RC4 is dead

The old stream cipher RC4 is as dead as SSL. Soon. :wink:

RC4 has been considered fundamentally flawed or broken for a long time.

The deprecation of RC4 in browsers began in November 2013, when Microsoft moved RC4 suites to fallback, by not including RC4 in the ClientHello in the initial handshake in IE11. This was later described in RFC 7465: “TLS clients MUST NOT include RC4 cipher suites in the ClientHello message.”

Mozilla followed suit in February 2015, when RC4 was moved to fallback in Firefox 36: “No longer accept insecure RC4 ciphers whenever possible”.

In April 2015 “Move RC4 behind a fallback” was merged in Chromium, reaching Chrome 43 stable in May and Opera 30 in June. Chromium developers added: “Note that this sort of fallback provides NO security benefit.”

The first real security benefit came when support for RC4 was removed in Chromium in late October 2015, in Chrome 48 stable in January 2016, and Opera 35 in early February. RC4 was also disabled in Opera 12.18.

Mozilla disabled RC4 in Firefox 44. See also Deprecating the RC4 Cipher.

The next step will be taken on Patch Tuesday in April, when Microsoft releases updates that disable RC4 in Edge, and in IE11 on Windows 7, 8.1 and 10.

As Dragon and Chromodo are now based on Chromium 48, and IceDragon is based on Firefox 44, RC4 is disabled in them as well.

Test support for RC4: https://rc4.badssl.com/

Apple? Don’t know. All I know is that Safari 9 supports RC4 and includes it in the ClientHello.

It was planned to happen today, but Microsoft decided to let RC4 live a little longer in IE11 and Edge.

[Updated] We initially announced plans to release this change in April 2016. Based on customer feedback, we now plan to delay disabling the RC4 cipher. We encourage customers to complete upgrades away from RC4 soon, as a forthcoming update will disable RC4 by default and RC4 will no longer be used for TLS fallback negotiations.

54 out of the 141 160 most visited sites that offer a secure connection require RC4: https://www.trustworthyinternet.org/ssl-pulse/

Chromium bids RC4 farewell: Remove the last vestiges of RC4.

Finally: RC4 is now deprecated in Microsoft Edge and Internet Explorer 11

RC4 is now disabled in IE11 (11.0.36) on Windows 7 with KB3191492.

RC4 was removed in macOS Sierra 10.12.1.

Safari 10 / OS X 10.12 user agent capabilities.
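The RFC 7465 rule quoted at the top of this thread (“TLS clients MUST NOT include RC4 cipher suites in the ClientHello”) can be checked directly on the wire. The following is an added example, not code from the thread or from any browser vendor: it parses the cipher_suites field of a captured TLS ClientHello record and reports any RC4 suites, which is how you would verify from a packet capture that a client really has dropped RC4 rather than merely moved it to a fallback. The `build_client_hello` helper constructs a minimal ClientHello so the check can run offline; the code points are from the IANA TLS Cipher Suite registry, and the list covers the common RC4 suites rather than every registered one.

```python
import struct

# RC4 cipher suite code points (IANA TLS Cipher Suite registry). RFC 7465
# forbids all RC4 suites; this is the common subset, not the complete registry.
RC4_SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x0018: "TLS_DH_anon_WITH_RC4_128_MD5",
    0xC002: "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
    0xC007: "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
    0xC00C: "TLS_ECDH_RSA_WITH_RC4_128_SHA",
    0xC011: "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    0xC016: "TLS_ECDH_anon_WITH_RC4_128_SHA",
}

def client_hello_cipher_suites(record: bytes) -> list:
    """Return the cipher suite code points offered in a TLS ClientHello record."""
    # TLS record header: content_type(1) version(2) length(2); 0x16 = handshake
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    # Handshake header: msg_type(1) length(3); ClientHello is msg_type 1
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 2 + 32                                   # client_version + random
    sid_len = hello[pos]; pos += 1 + sid_len       # session_id<0..32>
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
    suites = hello[pos:pos + cs_len]
    if len(suites) != cs_len or cs_len % 2:
        raise ValueError("truncated cipher_suites field")
    return [struct.unpack("!H", suites[i:i + 2])[0] for i in range(0, cs_len, 2)]

def rc4_suites_offered(record: bytes) -> list:
    """Names of the RC4 suites a ClientHello offers; empty means RFC 7465 compliant."""
    return [RC4_SUITES[s] for s in client_hello_cipher_suites(record) if s in RC4_SUITES]

def build_client_hello(suites) -> bytes:
    """Constructed minimal ClientHello (TLS 1.2, empty session id, null compression, no extensions)."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    hello = b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", len(cs)) + cs + b"\x01\x00"
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    # A legacy client still offering RC4 next to AES-GCM, versus a clean one.
    legacy = build_client_hello([0xC02F, 0x0005, 0x0004])
    print(rc4_suites_offered(legacy))  # ['TLS_RSA_WITH_RC4_128_SHA', 'TLS_RSA_WITH_RC4_128_MD5']
    print(rc4_suites_offered(build_client_hello([0xC02F, 0xC030])))  # []
```

To apply it to a real capture, feed it the first handshake record of a client connection (Wireshark's "Export Packet Bytes" on the ClientHello record works); an empty result on the initial ClientHello is the behaviour RFC 7465 requires.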