How to block the insecure RC4 cipher in Firefox and Chrome

Whenever you connect to a secure website using Firefox or any other modern browser, negotiations happen in the background that determine what is being used to encrypt the connection.

RC4 is a stream cipher that is currently supported by most browsers even though it may only be used as a fallback (if other negotiations fail) or for whitelisted sites.

Exploits have come to light in recent time that take advantage of weaknesses in RC4 which allow attackers to run attacks in a reasonable time frame, for instance to decrypt web cookies which often contain authentication information.

Mozilla wanted to remove RC4 from Firefox completely initially in version 38 or 39 of the browser but decided against it based on telemetry data. As it stands right now, RC4 won't be disabled in Firefox 39 or 40.

Tip: you can check if your web browser is vulnerable by visiting this RC4 website. If you see red notifications on the page after the text has been conducted it means that it is vulnerable to attacks.

It needs to be noted that other browsers, Google Chrome for instance, are vulnerable as well. Google is apparently also working on dropping RC4 support completely in Chrome

Disabling RC4 in Firefox

Firefox users can turn off RC4 in the web browser completely. It needs to be noted that some secure sites may fail to work after doing so.

1. Type about:config in the browser's address bar and hit enter.
2. Confirm you will be careful if you receive a prompt.
3. Search for RC4 and double-click on the following preferences to set them to false.
4. security.ssl3.ecdhe_ecdsa_rc4_128_sha
5. security.ssl3.ecdhe_rsa_rc4_128_sha
6. security.ssl3.rsa_rc4_128_md5
7. security.ssl3.rsa_rc4_128_sha

Once you have made the changes reload the test page linked above. You should get connection failure messages instead of warnings when you do that.

If you run into issues connecting to secure sites after making the changes you may need to restore support for RC4. To do that repeat the steps above and make sure the values of the preferences are set to true afterwards.

Disabling RC4 in Chrome

The process is complicated in Chrome as you cannot simply switch a couple of preferences in the web browser to disable RC4 in it.

The only valid option is to run Chrome with command line parameters that block RC4. Here is how this is done (instructions for Windows).

1. Right-click on the Chrome shortcut in the taskbar of the operating system, and right-click again on Chrome, and select properties from the context menu that opens up.
2. This should open the properties of the executable file.
3. Add --cipher-suite-blacklist=0x0004,0x0005,0xc011,0xc007 as a parameter to the end of the Target line. Make sure there is a space in front of the parameter.
4. The target line looks like this on my computer after adding the parameter: C:\Users\Martin\AppData\Local\Chromium\Application\chrome.exe --cipher-suite-blacklist=0x0004,0x0005,0xc011,0xc007
5. Note: yours will vary based on your username and the version of Chrome you have installed.

The command adds RC4 to the cipher blacklist so that it won't be used by the browser. If you rerun the test, you will notice that it will fail (which is good).