Mozilla, Google and Microsoft to remove RC4 support in early 2016

Mozilla, Google and Microsoft have agreed to remove support for the RC4 cipher in Firefox, Chrome, Internet Explorer and Microsoft Edge in early 2016.

Multiple vulnerabilities have been discovered in RC4 in recent time which led to recommendations to avoid use of the cipher at all costs by companies such as Mozilla or Microsoft.

All three companies plan to remove RC4 support from their web browsers in early 2016 and have made an announcement in that regard publicly.

Microsoft announced the upcoming change on the official Microsoft Edge development blog. The company plans to make the change in Microsoft Edge and Internet Explorer 11 but mentioned in the blog post that it will disable RC4 by default for users on Windows 7, Windows 8.1 and Windows 10.

Starting in early 2016, the RC4 cipher will be disabled by-default and will not be used during TLS fallback negotiations.

Google announced the change on the official Chromium forum. The company aims to remove RC4 support in late January or early February 2016.

When Chrome makes an HTTPS connection it has an implicit duty to do what it can to ensure that the connection is secure. At this point, the use of RC4 in an HTTPS connection is falling below that bar and thus we plan to disable support for RC4 in a future Chrome release. That release is likely to reach the stable channel around January or February 2016. At that time, HTTPS servers that only support RC4 will stop working.

According to Google, 0.13% of HTTPS connections that Chrome users make use RC4 and will be affected by the change unless server operators make changes to the configuration to support other ciphers.



Mozilla provided detailed information about the current stage of RC4 in Firefox and plans to remove support for it completely.

Read also:  Greasemonkey Dev posts WebExtensions Design Doc: paints grim picture

firefox rc4 preferences

The organization has disabled RC4 partially in Firefox already. While still allowed in Beta and Release versions, Developer and Nighly versions only support a static whitelist of hosts that require it.

The current proposal posted on Mozilla's Dev Platform group aims to disable RC4 completely in Firefox 44 which will be released to the stable channel on January 26.

Plans are underway to disable the whitelist that Firefox Nightly and Aurora versions make use of as soon as possible.

Unrestricted fallback in Beta and Release versions of Firefox will be replaced by that whitelist when these channels reach version 43. Starting with version 44, RC will be disabled for good in all releases.

Mozilla Firefox users may override this by changing the following preferences:

  • security.tls.unrestricted_rc4_fallback - allows unrestricted fallback to RC4
  • security.tls.insecure_fallback_hosts.use_static_list - only allow RC4 for hosts on the static whitelist
  • security.tls.insecure_fallback_hosts - a list of hosts for which fallback is allowed

Now You: Are you impacted by the change?

Summary
Article Name
Mozilla, Google and Microsoft to remove RC4 support in early 2016
Description
Mozilla, Google and Microsoft announced recently that they plan to remove RC4 support in Firefox, Chrome and Edge / Internet Explorer in early 2016.
Author

Please share this article

Facebooktwittergoogle_plusredditlinkedinmail



Responses to Mozilla, Google and Microsoft to remove RC4 support in early 2016

  1. Tom Hawack September 3, 2015 at 3:20 pm #

    Here I've adopted since Firefox 39 below advised settings (added to my user.js file) and have encountered no issue up to now :

    /* BLOCK INSECURE RC4 CIPHERS (FF-39+) */
    // block rc4 fallback and disable whitelist
    user_pref("security.tls.unrestricted_rc4_fallback", false);
    user_pref("security.tls.insecure_fallback_hosts.use_static_list", false);
    // override rc4 ciphers anyway - these will be deprecated anyway
    user_pref("security.ssl3.ecdhe_ecdsa_rc4_128_sha", false);
    user_pref("security.ssl3.ecdhe_rsa_rc4_128_sha", false);
    user_pref("security.ssl3.rsa_rc4_128_md5", false);
    user_pref("security.ssl3.rsa_rc4_128_sha", false);

    I have to rely on advice and backups, topics such as here on GHacks, have everything carefully noted when it comes to ciphers as I don't understand the very meaning unless that they apply to secured connections.

  2. Adithya FRK September 3, 2015 at 4:24 pm #

    I was about to post something but i don't know any s***t about RC4 ;-)

    I just came here to read the comments (Michael Jackson.jpeg)

  3. Ron C. September 7, 2015 at 5:57 pm #

    For those that are security minded, Pale Moon has already disabled RC4 ciphers.

Leave a Reply