Web Browser Vendors Agree on End of Support for RC4

Update: 13th September 2016:
Microsoft have since disabled support for the RC4 algorithm in August 2016. They were the final major browser vendor to remove support. I very much welcome this change.

Thank you.

Update: 15th April 2016:
The Microsoft blog post mentioned below has now been updated to state that the RC4 algorithm will not be disabled after all in the Microsoft security updates for April 2016, which have now arrived. No further timelines/deadlines were provided.

In my opinion, I hope that this algorithm is disabled sooner rather than later; it was first considered no longer secure enough for use in 2013, and its removal from active service has already taken too long.

Thank you.

Update: 1st April 2016:
Microsoft in a blog post published in March announced that they would be dropping support for RC4 within Edge and Internet Explorer 11 when the security updates for these products are released on the 12th of April. Within that post Microsoft provide a reference/advice for website administrators to migrate from RC4.

Thank you.

Update: 26th January 2016:
As mentioned within a separate blog post, as scheduled Mozilla removed support for the RC4 algorithm with their release of Firefox 44. Further details are available within that blog post.

Thank you.

Update: 10th January 2016:
Last month, when Google made the beta version of Google Chrome 48 available, the release notes (see the “Minor changes” section at the end of that post) mentioned that the RC4 cipher would no longer be supported going forward. This fact was reiterated in a later blog post in December announcing the gradual phasing out of SHA-1. This also aligns with Mozilla and Microsoft’s timeline of early 2016.

Further update: On the 20th of January Google made available Chrome version 48 via their Stable release channel making the removal of the RC4 algorithm available to a much wider audience.

Thank you.

=======================
Original Post:
=======================
Early last week three of the top browser vendors, Mozilla, Google and Microsoft, announced their joint plans to remove, in early 2016, support for the RC4 encryption algorithm still used to secure some HTTPS websites.

Mozilla currently plans to release Firefox 44 in late January 2016 with Google and Microsoft following suit in February.

Why Is This Change Significant?
As mentioned in Google’s discussion, RC4 is a 28-year-old encryption algorithm that has secured connections between servers and client devices throughout that time. However, as I mentioned in a previous blog post (Google cites the same research paper as its second example, among others), an increasing number of attacks that exploit the statistical biases in RC4’s keystream are becoming practical. Google also mentions the IETF’s decision (RFC 7465) that RC4 cipher suites must no longer be used in TLS. Since the use of RC4 puts the information it is attempting to protect at potential (and growing) risk, RC4 should no longer be considered fit for purpose. Further background on these upcoming changes is provided in this InfoWorld blog post.

What Can I Do To Prepare For This Change?
For server/website operators, Google and Microsoft make suggestions for upgrading to newer cipher suites.
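The practical check a server operator wants before the browsers drop RC4 is whether their own server will still negotiate an RC4 suite when that is all a client offers. The following is an added example (not code from the original post, nor from Google or Microsoft) that builds a TLS ClientHello offering only the RC4 cipher suites, sends it to a server, and reads the reply: a ServerHello selecting an RC4 suite means the server still supports RC4; a handshake_failure alert means it has none of those suites enabled. The cipher suite codes are the IANA-registered values; the sample ServerHello and alert bytes at the bottom are constructed for offline testing and were not captured from any real server.

```python
"""Probe whether a TLS server will still negotiate an RC4 cipher suite."""
import os
import socket
import struct

# IANA TLS cipher suite identifiers for the RC4 suites browsers are removing.
RC4_SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0xC002: "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
    0xC007: "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
    0xC00C: "TLS_ECDH_RSA_WITH_RC4_128_SHA",
    0xC011: "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
}

HANDSHAKE, ALERT = 0x16, 0x15   # TLS record content types
SERVER_HELLO = 0x02             # handshake message type


def build_client_hello(server_name: str) -> bytes:
    """Build a TLS 1.2 ClientHello that offers *only* RC4 suites, plus SNI.

    A correctly configured server has no suite in common with this offer
    and must answer with a handshake_failure alert instead of a ServerHello.
    """
    suites = b"".join(struct.pack("!H", s) for s in RC4_SUITES)
    host = server_name.encode("idna")
    sni_entry = struct.pack("!BH", 0, len(host)) + host      # name_type host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"                                 # client_version: TLS 1.2
        + os.urandom(32)                            # client random
        + b"\x00"                                   # empty session id
        + struct.pack("!H", len(suites)) + suites   # the RC4-only offer
        + b"\x01\x00"                               # compression: null only
        + extensions
    )
    handshake = bytes([0x01]) + len(body).to_bytes(3, "big") + body   # ClientHello
    return bytes([HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def negotiated_suite(response: bytes):
    """Return the cipher suite code from a ServerHello, or None if the reply
    is an alert (or anything else that is not a ServerHello)."""
    if len(response) < 5:
        return None
    rec_type, rec_len = response[0], struct.unpack("!H", response[3:5])[0]
    record = response[5:5 + rec_len]
    if rec_type != HANDSHAKE or not record or record[0] != SERVER_HELLO:
        return None                 # a handshake_failure ALERT lands here
    hs_len = int.from_bytes(record[1:4], "big")
    hello = record[4:4 + hs_len]
    # ServerHello: version(2) random(32) session_id_len(1) session_id suite(2)
    sid_len = hello[34]
    offset = 35 + sid_len
    return struct.unpack("!H", hello[offset:offset + 2])[0]


def classify(response: bytes) -> str:
    """Human-readable verdict for a server's reply to the RC4-only offer."""
    suite = negotiated_suite(response)
    if suite is None:
        return "OK: server refused the RC4-only offer"
    if suite in RC4_SUITES:
        return "FAIL: server negotiated %s" % RC4_SUITES[suite]
    return "UNEXPECTED: server chose suite 0x%04X it was not offered" % suite


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Send the RC4-only ClientHello to a live server and classify its reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(host))
        return classify(sock.recv(4096))


# Constructed sample replies (not captured from a real server) so the parsing
# logic can be exercised offline: a ServerHello picking TLS_RSA_WITH_RC4_128_SHA,
# and a fatal handshake_failure alert (level 2, description 40).
SAMPLE_RC4_SERVER_HELLO = (
    bytes([HANDSHAKE, 0x03, 0x03]) + struct.pack("!H", 42)
    + bytes([SERVER_HELLO]) + (38).to_bytes(3, "big")
    + b"\x03\x03" + b"\x42" * 32 + b"\x00" + b"\x00\x05" + b"\x00"
)
SAMPLE_HANDSHAKE_FAILURE = bytes([ALERT, 0x03, 0x03, 0x00, 0x02, 0x02, 0x28])

if __name__ == "__main__":
    import sys
    print(classify(SAMPLE_RC4_SERVER_HELLO))    # FAIL: server negotiated TLS_RSA_WITH_RC4_128_SHA
    print(classify(SAMPLE_HANDSHAKE_FAILURE))   # OK: server refused the RC4-only offer
    if len(sys.argv) > 1:
        print(sys.argv[1], probe(sys.argv[1]))
```

Run it with a hostname as the argument to test a live server. A FAIL means the server still has RC4 suites enabled; the fix is to drop them from the configured cipher list (for example, removing the RC4 entries or appending `!RC4` to an OpenSSL-style cipher string) and re-run the probe. Treat an OK as one data point rather than a clean bill of health: a server can also send an alert for reasons unrelated to RC4 (unsupported protocol version, SNI mismatch), so confirm the result with a full cipher-suite scan such as the Qualys SSL Labs test before the browser deadlines arrive.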

For web browser users, simply continue to keep your preferred web browser up to date to receive these changes in early 2016.

Update: 24th September 2015: Google have provided more advice and information regarding their transition away from RC4 and SSL v3 in this blog post.

Update: 7th February 2016:
In early 2013 Qualys published a thorough blog post with recommendations on transitioning from RC4.

I hope that the above advice/notice is helpful in preparing for this upcoming change.

Thank you.
