If you haven’t heard already, the Internet Engineering Task Force has determined that stream cipher RC4 should never be used in TLS negotiations. And now Google, Mozilla, and Microsoft have all made announcements to deprecate support for the cipher in future browser releases, which are all slated for early 2016. The browser-related announcements follow years of speculation that RC4 could be broken by cryptologic agencies and even some evidence of weaknesses.
For example, in March, researchers at Imperva’s Application Defense Center found a way to leverage a 13-year-old vulnerability in the algorithm to recover partial information. In their findings the researchers stated, “The security of RC4 has been questionable for many years.”
It has been considered a security best practice for admins to disable RC4 in server and app configurations and for users to disable RC4 in their browsers. Now three major browsers are taking action to end use for the cipher suite once and for all.
What This Means for Users and Admins
This deprecation means that the browser will no longer connect to servers that require RC4. This shouldn’t be a huge issue because Google estimates from their data that only .13% of HTTPS connections currently use RC4. Only .05% of Firefox Beta users connect over RC4. Microsoft didn’t give an exact number, but said that there are only a small number of servers IE users encounter.
If applicable, admins should fix unsecure web services that depend on RC4 and disable support to avoid a disruption for users in coming months.
Admins can check to see if RC4 is currently enabled on their server by using DigiCert’s Certificate Inspector. This tool scans all certificates for certificate-related and endpoint vulnerabilities, including RC4 cipher. Certificate Inspector gives a warning if there are any discovered weaknesses, suggests a solution, and allows you to retest after you implement AEAD cipher suites.
If you need any additional assistance with disabling RC4, please feel free to contact DigiCert Technical Support at firstname.lastname@example.org.