Microsoft announced that the RC4 stream cipher has been disabled. The company announced last year that it would end support for RC4 in Edge (Windows 10) and Internet Explorer 11 (Windows 7 and later). That commitment was reiterated earlier this year because the cipher is cryptographically insecure. With yesterday’s release of cumulative update KB3151631, Microsoft finally shuttered the stream.
It is hardly a surprise that Microsoft would want to close the stream. RC4 is a stream cipher that was originally designed in 1987. Since then it became a standard cipher in web browsers: as well as Edge and Internet Explorer, it has been used in Mozilla Firefox and Google Chrome. It is noted for its simplicity and speed.
However, age has caught up with the cipher, and many vulnerabilities have been found in it in recent years. Breaking it is hardly a tough task these days, so the Internet Engineering Task Force prohibited the use of RC4 with TLS in February 2015.
Microsoft is late to the party in terms of disabling the RC4 cipher. Mozilla and Google have already pulled the plug, and so has Opera. Microsoft has been using the cipher as a fallback from TLS 1.2 or 1.1 to TLS 1.0. Microsoft explains what this means in its official blog post:
“A fallback to TLS 1.0 with RC4 is most often the result of an innocent error, but this is indistinguishable from a man-in-the-middle attack. For this reason, the cipher is now entirely disabled by default for Microsoft Edge and Internet Explorer users on Windows 7, Windows 8.1 and Windows 10.”
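The downgrade pattern the blog post describes (a TLS 1.2 client answered with TLS 1.0 and an RC4 suite) can be spotted in a captured ServerHello. The following is an added illustration, not code from Microsoft or the article: it parses a minimal ServerHello record and flags both signals. The RC4 suite list is a subset of the IANA registry, the `offered_version` parameter is an assumption about what the client sent, and the sample records are constructed test data.

```python
import struct

# Well-known IANA cipher-suite values that use RC4 (RFC 5246, RFC 4492, RFC 4279 registries).
RC4_SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x0018: "TLS_DH_anon_WITH_RC4_128_MD5",
    0x008A: "TLS_PSK_WITH_RC4_128_SHA",
    0xC007: "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
    0xC011: "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
}
VERSION_NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}


def parse_server_hello(record: bytes) -> tuple:
    """Return (server_version, cipher_suite) from a TLS record carrying a ServerHello."""
    ctype, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    if ctype != 0x16 or not body or body[0] != 0x02:
        raise ValueError("not a Handshake record containing a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    version = struct.unpack("!H", hs[:2])[0]
    sid_len = hs[34]                      # after 2-byte version + 32-byte random
    offset = 35 + sid_len                 # cipher_suite follows session_id
    suite = struct.unpack("!H", hs[offset:offset + 2])[0]
    return version, suite


def assess(record: bytes, offered_version: int = 0x0303) -> dict:
    """Flag the two signs of the downgrade path described in the quote above."""
    version, suite = parse_server_hello(record)
    return {
        "version": VERSION_NAMES.get(version, hex(version)),
        "suite": RC4_SUITES.get(suite, hex(suite)),
        "rc4": suite in RC4_SUITES,
        "downgraded": version < offered_version,
    }


def build_server_hello(version: int, suite: int) -> bytes:
    """Constructed test data: a minimal ServerHello with an empty session_id, not a real capture."""
    hs = struct.pack("!H", version) + b"\x42" * 32 + b"\x00" + struct.pack("!H", suite) + b"\x00"
    body = b"\x02" + len(hs).to_bytes(3, "big") + hs
    return struct.pack("!BHH", 0x16, version, len(body)) + body


if __name__ == "__main__":
    # A client that offered TLS 1.2 was answered with TLS 1.0 and RC4: the pattern now refused.
    print(assess(build_server_hello(0x0301, 0x0005)))
    # A healthy answer: TLS 1.2 with an AES-GCM suite (0xC02F).
    print(assess(build_server_hello(0x0303, 0xC02F)))
```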
RC4 will now be disabled across the two browsers running on Windows 10 and Windows 7 through 8.1. The cipher is rarely used these days, so Microsoft points out that most users will not even know the difference.