Major browser makers synchronize end of support for RC4

Mozilla, Google and Microsoft have come to an agreement: support for the increasingly vulnerable RC4 cryptographic cypher in the companies’ browsers will end in early 2016.

“For Firefox, that means version 44, currently scheduled for release on Jan 26,” noted Mozilla’s Richard Barnes. “That is, as of Firefox 44, RC4 will be entirely disabled unless a user explicitly enables it through one of the preferences.”

Google plans the change to be made in Chrome around January or February 2016.

“Measurements show that only 0.13% of HTTPS connections made by Chrome users (who have opted into statistics collection) currently use RC4. Even then, affected server operators can very likely simply tweak their configuration to enable a better cipher suite in order to ensure continued operation,” Google’s Adam Langley pointed out.

“Current versions of Chrome don’t advertise support for RC4 on an HTTPS connection unless the first connection attempt fails, so servers that already support a non-RC4 cipher suite will not see any change.”

Microsoft has made the official announcement yesterday.

“Microsoft Edge and Internet Explorer 11 only utilize RC4 during a fallback from TLS 1.2 or 1.1 to TLS 1.0. A fallback to TLS 1.0 with RC4 is most often the result of an innocent error, but this is indistinguishable from a man-in-the-middle attack. For this reason, RC4 will be entirely disabled by default for all Microsoft Edge and Internet Explorer users on Windows 7, Windows 8.1 and Windows 10 starting in early 2016,” explained Alec Oot, a Program Manager with Microsoft.

The Redmond giant is thusly finishing what they started in 2013, when they announced their intention to deprecate the SHA-1 algorithm and made IE not offer RC4-based cipher suites during the initial TLS/SSL handshake as the first option.