Microsoft, Google, Mozilla to Kill RC4 in Browsers

Microsoft, Google and Mozilla announced on Tuesday their intention to end support for the RC4 stream cipher in their web browsers at the beginning of 2016.

RC4 has been around since 1987 and it has been widely supported by online services and web applications. However, researchers have demonstrated on several occasions that the cryptographic algorithm is plagued by vulnerabilities that could allow malicious actors to crack it.

A new attack method against RC4-based SSL/TLS communications was disclosed by experts in March. Even more recently, researchers demonstrated that RC4 attacks are increasingly practical and feasible. The experiments they conducted using real devices showed that plaintext recovery attacks targeting the TLS protocol can be successfully carried out in as little as 52 hours.

The Internet Engineering Task Force (IETF) announced in February that TLS clients and servers should never negotiate the use of RC4 when establishing connections. Now, tech giants Microsoft, Google and Mozilla have come to an agreement to completely disable support for RC4 in future versions of their web browsers.

Microsoft says RC4 will be disabled by default in Edge and Internet Explorer starting in early 2016. The company, which has been advising customers to disable RC4 support since 2013, has instructed the owners of web services that rely on RC4 to take steps to prevent any issues.

Currently, Microsoft Edge and Internet Explorer 11 only use RC4 during fallback from TLS 1.2/1.1 to TLS 1.0, which usually happens as a result of “an innocent error,” the company said.

Google plans to disable support for RC4 starting with a version of Chrome that will be released in January or February 2016.

“Measurements show that only 0.13% of HTTPS connections made by Chrome users (who have opted into statistics collection) currently use RC4. Even then, affected server operators can very likely simply tweak their configuration to enable a better cipher suite in order to ensure continued operation,” explained Google’s Adam Langley.

Mozilla says it has been progressively disabling RC4: starting with Firefox 37, a version released on March 31, RC4 has been partially disabled. The company will completely kill the cipher in late January or early February 2016, likely with the release of Firefox 44.

“Disabling RC4 will mean that Firefox will no longer connect to servers that require RC4. The data we have indicate that while there are still a small number of such servers, Firefox users encounter them at very low rates,” said Mozilla security engineer Richard Barnes.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
