Major browser team up to announce end of support for RC4 cipher by 2016

With a view to make Internet browsing more safer for the users, Google, Microsoft and Mozilla have come to a agreement to stop support for RC4 cryptographic cipher in the companies’ browsers by early 2016.

RC4 aka Rivest Cipher 4 also known as ARC4 or ARCFOUR is a stream cipher used for cryptography in Internet browsers. While it was remarkably simple and fast,  multiple vulnerabilities have been discovered in it making it most insecure cipher. It is especially vulnerable when the beginning of the output keystream is not discarded, or when nonrandom or related keys are used; some ways of using RC4 can lead to very insecure protocols such as WEP.

The browser behemoths have decided to completely stop using RC4 cipher from 2016. “For Firefox, that means version 44, currently scheduled for release on Jan 26,” noted Mozilla’s Richard Barnes. “That is, as of Firefox 44, RC4 will be entirely disabled unless a user explicitly enables it through one of the preferences.”

Google on the other hand will push a Chrome update in January or February 2016.”Measurements show that only 0.13% of HTTPS connections made by Chrome users (who have opted into statistics collection) currently use RC4. Even then, affected server operators can very likely simply tweak their configuration to enable a better cipher suite in order to ensure continued operation,” Google’s Adam Langley pointed out.

“Current versions of Chrome don’t advertise support for RC4 on an HTTPS connection unless the first connection attempt fails, so servers that already support a non-RC4 cipher suite will not see any change.”

Microsoft has made the official announcement yesterday. “Microsoft Edge and Internet Explorer 11 only utilize RC4 during a fallback from TLS 1.2 or 1.1 to TLS 1.0. A fallback to TLS 1.0 with RC4 is most often the result of an innocent error, but this is indistinguishable from a man-in-the-middle attack. For this reason, RC4 will be entirely disabled by default for all Microsoft Edge and Internet Explorer users on Windows 7, Windows 8.1 and Windows 10 starting in early 2016,” explained Alec Oot, a Program Manager with Microsoft.

Microsoft had intended to deprecate the SHA-1 algorithm in 2013. Internet Explorer does not offer RC4-based cipher suites during the initial TLS/SSL handshake as the first option.