Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Data Protection

Microsoft, Google, Mozilla to Kill RC4 in Browsers

Microsoft, Google and Mozilla announced on Tuesday their intention to end support for the RC4 stream cipher in their web browsers at the beginning of 2016.

Microsoft, Google and Mozilla announced on Tuesday their intention to end support for the RC4 stream cipher in their web browsers at the beginning of 2016.

RC4 has been around since 1987 and it has been widely supported by online services and web applications. However, researchers have demonstrated on several occasions that the cryptographic algorithm is plagued by vulnerabilities that could allow malicious actors to crack it.

A new attack method against RC4-based SSL/TLS communications was disclosed by experts in March. Even more recently, researchers demonstrated that RC4 attacks are increasingly practical and feasible. The experiments they conducted using real devices showed that plaintext recovery attacks targeting the TLS protocol can be successfully carried out in as little as 52 hours.

The Internet Engineering Task Force (IETF) announced in February that TLS clients and servers should never negotiate the use of RC4 when establishing connections. Now, tech giants Microsoft, Google and Mozilla have come to an agreement to completely disable support for RC4 in future versions of their web browsers.

Microsoft says RC4 will be disabled by default in Edge and Internet Explorer starting with early 2016. The company, which has been advising customers to disable RC4 support since 2013, has instructed the owners of web services that rely on RC4 to take steps to prevent any issues.

Currently, Microsoft Edge and Internet Explorer 11 only use RC4 during fallback from TLS 1.2/1.1 to TLS 1.0, which usually happens as a result of “an innocent error,” the company said.

Google plans to disable support for RC4 starting with a version of Chrome that will be released in January or February 2016.

“Measurements show that only 0.13% of HTTPS connections made by Chrome users (who have opted into statistics collection) currently use RC4. Even then, affected server operators can very likely simply tweak their configuration to enable a better cipher suite in order to ensure continued operation,” explained Google’s Adam Langley.

Mozilla says it has been progressively disabling RC4 — starting with Firefox 37, a version released in March 31, RC4 has been partially disabled. The company will completely kill the cipher in late January or early February 2016, likely with the release of Firefox 44.

“Disabling RC4 will mean that Firefox will no longer connect to servers that require RC4. The data we have indicate that while there are still a small number of such servers, Firefox users encounter them at very low rates,” said Mozilla security engineer Richard Barnes.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Application Security

Many developers and security people admit to having experienced a breach effected through compromised API credentials.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Cybersecurity Funding

Los Gatos, Calif-based data protection and privacy firm Titaniam has raised $6 million seed funding from Refinery Ventures, with participation from Fusion Fund, Shasta...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Cybercrime

A database containing over 235 million unique records of Twitter users is now available for free on the web, cybercrime intelligence firm Hudson Rock...