Quantapact — TLS, Cert Hygiene & HNDL Scanner
Overview
Live HNDL grade + supply-chain change detection + cert hygiene. Flags new third-party scripts (Polyfill.io-style) instantly.
Quantapact is a daily-driver security extension for every HTTPS site you visit. The toolbar badge shows the grade at a glance; the popup answers four high-value security questions other tools don't combine in one place.

THE FOUR KILLER SIGNALS

1. SUPPLY-CHAIN CHANGE DETECTION — Quantapact remembers every third-party script loaded on each site you visit. The instant a NEW script appears on a site you've visited before (Polyfill.io / SolarWinds-style supply-chain compromise), the popup flags it in red. Nothing else does this in real time, from the browser, for free.

2. LIVE PROGRESSIVE SCAN — when you open the popup, you watch each probe complete in real time: TLS handshake, certificate chain, cipher class, CT log query, key reuse history, email security, HTTP headers. SSL Labs-style per-component progress, not a fake-loading spinner. The score lands when the slowest probe finishes (usually 3-15 seconds).

3. HARVEST-NOW-DECRYPT-LATER (HNDL) GRADE — every HTTPS site gets a Decryption Blast Radius score (0-10, A-F). It is a continuous score that quantifies "how much past and future traffic unlocks if an adversary captures one handshake today and decrypts it post-quantum." Continuous, not a yes/no checkbox like every other PQC tool.

4. CERT HYGIENE + KEY PERSISTENCE + SECURITY HEADERS + EMAIL AUTH — cert expiry tracking (with lifetime-aware logic — Let's Encrypt 14-day rotation reads as best practice, not "expiring"), wildcard discipline, the Quantapact-unique "your cert rotated but the same private key kept signing it" signal (Heartbleed / SolarWinds lesson), HSTS / CSP / X-Frame-Options / Referrer-Policy / Permissions-Policy, plus DMARC / SPF / DKIM at the domain level. At-a-glance vs DevTools squinting.

SUPPLY CHAIN TAB

For every third-party script the active page loads:
• NEW pill since last visit — red flag, supply-chain compromise detector
• Vendor categorization — "Google Tag Manager · analytics", "Adobe Fonts · fonts", etc. Unknown hosts get a heuristic category like "cdn (inferred)"
• SRI status — ✓ integrity hash present, or 🔓 missing (vendor can swap code silently)
• Site-wide CSP enforcement verdict — strict / weak (uses unsafe-inline or wildcards) / absent
• HNDL grade for each vendor — vendor crypto hygiene
• Click any row to expand a compact drill-down with top findings, or open the full /r/<vendor> report in a new tab

Real-world example: when Polyfill.io was compromised in 2024 (sold to a hostile party, malware injected), Quantapact's NEW pill would have caught it on the first affected page load — every site loading polyfill.io would have seen the script flagged immediately.

WHAT THE TOOLBAR BADGE MEANS

A letter grade A-F for the active tab's domain. Green A = low exposure. Red F = bad across the board. Hover for context. Click for the full popup.

PERMISSIONS EXPLAINED (READ THIS)

Chrome's install dialog mentions "Read and change all your data on the websites you visit." Here's what that means in practice:
• The extension's content script runs on every HTTPS page and reads the src/href attribute values of <script>, <link>, and <iframe> elements, plus the page's Content-Security-Policy header. This is what enables the supply-chain change detection.
• That's the only use. We do NOT read page text, form values, cookies, localStorage, passwords, or any DOM data outside of those specific element attributes.
• The same warning appears for every URL-aware security extension (Wappalyzer, Privacy Badger, uBlock Origin) — it's the only Chrome permission that lets a security extension see what's actually loading on a page.

WHAT THE EXTENSION DOES NOT TOUCH

• Page text content — no innerText / innerHTML access
• URL paths and query strings — only hostname + script src attributes
• Cookies (no cookies permission requested)
• localStorage / sessionStorage of the page (no permission requested)
• Form data — no access to logins, passwords, payment fields
• Browsing history (no history API)
• Other tabs (only the active tab via activeTab + content scripts on visited pages)
• Identity / sign-in state (no auth)

NO TELEMETRY. NO ACCOUNTS. NO TRACKING.

Outbound requests go only to quantapact.com/api/scan and quantapact.com/api/scan-stream to fetch grades. Cached aggressively. The same public API anyone can call directly with `npx pqcheck domain.com`. Open source — search for tabs.onUpdated to see exactly what's done with each URL.

OPEN METHODOLOGY

Every part of the scoring rubric is published openly. Cite-worthy. No black-box scoring like the vendor-risk competitors.
• Methodology library: quantapact.com/methodology
• Schema (committable to your repo): quantapact.com/schemas/qxm/v1
• Source code in the public repo

WHO THIS IS FOR

Security engineers, devsecops, vendor-risk teams, and anyone investigating the cryptographic posture of sites their organization depends on. Useful daily for cert-expiry-aware sysadmins; uniquely valuable for crypto-fluent users who want HNDL visibility no other extension provides — plus real-time alerts when those sites quietly add new third-party scripts.

LIMITATIONS WORTH KNOWING

• Public-surface only — internal Blast Radius is empirically 12-40× this score
• Domain-level scoring — two URLs on the same hostname show the same grade
• HTTPS only — http://, chrome://, file://, localhost, and IPv4 literals are not scanned
• Some upstream probes occasionally time out for huge volatile domains; rows show a spinner during retry, then a clickable ↻ retry icon if persistently failing
• Grade reflects HNDL Blast Radius + cert hygiene contributors — it is NOT a verdict on XSS protection, auth posture, or general site safety

Free forever. Open methodology. No accounts. Part of the Quantapact public-utility scanner.
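The Supply Chain tab's NEW-pill, SRI-status and CSP-verdict checks, written out as an added example that is not part of the extension's own source. The script list, the remembered hosts and the CSP header are constructed sample input; vendor categorization and HNDL grading are left out.

```javascript
// Added example, not Quantapact's own code: the NEW-script, SRI and CSP checks the Supply
// Chain tab describes, run over constructed script lists (sample data) instead of a live DOM.

// Collapse <script src> values to the third-party hosts they load, noting whether
// every script from that host carries a Subresource Integrity hash.
function thirdPartyHosts(pageHost, scripts) {
  const hosts = new Map();
  for (const s of scripts) {
    let host;
    try { host = new URL(s.src, `https://${pageHost}/`).hostname; } catch { continue; }
    if (host === pageHost) continue;                  // first-party, not a vendor
    const entry = hosts.get(host) || { host, sri: true };
    if (!s.integrity) entry.sri = false;              // one unpinned script taints the host
    hosts.set(host, entry);
  }
  return hosts;
}

// Compare this visit with the hosts remembered from earlier visits to the same site:
// anything unseen gets the NEW flag (the Polyfill.io-style change signal).
function diffVisit(pageHost, rememberedHosts, scripts) {
  const seen = new Set(rememberedHosts);
  return [...thirdPartyHosts(pageHost, scripts).values()].map(e => ({
    host: e.host,
    isNew: !seen.has(e.host),
    sri: e.sri ? "present" : "missing",
  }));
}

// Site-wide CSP verdict: strict / weak ('unsafe-inline' or wildcard sources) / absent.
function classifyCsp(cspHeader) {
  if (!cspHeader) return "absent";
  const directives = Object.fromEntries(cspHeader.split(";")
    .map(d => d.trim().split(/\s+/)).filter(p => p[0]).map(([k, ...v]) => [k, v]));
  const src = directives["script-src"] || directives["default-src"];
  if (!src) return "absent";
  const weak = src.some(v => v === "'unsafe-inline'" || v === "*" || v.includes("*."));
  return weak ? "weak" : "strict";
}

// Constructed sample: a shop page that previously loaded only Tag Manager and now also
// pulls a script from a polyfill CDN with no integrity attribute.
const SAMPLE_SCRIPTS = [
  { src: "/static/app.js", integrity: "" },
  { src: "https://www.googletagmanager.com/gtm.js", integrity: "sha384-constructed" },
  { src: "https://cdn.polyfill.io/v3/polyfill.min.js", integrity: "" },
];
const REMEMBERED = ["www.googletagmanager.com"];
console.log(diffVisit("shop.example", REMEMBERED, SAMPLE_SCRIPTS));
```

The remembered-host list stands in for the per-site storage the extension keeps between visits; a real content script would populate it from the src attributes the permissions section lists.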
0 out of 5 (No ratings)
Details
- Version: 0.3.14
- Updated: May 13, 2026
- Offered by: drentropy
- Size: 73.91 KiB
- Languages: English (United States)
- Developer email: michael.zon@medportal.ca
- Non-trader: This developer has not identified itself as a trader. For consumers in the European Union, please note that consumer rights do not apply to contracts between you and this developer.
Privacy
This developer declares that your data is
- Not being sold to third parties, outside of the approved use cases
- Not being used or transferred for purposes that are unrelated to the item's core functionality
- Not being used or transferred to determine creditworthiness or for lending purposes
Support
For help with questions, suggestions, or problems, visit the developer's support site