Last year, Microsoft announced that it would end support for the RC4 stream cipher in 2016 in its Edge browser, as well as in Internet Explorer 11. Earlier this year, the company reiterated that it would soon disable the cipher because it is cryptographically insecure. With the release of cumulative update KB3151631 today, Microsoft has finally deprecated RC4 on Edge (Windows 10) and Internet Explorer 11 (Windows 7 or newer).
For those unaware, RC4 is a decades-old stream cipher that was conceived in 1987, and has since been widely used in web browsers such as Google Chrome and Mozilla Firefox. However, in the modern world, it has proven to be an insecure form of cryptography; in fact, it can be broken within hours or days. As a result, the Internet Engineering Task Force prohibited the use of RC4 with TLS in February 2015.
By disabling the RC4 cipher, Microsoft Edge and IE11 will be aligned with Google Chrome, Mozilla Firefox, and Opera, which all had RC4 disabled in past updates. Prior to today, Edge and Internet Explorer 11 only used RC4 during a fallback from TLS 1.2 or 1.1 to TLS 1.0. According to Microsoft, a fallback to TLS 1.0 with RC4 is usually an innocent error, but is indistinguishable from a man-in-the-middle attack and therefore should be disabled entirely.
Hence, RC4 has now been disabled across Microsoft Edge and IE11 on Windows 7, 8, 8.1 and 10. However, the company states that most users might not even notice the change, since very few web services use this insecure stream cipher.
That said, Microsoft has cautioned users that if their web services rely on RC4, they should enable TLS 1.2 and remove support for RC4. For further details and guidelines, you can view the company's security advisory.