After years of security experts demanding the RC4 stream cipher be deprecated, Google, Mozilla, and Microsoft announced Tuesday they will officially remove the encryption algorithm from their respective Web browsers by early 2016.
Introduced in 1987, RC4 is a stream cipher widely used in various communications protocols to protect packets from eavesdroppers. Web applications and VPNs have used RC4 to protect sensitive network traffic, for example. However, researchers have uncovered multiple vulnerabilities over the years illustrating how attackers can decrypt messages secured with RC4 within days. Experts recommend switching to stronger cryptographic alternatives instead.
Mozilla will lead the way with Firefox 44, scheduled for release on Jan. 26, 2016. RC4-free versions of Chrome, Internet Explorer 11, and Microsoft Edge will be available by the end of February 2016. Apple did not respond to queries regarding its plans for Safari, nor did Opera Software.
At the moment, TLS will try to negotiate a handshake using a strong cipher, but if the client trying to connect is using a weaker protocol, TLS will fall back to less robust alternatives. For example, Microsoft Edge and Internet Explorer 11 use RC4 only when falling back from TLS 1.2/1.1 to TLS 1.0. With the change, if the servers try to use RC4, the browsers will fail the connection and users won’t be able to connect to the server or Web application.
“This move is basically [the browsers] saying, ‘Instead of backing off to a sketchy cipher solution, we'll fail closed,’” said Scott Petry, co-founder and CEO of Authentic8.
The announcement is long overdue and one the information security community knew was coming. Microsoft has been telling developers to drop RC4 from their applications since 2013. “In light of recent research into practical attacks on biases in the RC4 stream cipher, Microsoft is recommending that customers enable TLS 1.2 in their services and take steps to retire and deprecate RC4 as used in their TLS implementations,” wrote Microsoft’s William Peteroy in a blog post at the time. (Peteroy is now at security startup Icebrg.io.)
The official recommendation was to use TLS 1.2 with AES-GCM. Cisco made similar recommendations to its customers. In February, the Internet Engineering Task Force said TLS clients and servers should never negotiate the use of RC4 when establishing connections.
From a practical standpoint, the changes to the browsers won’t have a visible impact, as the number of users using RC4 is very, very low. Google’s Adam Langley noted that only 0.13 percent of HTTPS connections made by Chrome users (who have opted into statistics collection) currently go through RC4. About 0.08 percent of Firefox users still work with RC4, said Mozilla security engineer Richard Barnes.
In fact, 42 percent of servers worldwide currently do not support RC4, according to current data from SSL Pulse. The remaining servers support an RC4-enabled connection, but that doesn’t necessarily mean the servers are creating RC4 sessions, said Kevin Bocek, vice president of security strategy at Venafi. CloudFlare deprioritized RC4 from all its servers back in 2014 and found that only 0.0009 percent of traffic actually attempted to connect to its servers using the weaker cipher.
“For most users this is already a nonissue,” Bocek said. There have been ways to disable RC4 in Internet Explorer and on the server side since at least 2013. The announcement illustrates exactly how long it takes to properly deprecate cryptographic algorithms. It has been “a long farewell to RC4,” he said.
Over the past decade, researchers have demonstrated how attackers can break RC4 and decrypt protected messages, given enough time and processing power. Documents stolen by Edward Snowden revealed intelligence agencies in the United States and United Kingdom were capable of breaking RC4 encryption. Last month, two Belgian security researchers at the Usenix Security Symposium described how an attacker could capture a victim’s cookie and decrypt it within 75 hours, making attacks against RC4 more practical and attainable.
Back in March, researchers from Johns Hopkins University and the University of London illustrated how attackers could target RC4 to harvest user passwords. The continued use of RC4 in TLS is "increasingly indefensible," and attacks against the scheme are getting better and easier, wrote Christina Garman, a doctoral student at Johns Hopkins University; Kenny Paterson, a professor with the Information Security Group at Royal Holloway, University of London; and Thyla van der Merwe, a research student at Royal Holloway, University of London.
RC4 “needs to die,” wrote Garman, Paterson, and van der Merwe in the paper's abstract.
Die it shall, when major browsers stop supporting RC4 early next year. If developers are still using RC4, it's past time they stopped, and administrators need to get cracking on properly securing their servers.