Starting this week, the RC4 cipher is disabled in Edge (Windows 10) and Internet Explorer 11 (Windows 7 and newer), bringing Microsoft’s browsers in line with Chrome and Firefox.
Around for almost 30 years, RC4 has been widely supported by online services and web applications, but it has been deemed vulnerable multiple times. Microsoft revealed plans to sunset RC4 in September last year, only a few months after researchers found a new attack method and demonstrated that RC4 attacks are increasingly practical and feasible.
On Tuesday, Microsoft released its August 2016 set of security patches, among which it slipped KB3151631, an update that disables RC4 in said browsers. The most recent versions of Chrome and Firefox also deprecated the cipher, and Edge and IE11 are now aligned with them.
“Modern attacks have demonstrated that RC4 can be broken within hours or days. The typical attacks on RC4 exploit biases in the RC4 keystream to recover repeatedly encrypted plaintexts. In February 2015, these new attacks prompted the Internet Engineering Task Force to prohibit the use of RC4 with TLS,” Brent Mills, Senior Program Manager, Windows Experience, explains in a blog post.
Before this week, Edge and IE11 allowed RC4 during a fallback from TLS 1.2 or 1.1 to TLS 1.0. While a fallback is usually the result of an innocent error, it cannot be distinguished from a man-in-the-middle attack, and this is why popular web browsers have disabled it.
The change, however, is expected to have little impact on the experience that most users receive when browsing the Internet. There is only a very small number of insecure web services that support only RC4, and it is continuously shrinking.
System admins with web services that rely on RC4, on the other hand, should take action. According to Mills, they should enable TLS 1.2 in their services and remove support for RC4.
To have RC4 disabled in Internet Explorer 11 and Microsoft Edge in Windows 10, users should install either KB3176492 Cumulative update for Windows 10: August 9, 2016, or KB3176493 Cumulative update for Windows 10 Version 1511: August 9, 2016, Microsoft explains.
Released in January this year, Firefox 44 dropped support for RC4, in addition to providing users with various other security improvements. Starting in June, Google removed support for the cipher from its SMTP servers and from Gmail’s web servers.
In a SecurityWeek column last year, F5 Networks evangelist David Holmes explained that one of the main reasons behind RC4’s success was its simplicity. “To misty-eyed old-timers like myself and many others, the simplicity of RC4 was its greatest appeal. And perhaps the simplicity of the newer stream ciphers such as ChaCha will be what drives their adoption moving forward,” he said.
