← Knowledge base

Firefox

Is PQC enabled? — quick check

Chrome / Edge / Brave (DevTools — fully local)

# 1) Open a TLS 1.3 site you trust (your own, or any HTTPS host).
# 2) Press F12 → Security tab → click the origin under "Main origin".
# 3) Read "Connection" — it lists the negotiated key exchange group by name.
#
# Capability flag (offline):  chrome://flags#enable-tls13-kyber
# (renamed enable-tls13-mlkem in Chrome 131+)

Expected when PQC is ON

Connection - protocol: TLS 1.3,
  key exchange group: X25519MLKEM768,
  cipher: AES_256_GCM

What you'll see when PQC is OFF

Connection - protocol: TLS 1.3,
  key exchange group: X25519,
  cipher: AES_256_GCM

DevTools reads the negotiated group from the live connection state in the renderer — no network call leaves the page. Firefox: about:config → security.tls.enable_kyber = true; Safari has no PQ in WebKit yet.

Firefox 132 (Oct 2024) added X25519MLKEM768 behind a flag. Firefox 135 (Feb 2025) enabled it by default for Release. NSS — the TLS library shared with Thunderbird and other Mozilla products — gained the same support.

How to check

  1. Open about:config.
  2. Look up security.tls.enable_kyber (legacy name, kept for compatibility).
  3. It should be true on Firefox 135+.

Force-enable on older builds

If you're on an enterprise ESR or older Release: set security.tls.enable_kyber = true. Restart the browser.

Verify the negotiation

Visit pq.cloudflareresearch.com or run CheckPQC on your browser.

References

Run the check on your browser →