So long, RC4, and thanks for all the fish

— 5:02 PM on September 4, 2015

It's official. Support for RC4, a stream cipher used by browsers for securing connections (among other things), will be dropped sometime in early 2016 by Google, Mozilla, and Microsoft. The cipher is vulnerable to several concerning attacks, and its design dates from 1987.

RC4's deprecation isn't entirely unexpected. The Internet Engineering Task Force had already published an RFC document in February of this year prohibiting the use of the cipher suite in TLS connections, so the writing was on the wall, but the cipher now has a date with the executioner.

All of today's major browsers only use RC4 as a fallback cipher if a better encryption method can't be negotiated with the server, and the move to deprecate it should have next to no drawbacks. According to Google, only 0.13% of HTTPS connections in Chrome are made using the outdated cipher, a number that's only shrinking as sysadmins around the world disable it on their servers. Mozilla reports an even smaller number for Firefox—only 0.08% of that browser's HTTPS connections use RC4.

Like what we're doing? Pay what you want to support TR and get nifty extra features.
Top contributors
1. BIF - $340 2. Ryu Connor - $250 3. mbutrovich - $250
4. YetAnotherGeek2 - $200 5. End User - $150 6. Captain Ned - $100
7. Anonymous Gerbil - $100 8. Bill Door - $100 9. ericfulmer - $100
10. dkanter - $100
Tip: You can use the A/Z keys to walk threads.
View options

This discussion is now closed.