In September of last year, Microsoft announced that RC4 would no longer be supported by the Edge browser or IE11 by early 2016. Now, the tech giant has announced an update which will disable RC4 in the browsers. This change will be made with April's cumulative security updates on April 12th, 2016. The main impact of this update is that RC4 will no longer be used as a fallback during TLS negotiation.
By disabling the RC4 cipher, Microsoft Edge and IE11 will be aligned with Google Chrome, Mozilla Firefox, and Opera, which all had RC4 disabled in past updates. Currently, Edge and IE11 only use RC4 during a fallback from TLS 1.2 or 1.1 to TLS 1.0. Microsoft says that a fallback to TLS 1.0 with RC4 is usually an innocent error but is indistinguishable from a man-in-the-middle attack and therefore should be disabled entirely.
Users shouldn't notice any changes after RC4 is disabled, as most web services are moving away from the cipher. Microsoft advises those whose web services rely on RC4-enabled TLS 1.2 to remove support for RC4.
RC4 is a stream cipher that was conceived in 1987. In its long life, it has been supported widely by many web browsers and online services. Recent attacks, however, show that RC4 is insecure and can be broken within hours or days. In February 2015, the Internet Engineering Task Force prohibited the use of RC4 with TLS.
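For operators checking their own services, the following Python example (added here; it is not code from Microsoft or the Windows Blog) parses a raw TLS ServerHello record, such as one exported from a packet capture, and flags the TLS 1.0 with RC4 outcome described above. The function names, the constructed sample records and the subset of IANA RC4 suite IDs are assumptions of this example.

```python
import struct

# RC4 suite IDs from the IANA TLS registry (subset: common RSA and ECDHE suites).
RC4_SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0xC007: "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
    0xC011: "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
}
VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}


def parse_server_hello(record: bytes):
    """Return (version, cipher_suite) from one raw TLS ServerHello record."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    if ctype != 0x16 or rec_len < 4 or len(body) != rec_len or body[0] != 0x02:
        raise ValueError("not a complete ServerHello handshake record")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    if len(hello) < 35 or len(hello) < 35 + hello[34] + 3:
        raise ValueError("truncated ServerHello")
    # version(2) + random(32) + session_id length(1), then the session_id itself
    off = 35 + hello[34]
    version, = struct.unpack("!H", hello[:2])
    suite, = struct.unpack("!H", hello[off:off + 2])
    return version, suite


def audit(record: bytes) -> str:
    """Classify the negotiated result; TLS 1.0 + RC4 is the fallback case."""
    version, suite = parse_server_hello(record)
    vname = VERSIONS.get(version, hex(version))
    if suite in RC4_SUITES:
        tag = "RC4-FALLBACK" if version == 0x0301 else "RC4"
        return f"{tag}: {vname} {RC4_SUITES[suite]}"
    return f"OK: {vname} suite 0x{suite:04X}"


def make_hello(version: int, suite: int) -> bytes:
    """Build a constructed (not captured) ServerHello record for the demo."""
    hello = struct.pack("!H32sBHB", version, bytes(32), 0, suite, 0)
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 0x16, version, len(hs)) + hs


if __name__ == "__main__":
    print(audit(make_hello(0x0301, 0x0005)))  # constructed: TLS 1.0 + RC4
    print(audit(make_hello(0x0303, 0xC02F)))  # constructed: TLS 1.2 + AES-GCM
```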
Source: Windows Blog