Back
-
Solutions
Back
Digital Trust for:
Enterprise IT, PKI & Identity
Code & Software
Documents & Signing
IoT & Connected Devices
Manage PKI and Certificate risk in one place
Streamlined Certificate
Management and Automation:
Delivering At-Scale Uptime and Availability
Secure, update, monitor and control connected devices at scale
DOWNLOAD NOW - Buy
-
Insights
Back
Digital Trust for the Real World
Explore these pages to discover how DigiCert is helping organizations establish, manage and extend digital trust to solve real-world problems.
Ponemon Institute Report
See what our global post-quantum study uncovered about where the world stands in the race to prepare for quantum computing.
LEARN MORE >
-
Partners
Back
- Support
- Contact us
- Language
Announcements
09-09-2015
Elizabeth Baier
Major Browsers Announce RC4 Deprecation in Early 2016
If you haven’t heard already, the Internet Engineering Task Force has determined that stream cipher RC4 should never be used in TLS negotiations. And now Google, Mozilla, and Microsoft have all made announcements to deprecate support for the cipher in future browser releases, which are all slated for early 2016. The browser-related announcements follow years of speculation that RC4 could be broken by cryptologic agencies and even some evidence of weaknesses.
For example, in March, researchers at Imperva’s Application Defense Center found a way to leverage a 13-year-old vulnerability in the algorithm to recover partial information. In their findings the researchers stated, “The security of RC4 has been questionable for many years.”
It has been considered a security best practice for admins to disable RC4 in server and app configurations and for users to disable RC4 in their browsers. Now three major browsers are taking action to end use for the cipher suite once and for all.
What This Means for Users and Admins
This deprecation means that the browser will no longer connect to servers that require RC4. This shouldn’t be a huge issue because Google estimates from their data that only .13% of HTTPS connections currently use RC4. Only .05% of Firefox Beta users connect over RC4. Microsoft didn’t give an exact number, but said that there are only a small number of servers IE users encounter.
If applicable, admins should fix unsecure web services that depend on RC4 and disable support to avoid a disruption for users in coming months.
Admins can check to see if RC4 is currently enabled on their server by using DigiCert’s Certificate Inspector. This tool scans all certificates for certificate-related and endpoint vulnerabilities, including RC4 cipher. Certificate Inspector gives a warning if there are any discovered weaknesses, suggests a solution, and allows you to retest after you implement AEAD cipher suites.
If you need any additional assistance with disabling RC4, please feel free to contact DigiCert Technical Support at support@digicert.com.
-
The most-trusted global provider of high-assurance TLS/SSL, PKI, IoT and signing solutions.
-
-
© 2024 DigiCert, Inc. All rights reserved.
Legal Repository Audits & Certifications Terms of Use Privacy Center Accessibility Cookie Settings