How to block the insecure RC4 cipher in Firefox and Chrome

Martin Brinkmann
Jul 19, 2015
Security
|
25

Whenever you connect to a secure website using Firefox or any other modern browser, negotiations happen in the background that determine what is being used to encrypt the connection.

RC4 is a stream cipher that is currently supported by most browsers even though it may only be used as a fallback (if other negotiations fail) or for whitelisted sites.

Exploits have come to light in recent time that take advantage of weaknesses in RC4 which allow attackers to run attacks in a reasonable time frame, for instance to decrypt web cookies which often contain authentication information.

Mozilla wanted to remove RC4 from Firefox completely initially in version 38 or 39 of the browser but decided against it based on telemetry data. As it stands right now, RC4 won't be disabled in Firefox 39 or 40.

Tip: you can check if your web browser is vulnerable by visiting this RC4 website. If you see red notifications on the page after the text has been conducted it means that it is vulnerable to attacks.

It needs to be noted that other browsers, Google Chrome for instance, are vulnerable as well. Google is apparently also working on dropping RC4 support completely in Chrome

Disabling RC4 in Firefox

Firefox users can turn off RC4 in the web browser completely. It needs to be noted that some secure sites may fail to work after doing so.

firefox disable rc4

  1. Type about:config in the browser's address bar and hit enter.
  2. Confirm you will be careful if you receive a prompt.
  3. Search for RC4 and double-click on the following preferences to set them to false.
  4. security.ssl3.ecdhe_ecdsa_rc4_128_sha
  5. security.ssl3.ecdhe_rsa_rc4_128_sha
  6. security.ssl3.rsa_rc4_128_md5
  7. security.ssl3.rsa_rc4_128_sha

Once you have made the changes reload the test page linked above. You should get connection failure messages instead of warnings when you do that.

If you run into issues connecting to secure sites after making the changes you may need to restore support for RC4. To do that repeat the steps above and make sure the values of the preferences are set to true afterwards.

Disabling RC4 in Chrome

chrome disable rc4

The process is complicated in Chrome as you cannot simply switch a couple of preferences in the web browser to disable RC4 in it.

The only valid option is to run Chrome with command line parameters that block RC4. Here is how this is done (instructions for Windows).

  1. Right-click on the Chrome shortcut in the taskbar of the operating system, and right-click again on Chrome, and select properties from the context menu that opens up.
  2. This should open the properties of the executable file.
  3. Add --cipher-suite-blacklist=0x0004,0x0005,0xc011,0xc007 as a parameter to the end of the Target line. Make sure there is a space in front of the parameter.
  4. The target line looks like this on my computer after adding the parameter: C:\Users\Martin\AppData\Local\Chromium\Application\chrome.exe --cipher-suite-blacklist=0x0004,0x0005,0xc011,0xc007
  5. Note: yours will vary based on your username and the version of Chrome you have installed.

The command adds RC4 to the cipher blacklist so that it won't be used by the browser. If you rerun the test, you will notice that it will fail (which is good).

Summary
How to block the insecure RC4 cipher in Firefox and Chrome
Article Name
How to block the insecure RC4 cipher in Firefox and Chrome
Description
Find out how to block the insecure RC4 cipher that may be used to establish secure connections in Chrome and Firefox.
Author
Advertisement

Previous Post: «
Next Post: «

Comments

  1. Anonymous said on January 7, 2016 at 12:01 pm
    Reply

    i use chrome 64bit in windows 10 when i add this –cipher-suite-blacklist=0x0004,0x0005,0xc011,0xc007 and click apply see error, what i do?

  2. Bernd Pfeiffer said on December 30, 2015 at 12:19 am
    Reply

    Dec 30 2015:
    The Stock Browser in Android 5.1.1 also appears to have RC4 (4 Suites) still enabled. Hopefully this gets fixed with the “concertated” Campaign to drop it finally.
    Also, the IE11 Browser within Windows 8.1 Mobile has not yet been fixed (it still supports SSLv3, in TLS1 all the known Vulnerability Issues have not yet been fixed/mitigated, including RC4 being usable)

  3. Richard Allen said on July 25, 2015 at 9:45 am
    Reply

    Great info as usual. Did this not to long ago and I also have not had any issues with any websites, at least to this point. ;)

  4. webfork said on July 21, 2015 at 5:52 pm
    Reply

    The reason companies keep old encryption is because they have server farms that are setup with hardware that does just one thing (in this case, RC4 acceleration). It’s expensive and time consuming to switch to something else so the rationale is “it’s secure *enough*”. However, if clients and support cases created by users increasingly stack up against it, the switch will accelerate.

    Thanks for posting about this.

  5. A different Martin said on July 20, 2015 at 11:36 pm
    Reply

    Just FYI, my Internet Explorer 11 x64 tested as insecure. (I never use it, so I don’t care.) Both my Firefox x86 and Pale Moon x64 installs tested as secure, possibly as a result of actions I took in the wake of the last big insecure protocol scare (a couple of months ago?). I uninstalled Google Chrome some time ago, so I don’t have to bother with it.

  6. Andy said on July 20, 2015 at 5:54 pm
    Reply

    I don’t see it mentioned in the article, but I’m running Firefox 41, and RC4 is disabled by default.

  7. Hans van Aken said on July 20, 2015 at 4:34 pm
    Reply

    @ Hy (unfortunately there was no “Reply”-Button in your comment).
    Thanks a lot for your hint to the addon ssleuth, installed it.
    I think it gives the possibility to leave the about:config-settings as they are
    (all RC4-entries “true”) and set ssleuth to disable RC4 Suites by right-clicking
    the adress-bar button, so it should be possible to enable RC4 only when it’s needed.
    Thank you, Hy! And many thanks to Martin for the great article.

    1. Hy said on July 20, 2015 at 7:17 pm
      Reply

      You’re very welcome! :)

      1. Tommy said on July 21, 2015 at 5:15 am
        Reply

        Also big thanks from me as well Hy, SSLeuth is a fine addon for Firefox and i did not know of it before, cheers!

  8. wybo said on July 20, 2015 at 12:35 pm
    Reply

    Thanks for this Martin.

    Done and dusted.

  9. Xi said on July 20, 2015 at 6:14 am
    Reply

    How to block RC4 in Opera 12.17?

    1. Castor/Pollux said on July 20, 2015 at 8:44 am
      Reply

      In Opera 12 go to: Settings > Preferences > Advanced > Security > Security Protocols > Details
      Look for entries with RC4 in them.
      Uncheck.
      Reload the test page.
      You should be OK now.

  10. michaelpaul said on July 20, 2015 at 12:26 am
    Reply

    I have done exactly what Martin suggests about a month ago ,have not
    had any issues with sites ,So Firefox dump this crap
    is not needed just unnecessary problems to be !
    Thank Martin
    Always has great suggestions ..and fixes

  11. Tom Hawack said on July 19, 2015 at 11:23 pm
    Reply

    I’ve tested on Firefox several ssl sites with the insecure RC4 cipher disabled and no problem up to now. I’m not using EFF’s HTTPS Everywhere add-on but I imagine doing so could maybe lead to connection failures…
    Thanks again for the quick info, Martin. Nothing is too quick when security is concerned.

  12. anonymous said on July 19, 2015 at 10:56 pm
    Reply

    This add on will handle RC4 for you among other things: https://addons.mozilla.org/en-us/firefox/addon/calomel-ssl-validation/

    1. Arnauld said on July 20, 2015 at 10:35 am
      Reply

      what should I tick in this addon to disable rc4 ?

      thank you

      1. arnauld said on July 21, 2015 at 8:53 am
        Reply

        ok, thanks Hy

      2. A different Martin said on July 21, 2015 at 6:15 am
        Reply

        FYI: SSleuth works with the current release of Firefox but not with the current release of Pale Moon. Calomet works with Pale Moon.

      3. Hy said on July 20, 2015 at 2:06 pm
        Reply

        Actually, there is nothing specific to tick in the Calomel addon because Calomel cannot be set to disable insecure RC4 cipher suites only.

        A much better addon to replace Calomel, and in which you can specifically disable RC4 suites, is SSLeuth: https://addons.mozilla.org/en-us/firefox/addon/ssleuth/

        You can also disable RC4 in the addon CipheFox Secure: https://addons.mozilla.org/en-us/firefox/addon/cipherfox-secure/

  13. Torro said on July 19, 2015 at 9:36 pm
    Reply

    I did the steps you mentioned, Martin, but I still get the fallback vulnerability.

  14. Rollo said on July 19, 2015 at 9:17 pm
    Reply

    Some interesting references from the archlinux wiki:
    https://wiki.archlinux.org/index.php/Chromium_tweaks#Disable_insecure_RC4_cipher

    This is the list of cipher suite I disabled in chromium:

    –cipher-suite-blacklist=0x0001,0x0002,0x0004,0x0005,0x0017,0x0018,0xc002,0xc007,0xc00c,0xc011,0xc016,0xff80,0xff81,0xff82,0xff83,0x0033,0x0039,0x0067,0x006b,0x009e

    The last five (0x0033,0x0039,0x0067,0x006b,0x009e) are blocked in order to avoid the logjam attack, but I’m sorry now I can’t find the link with references…

    In iceweasel/seamonkey I have also these “about:config” entries:
    security.ssl.treat_unsafe_negotiation_as_broken;true
    security.ssl.require_safe_negotiation;true

  15. Fips said on July 19, 2015 at 8:26 pm
    Reply

    security.tls.unrestricted_rc4_fallback; standard boolean false

    steht hier bei mir.
    Demzufolge müsste ich diesen auf true setzen was dann eventuell wieder auswirkungen hat auf sichere seiten

    1. Martin Brinkmann said on July 19, 2015 at 8:36 pm
      Reply

      The way it is configured on your end currently is that RC4 is still enabled on whitelisted sites. If you don’t want that, you need to disable the preferences mentioned in the article.

  16. Fips said on July 19, 2015 at 8:04 pm
    Reply

    Bei mir steht
    SECURE!
    Your browser doesn’t support RC4 by default.
    Fallback test below. If you don’t see a red warning, you’re probably safe.

    Daraus schliesse ich das es unter Nightly 42 soweit alles Passt ohne das ich -Deaktivieren RC4 in Firefox
    gemacht habe
    gruss Fips

    1. Martin Brinkmann said on July 19, 2015 at 8:14 pm
      Reply

      Fips, this is not the case. If you check about:config, you will notice that RC4 is still enabled but that the preference security.tls.unrestricted_rc4_fallback is set to false now.

      The last preference turns off the fallback to RC4 on all sites but sites on a whitelist.

      https://hg.mozilla.org/integration/mozilla-inbound/annotate/3e18d65b28c3/security/manager/ssl/src/IntolerantFallbackList.inc#l160

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.