Published on September 3rd, 2015
Google Chrome, Microsoft Edge and Mozilla Firefox to stop supporting RC4 cipher by 2016
Major browsers team up to announce end of support for RC4 cipher by 2016
With a view to making Internet browsing safer for users, Google, Microsoft and Mozilla have agreed to stop supporting the RC4 cryptographic cipher in the companies' browsers by early 2016.
RC4 (Rivest Cipher 4), also known as ARC4 or ARCFOUR, is a stream cipher used for cryptography in Internet browsers. While it is remarkably simple and fast, multiple vulnerabilities have been discovered in it, making it a highly insecure cipher. It is especially vulnerable when the beginning of the output keystream is not discarded, or when nonrandom or related keys are used; some ways of using RC4 can lead to very insecure protocols such as WEP.
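The weakness at the start of the keystream can be measured directly. The following is an added example, not part of the original article: it implements RC4 and counts how often the second keystream byte is zero over random 128-bit keys, with and without discarding the first 256 bytes. The function names, trial counts and seed are assumptions chosen for illustration.

```python
import random

def rc4_keystream(key, n, drop=0):
    """Return n RC4 keystream bytes for `key`, after discarding the first `drop` bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm (KSA)
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(drop + n):                  # pseudo-random generation (PRGA)
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out[drop:])

def second_byte_zero_ratio(trials, drop=0, seed=2015):
    """How often keystream byte 2 equals 0, relative to the ideal rate of 1/256.

    A value near 1.0 means the byte looks uniform; a value near 2.0 means
    zero appears about twice as often as it should.
    """
    rng = random.Random(seed)                  # fixed seed (assumption) for repeatable runs
    hits = 0
    for _ in range(trials):
        key = rng.getrandbits(128).to_bytes(16, "big")   # constructed random key
        if rc4_keystream(key, 2, drop)[1] == 0:
            hits += 1
    return (hits / trials) * 256

if __name__ == "__main__":
    print("no bytes discarded :", round(second_byte_zero_ratio(30000), 2))
    print("first 256 discarded:", round(second_byte_zero_ratio(15000, drop=256), 2))
```

Discarding the initial output hides this particular bias but does not address RC4's other weaknesses, which is why the browsers are removing the cipher rather than patching how it is used.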
The browser behemoths have decided to completely stop using the RC4 cipher from 2016. "For Firefox, that means version 44, currently scheduled for release on Jan 26," noted Mozilla's Richard Barnes. "That is, as of Firefox 44, RC4 will be entirely disabled unless a user explicitly enables it through one of the preferences."
Google, on the other hand, will push a Chrome update in January or February 2016. "Measurements show that only 0.13% of HTTPS connections made by Chrome users (who have opted into statistics collection) currently use RC4. Even then, affected server operators can very likely simply tweak their configuration to enable a better cipher suite in order to ensure continued operation," Google's Adam Langley pointed out.
"Current versions of Chrome don't advertise support for RC4 on an HTTPS connection unless the first connection attempt fails, so servers that already support a non-RC4 cipher suite will not see any change."
Microsoft made its official announcement yesterday. "Microsoft Edge and Internet Explorer 11 only utilize RC4 during a fallback from TLS 1.2 or 1.1 to TLS 1.0. A fallback to TLS 1.0 with RC4 is most often the result of an innocent error, but this is indistinguishable from a man-in-the-middle attack. For this reason, RC4 will be entirely disabled by default for all Microsoft Edge and Internet Explorer users on Windows 7, Windows 8.1 and Windows 10 starting in early 2016," explained Alec Oot, a Program Manager with Microsoft.
Microsoft had intended to deprecate the SHA-1 algorithm in 2013. Internet Explorer does not offer RC4-based cipher suites during the initial TLS/SSL handshake as the first option.