In a move meant to help protect the interests of Windows users, Microsoft has announced that Edge and Internet Explorer 11 will no longer support the RC4 stream cipher going forward. Here's a description of RC4 from Microsoft’s relevant security advisory:
Developed in 1987 by Ron Rivest, RC4 was one of the earliest stream ciphers to see broad use. It was initially used in commercial applications and was faster than alternatives when implemented in software and over time became pervasive because of how cheap, fast and easy it was to implement and use.
The decision to cut off support for the stream cipher is a result of most industry professionals coming to the conclusion that RC4 is no longer cryptographically secure.
Currently, RC4 is only used in the event of a fallback from TLS 1.2/1.1 to TLS 1.0. While this event is usually harmless, it is “indistinguishable from a man-in-the-middle attack.” Because of this, Microsoft will be entirely disabling RC4 in Microsoft Edge and Internet Explorer 11 starting on April 12. Microsoft expects that this change will go mostly unnoticed for the vast majority of Windows users due to RC4’s already small group of users.
Microsoft strongly encourages customers to evaluate, test and implement the options for disabling RC4 below to increase the security of clients, servers and applications. Microsoft recommends enabling TLS 1.2 and AES-GCM. Clients and servers running on Windows with custom SSL/TLS implementations, such as Mozilla Firefox and Google Chrome, will not be affected by changes to SChannel.
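Software that ships its own TLS stack is not covered by the SChannel change, so it has to apply the TLS 1.2 and AES-GCM recommendation itself. The following Python code is an added example, not taken from the article or from Microsoft's advisory: it configures an OpenSSL-backed client that way and audits logged sessions for RC4 or a pre-TLS 1.2 protocol. The function names and the sample sessions are assumptions constructed for illustration.

```python
import ssl

LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}  # strings as reported by SSLSocket.version()

def hardened_client_context() -> ssl.SSLContext:
    """Client context that refuses to go below TLS 1.2 and offers only AES-GCM for TLS 1.2."""
    ctx = ssl.create_default_context()            # certificate and hostname checks stay on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # no fallback to TLS 1.0/1.1
    # OpenSSL cipher string: ECDHE key exchange with AES-GCM only.
    # TLS 1.3 suites are managed separately by OpenSSL and never include RC4.
    ctx.set_ciphers("ECDHE+AESGCM")
    return ctx

def rc4_suites(ctx: ssl.SSLContext) -> list:
    """Names of any RC4 suites the context would still offer."""
    return [c["name"] for c in ctx.get_ciphers() if "RC4" in c["name"].upper()]

def non_gcm_tls12_suites(ctx: ssl.SSLContext) -> list:
    """Suites offered for TLS 1.2 and below that are not AES-GCM."""
    return [c["name"] for c in ctx.get_ciphers()
            if c["protocol"] != "TLSv1.3" and "GCM" not in c["name"]]

def audit_session(version: str, suite: str) -> list:
    """Findings for one negotiated session (protocol version, OpenSSL suite name)."""
    findings = []
    if "RC4" in suite.upper():
        findings.append("rc4")
    if version in LEGACY_PROTOCOLS:
        findings.append("legacy-protocol")
    return findings

# Constructed sample of (version, cipher suite) pairs, as a proxy or server log might record them.
SAMPLE_SESSIONS = [
    ("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256"),
    ("TLSv1", "RC4-SHA"),
    ("TLSv1.2", "ECDHE-RSA-RC4-SHA"),
    ("TLSv1.1", "AES128-SHA"),
]

def flagged_sessions(sessions) -> dict:
    """Map each problematic session to its findings; clean sessions are omitted."""
    return {s: audit_session(*s) for s in sessions if audit_session(*s)}

if __name__ == "__main__":
    ctx = hardened_client_context()
    print("RC4 suites offered:", rc4_suites(ctx))
    for session, findings in flagged_sessions(SAMPLE_SESSIONS).items():
        print(session, "->", ", ".join(findings))
```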
We’re glad to see Microsoft continuing to address security in Windows 10 and Edge. We’ll keep you updated as the company continues to make sure your computing environment is safe and sound.