Cloudflare Goes Post-Quantum and OpenAI Kills Sora in the Same Week

This week felt like two parallel universes colliding: one where infrastructure teams are preparing for quantum computers that don't exist yet, and another where a consumer product launched six months ago is already dead.

Cloudflare ships post-quantum IPsec you can actually use

Cloudflare made post-quantum encryption generally available for IPsec tunnels this week, and the interesting part isn't the crypto—it's that they validated interoperability with Cisco and Fortinet hardware you probably already own. That means you can protect your WAN against harvest-now-decrypt-later attacks today using branch routers sitting in your closet.

The implementation uses hybrid ML-KEM key agreement during the IKEv2 IKE_INTERMEDIATE phase, combining classical and post-quantum schemes in a single handshake. It follows RFC 9370 and a draft IETF spec that's still evolving, but Cloudflare went ahead and shipped it anyway because waiting for final ratification means waiting for adversaries to start stockpiling encrypted traffic.

The threat model here is straightforward: an attacker captures your encrypted IPsec traffic now, stores it, and waits five or ten years for quantum computers powerful enough to break elliptic-curve crypto. By the time that happens, your secrets from 2026 might still matter—credentials, API keys, architecture diagrams, financial records. Hybrid post-quantum schemes hedge against that future by adding a lattice-based key exchange that even theoretical quantum algorithms can't crack.

What makes this release notable is Cloudflare validated it with third-party vendors. Most post-quantum announcements are vaporware demos between lab machines. This one works with production Cisco and Fortinet devices right now, which means enterprises can actually deploy it instead of waiting for a forklift hardware refresh.

OpenAI shut down Sora after six months

OpenAI discontinued the Sora web and app experiences on April 26—less than half a year after launch—and the API follows in September. The company is letting users export their generated videos via a sunset page, but that's it. No migration path, no pivot to a different product, just a clean shutdown.

This is the kind of product death that makes you wonder what the internal post-mortem looked like. Sora was positioned as a breakthrough in video generation, demoed to press and creators with carefully curated examples, and then… it just didn't find a market. Usage must have been abysmal. OpenAI doesn't kill products lightly; they're resource-constrained and every engineering hour counts. If Sora had even marginal traction, they'd keep the lights on.

The API deprecation timeline is interesting: six more months for developers who integrated it. That's longer than the consumer product lasted, which suggests there was some enterprise usage, just not enough to justify the infrastructure cost of training and serving a video diffusion model at scale.

It also raises questions about OpenAI's broader product strategy. They're rumored to be working on their own smartphone focused on AI agents, and they just updated their Microsoft cloud deal to allow serving products via Google and other providers. If you're diversifying cloud infrastructure and building hardware, you probably don't have the bandwidth to maintain a low-usage video API.

The CVE patches nobody celebrates but everyone needs

Cloudflare also pushed emergency WAF rules this week for CVE-2026-41940, a critical authentication bypass in cPanel & WHM that lets unauthenticated attackers gain admin access to web hosting control panels. The same release included protections for CVE-2026-33057 (a remote code execution bug in Mesop), CVE-2026-20079 (Cisco Secure Firewall Management Center), and CVE-2026-21643 (FortiClient EMS).

These aren't glamorous stories. Nobody writes blog posts titled "We Deployed a WAF Rule Today." But if you run any kind of multi-tenant hosting infrastructure or enterprise VPN, these patches are the difference between a quiet Wednesday and a weekend spent rebuilding from backups.

The cPanel bypass is particularly nasty because it affects the session validation logic—the kind of bug that's trivial to exploit once you know it exists. Cloudflare's WAF team shipped a blocking rule within hours of disclosure, which is the unsexy infrastructure work that keeps the internet from catching fire.

What this week actually means

The through-line here is infrastructure staying ahead of threats while product bets fail fast. Cloudflare is hedging against quantum computers that won't exist for years. OpenAI shut down a product that didn't work after six months. Both are rational decisions, but they reflect wildly different time horizons and risk appetites.

Post-quantum crypto is a long game. You deploy it now because reversing the decision later is impossible—once someone has your encrypted traffic, they have it forever. Consumer AI products are the opposite: if they don't find product-market fit in a few quarters, the compute cost alone will kill you.

The other quiet detail: OpenAI's status page shows GPT-5.5 rolling out to all paid users this week, and ChatGPT workspace connectors had write actions accidentally disabled. Both got resolved without much fanfare. That's the operational reality of running LLM infrastructure at scale—something always breaks, you fix it, and nobody remembers unless it's down for hours.