Mozilla, Google and Microsoft to remove RC4 support in early 2016

Mozilla, Google and Microsoft have agreed to remove support for the RC4 cipher in Firefox, Chrome, Internet Explorer and Microsoft Edge in early 2016.

Multiple vulnerabilities have been discovered in RC4 in recent time which led to recommendations to avoid use of the cipher at all costs by companies such as Mozilla or Microsoft.

All three companies plan to remove RC4 support from their web browsers in early 2016 and have made an announcement in that regard publicly.

Microsoft announced the upcoming change on the official Microsoft Edge development blog. The company plans to make the change in Microsoft Edge and Internet Explorer 11 but mentioned in the blog post that it will disable RC4 by default for users on Windows 7, Windows 8.1 and Windows 10.

Starting in early 2016, the RC4 cipher will be disabled by-default and will not be used during TLS fallback negotiations.

Google announced the change on the official Chromium forum. The company aims to remove RC4 support in late January or early February 2016.

When Chrome makes an HTTPS connection it has an implicit duty to do what it can to ensure that the connection is secure. At this point, the use of RC4 in an HTTPS connection is falling below that bar and thus we plan to disable support for RC4 in a future Chrome release. That release is likely to reach the stable channel around January or February 2016. At that time, HTTPS servers that only support RC4 will stop working.

According to Google, 0.13% of HTTPS connections that Chrome users make use RC4 and will be affected by the change unless server operators make changes to the configuration to support other ciphers.

Mozilla provided detailed information about the current stage of RC4 in Firefox and plans to remove support for it completely.

The organization has disabled RC4 partially in Firefox already. While still allowed in Beta and Release versions, Developer and Nighly versions only support a static whitelist of hosts that require it.

The current proposal posted on Mozilla's Dev Platform group aims to disable RC4 completely in Firefox 44 which will be released to the stable channel on January 26.

Plans are underway to disable the whitelist that Firefox Nightly and Aurora versions make use of as soon as possible.

Unrestricted fallback in Beta and Release versions of Firefox will be replaced by that whitelist when these channels reach version 43. Starting with version 44, RC will be disabled for good in all releases.

Mozilla Firefox users may override this by changing the following preferences:

• security.tls.unrestricted_rc4_fallback - allows unrestricted fallback to RC4
• security.tls.insecure_fallback_hosts.use_static_list - only allow RC4 for hosts on the static whitelist
• security.tls.insecure_fallback_hosts - a list of hosts for which fallback is allowed

Now You: Are you impacted by the change?