Chrome, Edge, IE, and Firefox to Kill Outdated RC4 Encryption Starting 2016
Google, Microsoft and Mozilla have all announced to drop support for the RC4 encryption in their respective web browsers at the beginning of 2016.
Outdated security technology RC4 is finally dying:
Chrome, Edge, Internet Explorer, and Firefox will stop supporting RC4 encryption as all three companies announced on Tuesday. RC4 is a stream cipher designed in 1987 and has been widely supported by web browsers and online services and applications. The musty security technology has been used for the purposes of encryption, but remains highly plagued with multiple vulnerabilities as discovered in the last few years. This cryptographic algorithm facilitates malicious actors to crack services within days or even hours, in some cases as demonstrated by researchers multiple times.
Earlier this year, a new vulnerability was discovered against RC4-based SSL/TLS communications further confirming that the RC4 attacks are becoming easier for attackers. In February, the Internet Engineering Task Force (IETF) announced that the TLS clients should never use RC4 when establishing connections. Browsers had then adjusted to ensure to only use the cipher when absolutely necessary. However, now the trio of companies owning the popular web browsers has announced to completely disable support for RC4 encryption in the future versions of their web browsers.
When is the RC4 encryption support ending exactly?
Microsoft will disable RC4 support by default in Internet Explorer and the new Edge browser starting early 2016. The company has already started advising owners of web services still reliant on the encryption technology to take steps to prevent any future issues.
While there are no reports providing specific dates, Google plans to disable support for RC4 in its future releases of Chrome, possibly in early 2016. Google’s Adam Langley explained, “Measurements show that only 0.13% of HTTPS connections made by Chrome users (who have opted into statistics collection) currently use RC4. Even then, affected server operators can very likely simply tweak their configuration to enable a better cipher suite in order to ensure continued operation.” He further added that the release killing RC4 will likely “reach the stable channel around January or February 2016. At that time, HTTPS servers that only support RC4 will stop working.”
Mozilla, however, is the only one having exact plans of dropping support as it intends to kill RC4 in Firefox 44. Firefox 44 is planned to be released in January 2016. About 0.08 percent of Firefox users use RC4, according to Mozilla.
While there may not be exact dates for some browsers, HTTPS servers still supporting this cipher will stop working across these four popular web browsers starting early 2016.