Microsoft Ending RC4 Support in Edge and IE Next Month
Microsoft will pull the plug on support for the RC4 cipher used with its Edge and Internet Explorer 11 browsers, starting next month.
On April 12, RC4 will be disabled in Edge and IE browsers. Security updates, delivered as part of Microsoft's April "patch Tuesday" release, will cause this security cipher to be "disabled by default," according to Microsoft's announcement this week.
"There is consensus across the industry that RC4 is no longer cryptographically secure," Microsoft's announcement explained. "With this change, Microsoft Edge and IE11 are aligned with the most recent versions of Google Chrome and Mozilla Firefox."
Microsoft targeted RC4 in September, following the lead of other browser makers, such as Google and Mozilla. However, back then, Microsoft had just indicated that it would end RC4 support in its browsers in "early 2016."
Currently, RC4 is used by just 8.5 percent of modern browsers, per the Trustworthy Internet Movement, an organization founded by software security firm Qualys. Here are the March RC4 findings from its SSL Pulse page:
Microsoft's general advice for organizations is that they should "enable TLS 1.2 in their services and remove support for RC4."
RC4 is a stream cipher that's been a long-time Internet staple for encrypting both upstream and downstream client-server communications. It's part of the Transport Layer Security (TLS) protocol, which started out as the Secure Socket Layers (SSL) protocol.
Researchers have long known that RC4 is flawed. It has a so-called "invariance weakness" that can partially expose plaintext bytes, which can be used in man-in-the-middle attacks for session hijacking by recovering session cookies or by breaking passwords. Typically, it takes brute-force attempts to carry out such attacks, according to an explanation by Imperva (PDF).
The vulnerability of browsers to RC4 flaws has varied, depending on browser version. A chart published by Wikipedia shows browser RC4 vulnerabilities in a color-coded scheme. Microsoft's more recent browsers, such as IE 11, are listed in the chart as having low vulnerability. However, IE 11 can be an attack vector if it gets tricked into using older security protocols. That's one reason why RC4 has to go.
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.