Microsoft today announced that its browsers will stop supporting the RC4 cipher over HTTPS connections next month. The change to Microsoft Edge and Internet Explorer 11 will ship as part of a cumulative security update on the next Patch Tuesday (the second Tuesday of every month): April 12, 2016.
RC4 is a stream cipher designed in 1987 that, until recently, was supported by nearly every browser and TLS server. A series of statistical biases in its keystream, uncovered over the years, lets an attacker who can observe many encryptions of the same plaintext (a session cookie resent on every request, for example) recover that plaintext within days, or even hours.
In February 2015, new attacks prompted the Internet Engineering Task Force (IETF) to prohibit the use of RC4 with TLS in RFC 7465. Google, Microsoft, and Mozilla all promised to drop RC4 support in their browsers in 2016. Google and Mozilla both delivered on that promise in January with the launch of Chrome 48 and Firefox 44, respectively.
Currently, Edge and IE11 only use RC4 during a fallback from TLS 1.2 or TLS 1.1 to TLS 1.0. A fallback to TLS 1.0 with RC4 is most often the result of an innocent error, but an attacker sitting between the browser and the server can trigger the same fallback on purpose by dropping the TLS 1.2 and 1.1 handshake attempts, so from the browser's point of view a benign fallback looks exactly like a downgrade attack. As Microsoft notes, “this is indistinguishable from a man-in-the-middle attack.”
As such, RC4 will be disabled by default for Edge and IE11 users on Windows 7, Windows 8.1, and Windows 10. At that point, the latest versions of all four major browsers (Chrome, Firefox, Edge, and IE11) will refuse to negotiate RC4.
Like Google and Mozilla, Microsoft expects that most users won’t notice anything different. The percentage of web services that support only RC4 is small and shrinking, especially now that these three tech companies have essentially kicked it to the curb. If your web server still offers RC4 cipher suites, remove them from its configuration now: after the update, a server that offers nothing else will be unreachable from every one of these browsers.
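The quickest way to find out whether a server still accepts RC4 is to offer it nothing else and see whether it agrees. The following probe is an added example written for this article, not a Microsoft tool or anything from the original post: it builds a TLS 1.2 ClientHello (with SNI) listing only the four common RC4 cipher suites from the IANA registry, sends it, and classifies the first record that comes back. A ServerHello picking an RC4 suite means the server still accepts it; a `handshake_failure` alert, or a connection dropped without an alert, means it refuses. The `fake_server_hello` helper is a constructed sample so the classifier can be exercised offline; the file name `rc4probe.py` is hypothetical.

```python
"""Probe a TLS server for RC4 support by offering it nothing but RC4 suites.

Hypothetical helper written for this article, not a Microsoft tool. It speaks
just enough TLS to send a ClientHello and read the first record that comes back.
"""
import os
import socket
import struct

# IANA TLS cipher suite identifiers for the RC4 suites servers commonly offered.
RC4_SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0xC007: "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
    0xC011: "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
}
HANDSHAKE, ALERT = 0x16, 0x15            # TLS record content types
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02  # handshake message types
ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version", 86: "inappropriate_fallback"}


def build_client_hello(hostname, suites=tuple(RC4_SUITES), client_random=None):
    """Return one TLS record carrying a ClientHello that offers only `suites`.

    The hello advertises TLS 1.2 (0x0303) and carries an SNI extension so a
    name-based virtual host answers with the right certificate and config.
    """
    client_random = client_random or os.urandom(32)
    cipher_bytes = b"".join(struct.pack("!H", s) for s in suites)
    name = hostname.encode("idna")
    sni_entry = struct.pack("!BH", 0, len(name)) + name                # name_type host_name(0)
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    extensions = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # server_name extension
    body = (
        b"\x03\x03" + client_random
        + b"\x00"                                                      # empty session id
        + struct.pack("!H", len(cipher_bytes)) + cipher_bytes
        + b"\x01\x00"                                                  # null compression only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    # Record-layer version 0x0301 (TLS 1.0) is what clients send for compatibility.
    return struct.pack("!BHH", HANDSHAKE, 0x0301, len(handshake)) + handshake


def classify_response(record):
    """Interpret the first record a server sends back after an RC4-only hello.

    Returns {'rc4': bool, 'suite': str|None, 'alert': str|None}. A ServerHello
    that picks an RC4 suite means the server still accepts RC4; an alert (or a
    plain hang-up, handled by the caller) means it refused.
    """
    if len(record) < 5:
        raise ValueError("truncated TLS record header")
    ctype, _version, length = struct.unpack("!BHH", record[:5])
    payload = record[5:5 + length]
    if ctype == ALERT and len(payload) >= 2:
        desc = payload[1]
        return {"rc4": False, "suite": None, "alert": ALERT_NAMES.get(desc, f"alert_{desc}")}
    if ctype == HANDSHAKE and len(payload) >= 39 and payload[0] == SERVER_HELLO:
        # ServerHello layout: type(1) length(3) version(2) random(32) sid_len(1) sid cipher_suite(2)
        sid_len = payload[38]
        end = 41 + sid_len
        if len(payload) < end:
            raise ValueError("truncated ServerHello")
        suite = struct.unpack("!H", payload[end - 2:end])[0]
        return {"rc4": suite in RC4_SUITES,
                "suite": RC4_SUITES.get(suite, f"0x{suite:04x}"), "alert": None}
    return {"rc4": False, "suite": None, "alert": None}


def fake_server_hello(suite, version=0x0303):
    """Constructed sample: a minimal ServerHello record selecting `suite`.

    Exists only so the classifier can be exercised offline; not a real capture.
    """
    body = struct.pack("!H", version) + b"\x00" * 32 + b"\x00" + struct.pack("!H", suite) + b"\x00"
    handshake = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, version, len(handshake)) + handshake


def _recv_exact(sock, n):
    chunks, got = [], 0
    while got < n:
        chunk = sock.recv(n - got)
        if not chunk:
            raise ConnectionError("server closed the connection mid-record")
        chunks.append(chunk)
        got += len(chunk)
    return b"".join(chunks)


def probe(host, port=443, timeout=5.0):
    """Connect to host:port, offer only RC4, and report what the server did."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_client_hello(host))
            header = _recv_exact(sock, 5)
            body = _recv_exact(sock, struct.unpack("!H", header[3:5])[0])
    except ConnectionError:
        # Some servers drop RC4-only clients without sending an alert at all.
        return {"rc4": False, "suite": None, "alert": "connection_closed"}
    return classify_response(header + body)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        result = probe(sys.argv[1])
    else:  # no host given: run the classifier over the constructed sample
        result = classify_response(fake_server_hello(0x0005))
    print("STILL ACCEPTS RC4" if result["rc4"] else "refuses RC4", result)
```

Run it as `python rc4probe.py www.example.com` against a host you are allowed to test. The `openssl s_client -cipher RC4 -connect host:443` one-liner does the same job, but many current OpenSSL builds no longer compile RC4 in at all, which is exactly when a raw probe like this is useful. A server that answers with an RC4 ServerHello needs its cipher list trimmed before April 12.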
It’s unfortunate that it took Microsoft three more months to remove RC4 compared to Google and Mozilla, but better late than never. And it is definitely faster than the company used to move in the browser space.