that actually matters: *if an adversary harvests this traffic today and decrypts it in 2035, how much past + future data unlocks?*
|
|
16
|
+
|
|
17
|
+
The score combines:
|
|
18
|
+
- **Cipher-class probing** — does the server accept RSA fallback even if it prefers ECDHE?
|
|
19
|
+
- **Certificate chain analysis** — including the intermediate cert (the chain's actual quantum failure point)
|
|
20
|
+
- **Public-key reuse across rotations** — detects when the same private key has been live across multiple cert renewals (often 4+ years at large enterprises)
|
|
21
|
+
- **Subject scale** — wildcard certs and subdomain count multiplying the blast radius
|
|
22
|
+
|
|
23
|
+
## Example
|
|
24
|
+
|
|
25
|
+
```
|
|
26
|
+
$ npx pqcheck chase.com
|
|
27
|
+
|
|
28
|
+
chase.com
|
|
29
|
+
─────────────────────────────────────
|
|
30
|
+
PUBLIC SURFACE BLAST RADIUS: 5.6 / 10 (MEDIUM)
|
|
31
|
+
|
|
32
|
+
Public surface signals:
|
|
33
|
+
• TLS: TLSv1.3 (TLS_AES_128_GCM_SHA256)
|
|
34
|
+
• Hybrid PQC: no
|
|
35
|
+
• Cert expires: in 127 days
|
|
36
|
+
• HSTS: not detected
|
|
37
|
+
• Subdomains: 47 (wildcard cert)
|
|
38
|
+
|
|
39
|
+
Findings:
|
|
40
|
+
[HIGH] Same RSA-2048 key reused for 4.2 years across 3 cert rotations
|
|
41
|
+
[HIGH] ECDHE-only — quantum-vulnerable key exchange
|
|
42
|
+
[MED] Wildcard cert spans 47 subdomains
|
|
43
|
+
|
|
44
|
+
⚠ This is the PUBLIC surface only.
|
|
45
|
+
Internal Blast Radius is typically 12–40× the public score.
|
|
46
|
+
|
|
47
|
+
Plain-English impact:
|
|
48
|
+
If quantum decryption arrives in 2030–2040, harvested traffic from
|
|
49
|
+
chase.com (US banks) would unlock 4.2 years of session data, across
|
|
50
|
+
47 subdomains under one wildcard cert.
|
|
51
|
+
|
|
52
|
+
→ Full report: https://quantapact.com/?check=chase.com
|
|
53
|
+
```
|
|
54
|
+
|
|
55
|
+
## Usage
|
|
56
|
+
|
|
57
|
+
```
|
|
58
|
+
npx pqcheck <domain> Scan and print human-readable report
|
|
59
|
+
npx pqcheck <domain> --json Output raw JSON for piping / scripting
|
|
60
|
+
npx pqcheck --help Show all options
|
|
61
|
+
npx pqcheck --version Show version
|
|
62
|
+
```
|
|
63
|
+
|
|
64
|
+
The `--json` flag is useful for integrating into CI / monitoring tools:
|
|
65
|
+
|
|
66
|
+
```bash
|
|
67
|
+
# In a GitHub Actions workflow:
|
|
68
|
+
SCORE=$(npx pqcheck mybank.com --json | jq '.score')
|
|
69
|
+
if (( $(echo "$SCORE > 7" | bc -l) )); then
|
|
70
|
+
echo "Score regressed above threshold"; exit 1
|
|
71
|
+
fi
|
|
72
|
+
```
|
|
73
|
+
|
|
74
|
+
## Web version
|
|
75
|
+
|
|
76
|
+
Same scanner, browser-friendly UI: **[quantapact.com](https://quantapact.com)**
|
|
77
|
+
|
|
78
|
+
Shareable per-domain reports at `quantapact.com/r/<domain>` — the URL unfurls in Twitter / Slack / LinkedIn with a dynamically-generated card showing the grade.
|
|
79
|
+
|
|
80
|
+
## Public leaderboard
|
|
81
|
+
|
|
82
|
+
Sector rankings updated nightly across:
|
|
83
|
+
|
|
84
|
+
- US Banks (20 peers)
|
|
85
|
+
- US Healthcare Systems (20 peers)
|
|
86
|
+
- Major SaaS / Cloud Platforms (30 peers)
|
|
87
|
+
- US Federal Government (25 peers)
|
|
88
|
+
- Major EU & UK Banks (25 peers)
|
|
89
|
+
- US Defense Contractors (15 peers)
|
|
90
|
+
- Global Automakers (15 peers)
|
|
91
|
+
- Global News & Media (15 peers)
|
|
92
|
+
- US Telecom & ISPs (15 peers)
|
|
93
|
+
- US Airlines (10 peers)
|
|
94
|
+
- UK Government & Public Services (15 peers)
|
|
95
|
+
|
|
96
|
+
→ **[quantapact.com/leaderboard.html](https://quantapact.com/leaderboard.html)**
|
|
97
|
+
|
|
98
|
+
## Methodology
|
|
99
|
+
|
|
100
|
+
The Decryption Blast Radius scoring methodology is fully open and documented at **[quantapact.com/methodology](https://quantapact.com/methodology)**. Citable; methodology paper coming soon.
|
|
101
|
+
|
|
102
|
+
## Privacy
|
|
103
|
+
|
|
104
|
+
`pqcheck` sends the domain you scan to the Quantapact API (so the actual TLS handshake can be performed from the public internet). No other data is sent — no email, no IP-tied identifier, nothing client-side. The server-side `/api/scan` endpoint stores anonymous scan results in a 30-minute cache to avoid duplicate scans of the same domain. See [quantapact.com/privacy](https://quantapact.com/privacy) for full details.
|
|
105
|
+
|
|
106
|
+
## License
|
|
107
|
+
|
|
108
|
+
MIT. © 2026 Quantapact.
|
|
109
|
+
|
|
110
|
+
## Disclaimer
|
|
111
|
+
|
|
112
|
+
`pqcheck` measures only the **public** surface of a domain — what's observable from the open internet. Internal Blast Radius (east-west traffic, internal databases, VPN tunnels, backup pipelines) is typically 12–40× the public score depending on sector. A passing public-surface grade does **not** mean low internal exposure.
|
package/bin/pqcheck.js
CHANGED
|
@@ -7,7 +7,7 @@
|
|
|
7
7
|
// =============================================================================
|
|
8
8
|
|
|
9
9
|
const API_BASE = process.env.PQCHECK_API_BASE || "https://quantapact.com";
|
|
10
|
-
const VERSION = "0.1.
|
|
10
|
+
const VERSION = "0.1.1";
|
|
11
11
|
|
|
12
12
|
const ANSI = {
|
|
13
13
|
reset: "\x1b[0m",
|
|
@@ -137,6 +137,8 @@ function printReport(r) {
|
|
|
137
137
|
}
|
|
138
138
|
|
|
139
139
|
console.log(color("violet", ` → Full report: ${API_BASE}/?check=${encodeURIComponent(r.domain)}`));
|
|
140
|
+
console.log(color("dim", ` → Share this: ${API_BASE}/r/${encodeURIComponent(r.domain)}`));
|
|
141
|
+
console.log(color("dim", ` → Compare two: ${API_BASE}/compare?a=${encodeURIComponent(r.domain)}&b=`));
|
|
140
142
|
console.log("");
|
|
141
143
|
}
|
|
142
144
|
|
package/package.json
CHANGED
|
@@ -1,20 +1,29 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "pqcheck",
|
|
3
|
-
"version": "0.1.
|
|
4
|
-
"description": "
|
|
3
|
+
"version": "0.1.1",
|
|
4
|
+
"description": "Decryption Blast Radius scanner — find out how much of your data unlocks when quantum decryption arrives.",
|
|
5
5
|
"keywords": [
|
|
6
6
|
"post-quantum",
|
|
7
7
|
"cryptography",
|
|
8
8
|
"security",
|
|
9
9
|
"tls",
|
|
10
|
+
"ssl",
|
|
10
11
|
"scanner",
|
|
11
12
|
"harvest-now-decrypt-later",
|
|
12
13
|
"hndl",
|
|
13
14
|
"blast-radius",
|
|
14
|
-
"pqc"
|
|
15
|
+
"pqc",
|
|
16
|
+
"quantum",
|
|
17
|
+
"crypto-audit",
|
|
18
|
+
"crypto-inventory"
|
|
15
19
|
],
|
|
16
20
|
"homepage": "https://quantapact.com",
|
|
17
21
|
"bugs": "https://quantapact.com",
|
|
22
|
+
"repository": {
|
|
23
|
+
"type": "git",
|
|
24
|
+
"url": "https://github.com/mzon7/quantapact.git",
|
|
25
|
+
"directory": "cli"
|
|
26
|
+
},
|
|
18
27
|
"license": "MIT",
|
|
19
28
|
"author": "Quantapact",
|
|
20
29
|
"type": "module",
|
|
@@ -25,6 +34,7 @@
|
|
|
25
34
|
"pqcheck": "./bin/pqcheck.js"
|
|
26
35
|
},
|
|
27
36
|
"files": [
|
|
28
|
-
"bin/"
|
|
37
|
+
"bin/",
|
|
38
|
+
"README.md"
|
|
29
39
|
]
|
|
30
40
|
}
|