Cipherwake — TLS, Cert Hygiene & HNDL Scanner
Live HNDL grade + supply-chain change detection + cert hygiene. Flags new third-party scripts (Polyfill.io-style) instantly.
As of June 2026, Cipherwake — TLS, Cert Hygiene & HNDL Scanner has 3 users in the Developer Tools category.
Users: 3 (no change, 0%)
Rating: — (no change, 0%), — reviews
Reviews: — (no change, 0%)
Version: 0.6.7 (Manifest V3)
90-day change · In the last 90 days this extension had 2 version updates and changed permissions.
History
5 snapshots. Tracking since May 12, 2026.
| Date | Users | Rating | Reviews | Version |
|---|---|---|---|---|
| May 12, 2026 | — | — | — | 0.2.0 |
| May 17, 2026 | — | — | — | 0.2.0 |
| May 31, 2026 | — | — | — | 0.3.14 |
| Jun 6, 2026 | — | — | — | 0.6.7 |
| Jun 20, 2026 | 1 | — | — | 0.6.7 |
| Now | 3 | — | — | 0.6.7 |
Changelog
- May 31, 2026 · description
Quantapact is a daily-driver security extension for every HTTPS site you visit. The toolbar badge shows the grade at a glance; the popup answers four high-value security questions other tools don't combine in one place. THE FOUR KILLER SIGNALS 1. SUPPLY-CHAIN CHANGE DETECTION — Quantapact remembers every third-party script loaded on each site you visit. The instant a NEW script appears on a site you've visited before (Polyfill.io / SolarWinds-style supply-chain compromise), the popup flags it in red. Nothing else does this in real time, from the browser, for free. 2. LIVE PROGRESSIVE SCAN — when you open the popup, you watch each probe complete in real time: TLS handshake, certificate chain, cipher class, CT log query, key reuse history, email security, HTTP headers. SSL Labs-style per-component progress, not a fake-loading spinner. The score lands when the slowest probe finishes (usually 3-15 seconds). 3. HARVEST-NOW-DECRYPT-LATER (HNDL) GRADE — every HTTPS site gets a Decryption Blast Radius score (0-10, A-F). The continuous score that quantifies "how much past and future traffic unlocks if an adversary captures one handshake today and decrypts it post-quantum." Continuous, not a yes/no checkbox like every other PQC tool. 4. CERT HYGIENE + KEY PERSISTENCE + SECURITY HEADERS + EMAIL AUTH — cert expiry tracking (with lifetime-aware logic — Let's Encrypt 14-day rotation reads as best practice, not "expiring"), wildcard discipline, the Quantapact-unique "your cert rotated but the same private key kept signing it" signal (Heartbleed / SolarWinds lesson), HSTS / CSP / X-Frame-Options / Referrer-Policy / Permissions-Policy, plus DMARC / SPF / DKIM at the domain level. At-a-glance vs DevTools squinting. SUPPLY CHAIN TAB For every third-party script the active page loads: • NEW pill since last visit — red flag, supply-chain compromise detector • Vendor categorization — "Google Tag Manager · analytics", "Adobe Fonts · fonts", etc. 
Unknown hosts get a heuristic category like "cdn (inferred)" • SRI status — ✓ integrity hash present, or 🔓 missing (vendor can swap code silently) • Site-wide CSP enforcement verdict — strict / weak (uses unsafe-inline or wildcards) / absent • HNDL grade for each vendor — vendor crypto hygiene • Click any row to expand a compact drill-down with top findings, or open the full /r/<vendor> report in a new tab Real-world example: when Polyfill.io was compromised in 2024 (sold to a hostile party, malware injected), Quantapact's NEW pill would have caught it on the first affected page load — every site loading polyfill.io would have seen the script flagged immediately. WHAT THE TOOLBAR BADGE MEANS A letter grade A-F for the active tab's domain. Green A = low exposure. Red F = bad across the board. Hover for context. Click for the full popup. PERMISSIONS EXPLAINED (READ THIS) Chrome's install dialog mentions "Read and change all your data on the websites you visit." Here's what that means in practice: • The extension's content script runs on every HTTPS page and reads the src/href attribute values of <script>, <link>, and <iframe> elements, plus the page's Content-Security-Policy header. This is what enables the supply-chain change detection. • That's the only use. We do NOT read page text, form values, cookies, localStorage, passwords, or any DOM data outside of those specific element attributes. • The same warning appears for every URL-aware security extension (Wappalyzer, Privacy Badger, uBlock Origin) — it's the only Chrome permission that lets a security extension see what's actually loading on a page.
WHAT THE EXTENSION DOES NOT TOUCH • Page text content — no innerText / innerHTML access • URL paths and query strings — only hostname + script src attributes • Cookies (no cookies permission requested) • localStorage / sessionStorage of the page (no permission requested) • Form data — no access to logins, passwords, payment fields • Browsing history (no history API) • Other tabs (only the active tab via activeTab + content scripts on visited pages) • Identity / sign-in state (no auth) NO TELEMETRY. NO ACCOUNTS. NO TRACKING. Outbound requests go only to quantapact.com/api/scan and quantapact.com/api/scan-stream to fetch grades. Cached aggressively. The same public API anyone can call directly with `npx pqcheck domain.com`. Open source — search for tabs.onUpdated to see exactly what's done with each URL. OPEN METHODOLOGY Every part of the scoring rubric is published openly. Cite-worthy. No black-box scoring like the vendor-risk competitors. • Methodology library: quantapact.com/methodology • Schema (committable to your repo): quantapact.com/schemas/qxm/v1 • Source code in the public repo WHO THIS IS FOR Security engineers, devsecops, vendor-risk teams, and anyone investigating the cryptographic posture of sites their organization depends on. Useful daily for cert-expiry-aware sysadmins; uniquely valuable for crypto-fluent users who want HNDL visibility no other extension provides — plus real-time alerts when those sites quietly add new third-party scripts. 
LIMITATIONS WORTH KNOWING • Public-surface only — internal Blast Radius is empirically 12-40× this score • Domain-level scoring — two URLs on the same hostname show the same grade • HTTPS only — http://, chrome://, file://, localhost, and IPv4 literals are not scanned • Some upstream probes occasionally time out for huge volatile domains; rows show a spinner during retry, then a clickable ↻ retry icon if persistently failing • Grade reflects HNDL Blast Radius + cert hygiene contributors — it is NOT a verdict on XSS protection, auth posture, or general site safety Free forever. Open methodology. No accounts. Part of the Quantapact public-utility scanner.
Cipherwake is a daily-driver security extension for every HTTPS site you visit. The toolbar badge shows the grade at a glance; the popup answers four high-value security questions other tools don't combine in one place. THE FOUR KILLER SIGNALS 1. SUPPLY-CHAIN CHANGE DETECTION — Cipherwake remembers every third-party script loaded on each site you visit. The instant a NEW script appears on a site you've visited before (Polyfill.io / SolarWinds-style supply-chain compromise), the popup flags it in red. Nothing else does this in real time, from the browser, for free. 2. LIVE PROGRESSIVE SCAN — when you open the popup, you watch each probe complete in real time: TLS handshake, certificate chain, cipher class, CT log query, key reuse history, email security, HTTP headers. SSL Labs-style per-component progress, not a fake-loading spinner. The score lands when the slowest probe finishes (usually 3-15 seconds). 3. HARVEST-NOW-DECRYPT-LATER (HNDL) GRADE — every HTTPS site gets a Decryption Blast Radius score (0-10, A-F). The continuous score that quantifies "how much past and future traffic unlocks if an adversary captures one handshake today and decrypts it post-quantum." Continuous, not a yes/no checkbox like every other PQC tool. 4.
CERT HYGIENE + KEY PERSISTENCE + SECURITY HEADERS + EMAIL AUTH — cert expiry tracking (with lifetime-aware logic — Let's Encrypt 14-day rotation reads as best practice, not "expiring"), wildcard discipline, the Cipherwake-unique "your cert rotated but the same private key kept signing it" signal (Heartbleed / SolarWinds lesson), HSTS / CSP / X-Frame-Options / Referrer-Policy / Permissions-Policy, plus DMARC / SPF / DKIM at the domain level. At-a-glance vs DevTools squinting. SUPPLY CHAIN TAB For every third-party script the active page loads: • NEW pill since last visit — red flag, supply-chain compromise detector • Vendor categorization — "Google Tag Manager · analytics", "Adobe Fonts · fonts", etc. Unknown hosts get a heuristic category like "cdn (inferred)" • SRI status — ✓ integrity hash present, or 🔓 missing (vendor can swap code silently) • Site-wide CSP enforcement verdict — strict / weak (uses unsafe-inline or wildcards) / absent • HNDL grade for each vendor — vendor crypto hygiene • Click any row to expand a compact drill-down with top findings, or open the full /r/<vendor> report in a new tab Real-world example: when Polyfill.io was compromised in 2024 (sold to a hostile party, malware injected), Cipherwake's NEW pill would have caught it on the first affected page load — every site loading polyfill.io would have seen the script flagged immediately. WHAT THE TOOLBAR BADGE MEANS A letter grade A-F for the active tab's domain. Green A = low exposure. Red F = bad across the board. Hover for context. Click for the full popup. PERMISSIONS EXPLAINED (READ THIS) Chrome's install dialog mentions "Read and change all your data on the websites you visit." Here's what that means in practice: • The extension's content script runs on every HTTPS page and reads the src/href attribute values of <script>, <link>, and <iframe> elements, plus the page's Content-Security-Policy header. This is what enables the supply-chain change detection. • That's the only use. 
We do NOT read page text, form values, cookies, localStorage, passwords, or any DOM data outside of those specific element attributes. • The same warning appears for every URL-aware security extension (Wappalyzer, Privacy Badger, uBlock Origin) — it's the only Chrome permission that lets a security extension see what's actually loading on a page. WHAT THE EXTENSION DOES NOT TOUCH • Page text content — no innerText / innerHTML access • URL paths and query strings — only hostname + script src attributes • Cookies (no cookies permission requested) • localStorage / sessionStorage of the page (no permission requested) • Form data — no access to logins, passwords, payment fields • Browsing history (no history API) • Other tabs (only the active tab via activeTab + content scripts on visited pages) • Identity / sign-in state (no auth) NO TELEMETRY. NO ACCOUNTS. NO TRACKING. Outbound requests go only to cipherwake.io/api/scan and cipherwake.io/api/scan-stream to fetch grades. Cached aggressively. The same public API anyone can call directly with `npx pqcheck domain.com`. Open source — search for tabs.onUpdated to see exactly what's done with each URL. OPEN METHODOLOGY Every part of the scoring rubric is published openly. Cite-worthy. No black-box scoring like the vendor-risk competitors. • Methodology library: cipherwake.io/methodology • Score weights, probe definitions, and thresholds: cipherwake.io/methodology/score-components • Source code in the public repo: github.com/cipherwakelabs/pqcheck WHO THIS IS FOR Security engineers, devsecops, vendor-risk teams, and anyone investigating the cryptographic posture of sites their organization depends on. Useful daily for cert-expiry-aware sysadmins; uniquely valuable for crypto-fluent users who want HNDL visibility no other extension provides — plus real-time alerts when those sites quietly add new third-party scripts. 
LIMITATIONS WORTH KNOWING • Public-surface only — internal Blast Radius is empirically 12-40× this score • Domain-level scoring — two URLs on the same hostname show the same grade • HTTPS only — http://, chrome://, file://, localhost, and IPv4 literals are not scanned • Some upstream probes occasionally time out for huge volatile domains; rows show a spinner during retry, then a clickable ↻ retry icon if persistently failing • Grade reflects HNDL Blast Radius + cert hygiene contributors — it is NOT a verdict on XSS protection, auth posture, or general site safety Free forever. Open methodology. No accounts. Part of the Cipherwake public-utility scanner.
- May 31, 2026 · name
Quantapact — TLS, Cert Hygiene & HNDL Scanner
Cipherwake — TLS, Cert Hygiene & HNDL Scanner
- May 17, 2026 · description
Quantapact shows you the harvest-now-decrypt-later (HNDL) crypto exposure for every HTTPS site you visit, from two angles in a single popup. WHAT THE BADGE MEANS The toolbar icon shows a letter grade (A-F) for the active tab's domain — based on the site's Decryption Blast Radius score (DBR), a continuous 0-10 number we publish openly at quantapact.com/methodology. A green "A" means low public-surface HNDL exposure. A red "F" means recorded TLS sessions today are likely decryptable when a cryptographically-relevant quantum computer arrives — projected 2030-2040 by NIST IR 8547 and NSA CNSA 2.0. TWO TABS IN THE POPUP SCORE — the active site's grade, the four weighted score components (key exchange, cert lifetime, key persistence, subdomain scale), and the top three findings. One click to the full report on quantapact.com. DEPENDENCIES — every third-party script, stylesheet, and iframe loaded on the active page, each scored individually for HNDL exposure. Click "Scan dependencies" to enumerate them. Scripts from CDNs, analytics providers, auth services, payment processors, etc. are grouped under their parent vendor (e.g., 8 google.com subdomains collapse into one "Google Tag Manager" row). First-party scripts (owned by the site you're visiting) are tagged with a green "first-party" badge. Sort and filter by grade or type. Most security extensions show you whether YOUR site is configured correctly. Quantapact also shows you which of your VENDORS' crypto postures you're inheriting just by loading their JavaScript. PRIVACY (READ THIS) The extension reads two things, and only when you ask: 1. The hostname of the active tab's URL — used to score the top-level site. 2. The href / src attribute values of <script>, <link>, and <iframe> elements on the active page — only when you open the Dependencies tab and click "Scan dependencies." This uses chrome.scripting.executeScript with a small read-only function bundled in the extension. 
It does NOT read: - Page text content (no innerText / innerHTML access) - Cookies (no cookies permission requested) - localStorage (no permission requested) - Form data (no access to logins, passwords, payment fields) - Browsing history (no history permission) - Other tabs (only the active tab via activeTab) - Identity / sign-in state (no auth) NO TELEMETRY. NO ACCOUNTS. NO TRACKING. Outbound requests go ONLY to quantapact.com/api/scan to fetch grades for the active hostname and for each enumerated third-party host. Cached aggressively: 30 minutes for top-level grades, 24 hours for third-party grades. The same public API anyone can call directly with `npx pqcheck domain.com`. OPEN METHODOLOGY Every part of the scoring rubric is published openly. Cite-worthy. No black-box scoring like the vendor-risk competitors. - Methodology library: quantapact.com/methodology - Schema (committable to your repo): quantapact.com/schemas/qxm/v1 - Source code in the public repo WHO THIS IS FOR Security engineers, vendor-risk teams, and anyone who wants ambient awareness of which sites they trust today have weak post-quantum-cryptography (PQC) posture — plus a real-time view of the third-party crypto exposure they inherit by loading those sites' scripts. LIMITATIONS WORTH KNOWING - Public-surface only — internal Blast Radius is empirically 12-40x this score. - Domain-level scoring — two URLs on the same hostname show the same grade. - HTTPS only — http://, chrome://, file://, localhost, and IPv4 literals are not scanned. - 30-min top-level cache — recent posture changes (e.g. cert rotation) won't show until cache expiry. - Dependencies tab is user-triggered — it does not run automatically; you click Scan when you want it. - Dynamic scripts (loaded via JS after page load) may not be captured if you scan before they load. Refresh the page and re-scan if you suspect missed scripts. 
- Not a security verdict — a green "A" means low HNDL exposure, not that the site has good XSS protection / CSP / 2FA. This extension is part of the Quantapact public-utility scanner. Free forever, open methodology, no accounts.
Quantapact is a daily-driver security extension for every HTTPS site you visit. The toolbar badge shows the grade at a glance; the popup answers four high-value security questions other tools don't combine in one place. THE FOUR KILLER SIGNALS 1. SUPPLY-CHAIN CHANGE DETECTION — Quantapact remembers every third-party script loaded on each site you visit. The instant a NEW script appears on a site you've visited before (Polyfill.io / SolarWinds-style supply-chain compromise), the popup flags it in red. Nothing else does this in real time, from the browser, for free. 2. LIVE PROGRESSIVE SCAN — when you open the popup, you watch each probe complete in real time: TLS handshake, certificate chain, cipher class, CT log query, key reuse history, email security, HTTP headers. SSL Labs-style per-component progress, not a fake-loading spinner. The score lands when the slowest probe finishes (usually 3-15 seconds). 3. HARVEST-NOW-DECRYPT-LATER (HNDL) GRADE — every HTTPS site gets a Decryption Blast Radius score (0-10, A-F). The continuous score that quantifies "how much past and future traffic unlocks if an adversary captures one handshake today and decrypts it post-quantum." Continuous, not a yes/no checkbox like every other PQC tool. 4. CERT HYGIENE + KEY PERSISTENCE + SECURITY HEADERS + EMAIL AUTH — cert expiry tracking (with lifetime-aware logic — Let's Encrypt 14-day rotation reads as best practice, not "expiring"), wildcard discipline, the Quantapact-unique "your cert rotated but the same private key kept signing it" signal (Heartbleed / SolarWinds lesson), HSTS / CSP / X-Frame-Options / Referrer-Policy / Permissions-Policy, plus DMARC / SPF / DKIM at the domain level. At-a-glance vs DevTools squinting.
SUPPLY CHAIN TAB For every third-party script the active page loads: • NEW pill since last visit — red flag, supply-chain compromise detector • Vendor categorization — "Google Tag Manager · analytics", "Adobe Fonts · fonts", etc. Unknown hosts get a heuristic category like "cdn (inferred)" • SRI status — ✓ integrity hash present, or 🔓 missing (vendor can swap code silently) • Site-wide CSP enforcement verdict — strict / weak (uses unsafe-inline or wildcards) / absent • HNDL grade for each vendor — vendor crypto hygiene • Click any row to expand a compact drill-down with top findings, or open the full /r/<vendor> report in a new tab Real-world example: when Polyfill.io was compromised in 2024 (sold to a hostile party, malware injected), Quantapact's NEW pill would have caught it on the first affected page load — every site loading polyfill.io would have seen the script flagged immediately. WHAT THE TOOLBAR BADGE MEANS A letter grade A-F for the active tab's domain. Green A = low exposure. Red F = bad across the board. Hover for context. Click for the full popup. PERMISSIONS EXPLAINED (READ THIS) Chrome's install dialog mentions "Read and change all your data on the websites you visit." Here's what that means in practice: • The extension's content script runs on every HTTPS page and reads the src/href attribute values of <script>, <link>, and <iframe> elements, plus the page's Content-Security-Policy header. This is what enables the supply-chain change detection. • That's the only use. We do NOT read page text, form values, cookies, localStorage, passwords, or any DOM data outside of those specific element attributes. • The same warning appears for every URL-aware security extension (Wappalyzer, Privacy Badger, uBlock Origin) — it's the only Chrome permission that lets a security extension see what's actually loading on a page.
WHAT THE EXTENSION DOES NOT TOUCH • Page text content — no innerText / innerHTML access • URL paths and query strings — only hostname + script src attributes • Cookies (no cookies permission requested) • localStorage / sessionStorage of the page (no permission requested) • Form data — no access to logins, passwords, payment fields • Browsing history (no history API) • Other tabs (only the active tab via activeTab + content scripts on visited pages) • Identity / sign-in state (no auth) NO TELEMETRY. NO ACCOUNTS. NO TRACKING. Outbound requests go only to quantapact.com/api/scan and quantapact.com/api/scan-stream to fetch grades. Cached aggressively. The same public API anyone can call directly with `npx pqcheck domain.com`. Open source — search for tabs.onUpdated to see exactly what's done with each URL. OPEN METHODOLOGY Every part of the scoring rubric is published openly. Cite-worthy. No black-box scoring like the vendor-risk competitors. • Methodology library: quantapact.com/methodology • Schema (committable to your repo): quantapact.com/schemas/qxm/v1 • Source code in the public repo WHO THIS IS FOR Security engineers, devsecops, vendor-risk teams, and anyone investigating the cryptographic posture of sites their organization depends on. Useful daily for cert-expiry-aware sysadmins; uniquely valuable for crypto-fluent users who want HNDL visibility no other extension provides — plus real-time alerts when those sites quietly add new third-party scripts. 
LIMITATIONS WORTH KNOWING • Public-surface only — internal Blast Radius is empirically 12-40× this score • Domain-level scoring — two URLs on the same hostname show the same grade • HTTPS only — http://, chrome://, file://, localhost, and IPv4 literals are not scanned • Some upstream probes occasionally time out for huge volatile domains; rows show a spinner during retry, then a clickable ↻ retry icon if persistently failing • Grade reflects HNDL Blast Radius + cert hygiene contributors — it is NOT a verdict on XSS protection, auth posture, or general site safety Free forever. Open methodology. No accounts. Part of the Quantapact public-utility scanner.
- May 17, 2026 · short_description
See your full crypto exposure on every HTTPS site: post-quantum (HNDL) grade + third-party scripts.
Live HNDL grade + supply-chain change detection + cert hygiene. Flags new third-party scripts (Polyfill.io-style) instantly.
- May 17, 2026 · name
Quantapact — Quantum-Decryption Risk
Quantapact — TLS, Cert Hygiene & HNDL Scanner
- May 17, 2026 · host_permissions
https://www.quantapact.com/*, https://quantapact.com/*
https://*/*
- May 17, 2026 · permissions
activeTab, storage, scripting
activeTab, tabs, storage, scripting, contextMenus
Permissions & access
- Permissions: activeTab, tabs, storage, scripting, contextMenus
- Host access: https://*/*
About
Cipherwake is a daily-driver security extension for every HTTPS site you visit. The toolbar badge shows the grade at a glance; the popup answers four high-value security questions other tools don't combine in one place.

THE FOUR KILLER SIGNALS

1. SUPPLY-CHAIN CHANGE DETECTION — Cipherwake remembers every third-party script loaded on each site you visit. The instant a NEW script appears on a site you've visited before (Polyfill.io / SolarWinds-style supply-chain compromise), the popup flags it in red. Nothing else does this in real time, from the browser, for free.
2. LIVE PROGRESSIVE SCAN — when you open the popup, you watch each probe complete in real time: TLS handshake, certificate chain, cipher class, CT log query, key reuse history, email security, HTTP headers. SSL Labs-style per-component progress, not a fake-loading spinner. The score lands when the slowest probe finishes (usually 3-15 seconds).
3. HARVEST-NOW-DECRYPT-LATER (HNDL) GRADE — every HTTPS site gets a Decryption Blast Radius score (0-10, A-F). The continuous score that quantifies "how much past and future traffic unlocks if an adversary captures one handshake today and decrypts it post-quantum." Continuous, not a yes/no checkbox like every other PQC tool.
4. CERT HYGIENE + KEY PERSISTENCE + SECURITY HEADERS + EMAIL AUTH — cert expiry tracking (with lifetime-aware logic — Let's Encrypt 14-day rotation reads as best practice, not "expiring"), wildcard discipline, the Cipherwake-unique "your cert rotated but the same private key kept signing it" signal (Heartbleed / SolarWinds lesson), HSTS / CSP / X-Frame-Options / Referrer-Policy / Permissions-Policy, plus DMARC / SPF / DKIM at the domain level. At-a-glance vs DevTools squinting.

SUPPLY CHAIN TAB

For every third-party script the active page loads:
• NEW pill since last visit — red flag, supply-chain compromise detector
• Vendor categorization — "Google Tag Manager · analytics", "Adobe Fonts · fonts", etc. Unknown hosts get a heuristic category like "cdn (inferred)"
• SRI status — ✓ integrity hash present, or 🔓 missing (vendor can swap code silently)
• Site-wide CSP enforcement verdict — strict / weak (uses unsafe-inline or wildcards) / absent
• HNDL grade for each vendor — vendor crypto hygiene
• Click any row to expand a compact drill-down with top findings, or open the full /r/<vendor> report in a new tab

Real-world example: when Polyfill.io was compromised in 2024 (sold to a hostile party, malware injected), Cipherwake's NEW pill would have caught it on the first affected page load — every site loading polyfill.io would have seen the script flagged immediately.

WHAT THE TOOLBAR BADGE MEANS

A letter grade A-F for the active tab's domain. Green A = low exposure. Red F = bad across the board. Hover for context. Click for the full popup.

PERMISSIONS EXPLAINED (READ THIS)

Chrome's install dialog mentions "Read and change all your data on the websites you visit." Here's what that means in practice:
• The extension's content script runs on every HTTPS page and reads the src/href attribute values of <script>, <link>, and <iframe> elements, plus the page's Content-Security-Policy header. This is what enables the supply-chain change detection.
• That's the only use. We do NOT read page text, form values, cookies, localStorage, passwords, or any DOM data outside of those specific element attributes.
• The same warning appears for every URL-aware security extension (Wappalyzer, Privacy Badger, uBlock Origin) — it's the only Chrome permission that lets a security extension see what's actually loading on a page.

WHAT THE EXTENSION DOES NOT TOUCH

• Page text content — no innerText / innerHTML access
• URL paths and query strings — only hostname + script src attributes
• Cookies (no cookies permission requested)
• localStorage / sessionStorage of the page (no permission requested)
• Form data — no access to logins, passwords, payment fields
• Browsing history (no history API)
• Other tabs (only the active tab via activeTab + content scripts on visited pages)
• Identity / sign-in state (no auth)

NO TELEMETRY. NO ACCOUNTS. NO TRACKING.

Outbound requests go only to cipherwake.io/api/scan and cipherwake.io/api/scan-stream to fetch grades. Cached aggressively. The same public API anyone can call directly with `npx pqcheck domain.com`. Open source — search for tabs.onUpdated to see exactly what's done with each URL.

OPEN METHODOLOGY

Every part of the scoring rubric is published openly. Cite-worthy. No black-box scoring like the vendor-risk competitors.
• Methodology library: cipherwake.io/methodology
• Score weights, probe definitions, and thresholds: cipherwake.io/methodology/score-components
• Source code in the public repo: github.com/cipherwakelabs/pqcheck

WHO THIS IS FOR

Security engineers, devsecops, vendor-risk teams, and anyone investigating the cryptographic posture of sites their organization depends on. Useful daily for cert-expiry-aware sysadmins; uniquely valuable for crypto-fluent users who want HNDL visibility no other extension provides — plus real-time alerts when those sites quietly add new third-party scripts.

LIMITATIONS WORTH KNOWING

• Public-surface only — internal Blast Radius is empirically 12-40× this score
• Domain-level scoring — two URLs on the same hostname show the same grade
• HTTPS only — http://, chrome://, file://, localhost, and IPv4 literals are not scanned
• Some upstream probes occasionally time out for huge volatile domains; rows show a spinner during retry, then a clickable ↻ retry icon if persistently failing
• Grade reflects HNDL Blast Radius + cert hygiene contributors — it is NOT a verdict on XSS protection, auth posture, or general site safety

Free forever. Open methodology. No accounts. Part of the Cipherwake public-utility scanner.
Technical
- Version: 0.6.7
- Manifest: V3
- Size: 96.33KiB
- Min Chrome: 88
- Languages: 1
- Featured: No
Metadata
- ID: ccfmcocbfomcbpglhanncieiobmgoall
- Developer ID: uc194d21625bc0d360377f909e7c33f4a
- Developer Email: [email protected]
- Created: May 11, 2026
- Last Updated (Store): May 30, 2026
- Last Scraped: Jun 20, 2026
- Website: —
- Support URL: https://www.cipherwake.io/feedback
- Privacy Policy: https://www.quantapact.com/privacy
Data sourced from the Chrome Web Store · last verified Jun 20, 2026.