Google, Microsoft, and Mozilla all made the same announcement today: They will drop support for the RC4 cipher in their respective browsers. Chrome, Edge, Internet Explorer, and Firefox will all stop using the outdated security technology next year.
RC4 is a stream cipher designed in 1987 that has been widely supported across browsers and online services for encryption. Multiple vulnerabilities have been discovered in RC4 over the years, making the cipher possible to crack within days or even hours.
In February, new attacks prompted the Internet Engineering Task Force (IETF) to prohibit the use of RC4 with TLS. Browser makers have made adjustments to ensure they only use RC4 when absolutely necessary, but now they want to take it a step further.
Google plans to disable support for RC4 in a future Chrome release. While the company didn’t provide a specific date, it expects the Chrome version that doesn’t include RC4 to reach the stable channel “around January or February 2016.” Google also shared that only 0.13 percent of HTTPS connections made by Chrome users who have opted into statistics collection currently use RC4.
Microsoft plans to disable RC4 by default for all Microsoft Edge and Internet Explorer users on Windows 7, Windows 8.1, and Windows 10 “starting in early 2016.” The RC4 cipher will thus not be used during TLS fallback negotiations. Microsoft also shared that the percentage of insecure web services that support only RC4 “is known to be small and shrinking.”
Mozilla plans to turn off RC4 entirely in Firefox 44, which is currently scheduled for release on January 26, 2016. Mozilla is the only company of the trio to provide an exact date for entirely disabling RC4 by default. Mozilla also shared that about 0.08 percent of Firefox users in the release channel still use RC4.
All in all, HTTPS servers that only support RC4 will stop working across major browsers in early 2016. If you’re still supporting RC4, it’s time to move on.