Microsoft dropping RC4 cipher support in Edge and IE11 in April

In a move meant to help protect the interests of Windows users, Microsoft has announced that Edge and Internet Explorer 11 will no longer support the RC 4 streaming cipher going forward. Heres a description of RC4 from Microsoft’s relevant security advisory:

Developed in 1987 by Ron Rivest, RC4 was one of the earliest stream ciphers to see broad use. It was initially used in commercial applications and was faster than alternatives when implemented in software and over time became pervasive because of how cheap, fast and easy it was to implement and use.

The decision to cut off support for the stream cipher is a result of most industry professionals coming to the conclusion that RC4 is no longer cryptographically secure.

Currently, RC4 is only used in the event of a fallback from TLS 1.2/1.1 to TLS 1.0. While this event is usually harmless, it is “indistinguishable from a man-in-the-middle attack.” Because of this, Microsoft will be entirely disabling RC4 in Microsoft Edge and Internet Explorer 11 starting on April 12. Microsoft expects that this change will go mostly unnoticed for the vast majority of Windows users due to RC4’s already small group of users.

RC4 Internet usage.

RC4 Internet usage.

The blog post on the subject reminds people that if their web service currently relies on RC4 to function, it needs to be upgraded to TLS 1.2. As Microsoft indicated in their security advisory:

Microsoft strongly encourages customers to evaluate, test and implement the options for disabling RC4 below to increase the security of clients, servers and applications. Microsoft recommends enabling TLS1.2 and AES-GCM. Clients and servers running on Windows with custom SSL/TLS implementations, such as, Mozilla Firefox and Google Chrome will not be affected by changes to SChannel.

We’re glad to see Microsoft continuing to address security in Windows 10 and Edge. We’ll keep you updated as the company continues to make sure your computing environment is safe and sound.

Share This
Further reading: , , , , ,

Is this going to affect anybody you at all?