What is RC4?
RC4 is a stream cipher designed in 1987 that has been widely supported by browsers and online services as a TLS encryption cipher. Multiple vulnerabilities have been discovered in RC4 over the years, to the point that RC4-protected traffic can be broken within days or even hours.
It’s good news that all the major browsers are going to drop it and move forward to a better cipher.
- Chrome plans to disable support for RC4 in a future Chrome release. While the company didn’t provide a specific date, it expects the Chrome version that doesn’t include RC4 to reach the stable channel “around January or February 2016.”
- Firefox plans to turn off RC4 entirely in Firefox 44, which is currently scheduled for release on January 26, 2016.
- Microsoft plans to disable RC4 by default for all Microsoft Edge and Internet Explorer users on Windows 7, Windows 8.1, and Windows 10 “starting in early 2016.”
What to do?
There is a simple check you should run against your production site. If you get an F, as in the image below, read the reasons it lists and correct your server configuration. Server operators who don't want to tweak their configuration again in the foreseeable future should confirm that they support TLS 1.2 with ECDHE_RSA_WITH_AES_128_GCM.
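A quick command-line version of that check, added here as an example and not part of the original post: it uses openssl s_client to ask a server for an RC4 suite and then for TLS 1.2 with ECDHE-RSA-AES128-GCM-SHA256 (the OpenSSL name of the suite above), and reports what was negotiated. The host and port are whatever you pass on the command line; the parsing relies on the "New, <proto>, Cipher is <name>" line that s_client prints.

```shell
#!/bin/sh
# Added example (not from the original post): probe a TLS server for RC4 and for
# TLS 1.2 with ECDHE-RSA-AES128-GCM-SHA256 using openssl s_client.
# Usage: sh check_rc4.sh HOST [PORT]

# Read s_client output on stdin and print the negotiated cipher name, or NONE
# when no handshake completed (s_client then prints "Cipher is (NONE)").
negotiated_cipher() {
    c=$(sed -n 's/^New, .*, Cipher is //p' | head -n 1)
    case "$c" in
        ""|"(NONE)") echo NONE ;;
        *)           echo "$c" ;;
    esac
}

# One handshake attempt: probe HOST PORT [extra s_client options...]
probe() {
    host=$1; port=$2; shift 2
    printf '' | openssl s_client -connect "$host:$port" -servername "$host" "$@" 2>/dev/null \
        | negotiated_cipher
}

# Turn the two probe results into a report; returns 1 if RC4 is still negotiable.
verdict() {
    rc4=$1; gcm=$2; status=0
    case "$rc4" in
        NONE)    echo "OK:   RC4 is not negotiable" ;;
        UNKNOWN) echo "SKIP: RC4 could not be tested from this client" ;;
        *)       echo "FAIL: server still negotiates RC4 ($rc4)"; status=1 ;;
    esac
    if [ "$gcm" = ECDHE-RSA-AES128-GCM-SHA256 ]; then
        echo "OK:   TLS 1.2 with $gcm is supported"
    else
        echo "WARN: TLS 1.2 with ECDHE-RSA-AES128-GCM-SHA256 was not negotiated"
    fi
    return $status
}

check_server() {
    host=$1; port=${2:-443}
    # A local OpenSSL built without RC4 cannot even offer it, so a "no RC4"
    # result from such a client would be meaningless; report UNKNOWN instead.
    if openssl ciphers RC4 >/dev/null 2>&1; then
        rc4=$(probe "$host" "$port" -cipher RC4)
    else
        rc4=UNKNOWN
    fi
    gcm=$(probe "$host" "$port" -tls1_2 -cipher ECDHE-RSA-AES128-GCM-SHA256)
    verdict "$rc4" "$gcm"
}

if [ "$#" -ge 1 ]; then check_server "$@"; fi
```

If the script prints SKIP for RC4, your OpenSSL build has dropped RC4 and you need an external scanner that still offers it to the server.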