Browser makers slowly strangling weak RC4 cipher

By on
Browser makers slowly strangling weak RC4 cipher
Ron Rivest. Source:

Ancient encryption can be broken "within hours".

The Mozilla Foundation will join fellow browser makers Microsoft and Google to disable the weak RC4 cipher in the upcoming 4.4 version of its Firefox web browser.

RC4 was created by Ron Rivest, one of the founders of RSA Security, in 1987. Although never officially released by RSA, it was leaked to an internet newsgroup in 1994 and, thanks to its simplicity, speed and efficiency, rapidly became popular among vendors.

Several successful attacks against RC4 have been developed in recent years, and browser developers have responded by winding down support for the cipher protocol. Current Internet Engineering Task Force (IETF) best practice advises website admins and browser developers against negotiating RC4 ciphers when establishing secure connections.

Over the weekend, Mozilla engineer April King said Firefox version 36 turned RC4 into a fallback only cipher as a first step towards deprecating the protocol back in February.

RC4 is currently only used in 0.08 percent of Transport Layer Security (TLS) transactions, thanks to the changes. 

Users who wish to turn off RC4 completely can switch off the fallback option to the older protocol by switching the security.tls.unrestricted_rc4_fallback setting on the about:config page in Firefox to false.

Earlier this month, Microsoft said it would dump RC4 by next year.

Although the old protocol is built into the new Edge web browser that debuted in Windows 10, as well as in the existing Internet Explorer 11, RC4 was only used when negotiating downwards from the newer TLS 1.2 or 1.1 protocols to 1.0.

Such protocol fallbacks were mainly due to configuration errors, but they are indistinguishable from man-in-the-middle data interception attacks, wrote Microsoft's Edge Team program manager for customer experience, Alex Oot.

Google security engineer Adam Langley also said the company intends to drop support for RC4 by January or February next year in the stable version of its Chrome web browser.

Apart from sites that are required to support the older Internet Explorer 6 web browser, the decision to retire RC4 isn't expected to cause headaches for server operators.

Langley noted that in September this year, just 0.13 percent of HTTPS connections made by Chrome users who had opted in for data statistics collection used RC4, according to Google statistics.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © . All rights reserved.

Most Read Articles

Log In

  |  Forgot your password?