Windows 7 Forums


Windows 7: Ending support for RC4 cipher in Microsoft Edge and Internet Explorer

01 Sep 2015   #1
Brink

64-bit Windows 10 Pro
 
 

Quote:
Today, Microsoft is announcing the end-of-support of the RC4 cipher in Microsoft Edge and Internet Explorer 11. Starting in early 2016, the RC4 cipher will be disabled by default and will not be used during TLS fallback negotiations.

There is consensus across the industry that RC4 is no longer cryptographically secure. Our announcement aligns with today's announcements from Google and Mozilla, who are ending support for RC4 in Chrome and Firefox.

What is RC4?

RC4 is a stream cipher that was first described in 1987, and has been widely supported across web browsers and online services. Modern attacks have demonstrated that RC4 can be broken within hours or days. The typical attacks on RC4 exploit biases in the RC4 keystream to recover repeatedly encrypted plaintexts. In February 2015, these new attacks prompted the Internet Engineering Task Force to prohibit the use of RC4 with TLS.

Microsoft Edge and Internet Explorer 11 only utilize RC4 during a fallback from TLS 1.2 or 1.1 to TLS 1.0. A fallback to TLS 1.0 with RC4 is most often the result of an innocent error, but this is indistinguishable from a man-in-the-middle attack. For this reason, RC4 will be entirely disabled by default for all Microsoft Edge and Internet Explorer users on Windows 7, Windows 8.1 and Windows 10 starting in early 2016.

How can I prepare?

We expect that most users will not notice this change. The percentage of insecure web services that support only RC4 is known to be small and shrinking.

If your web service relies on RC4, you will need to take action. Since 2013, Microsoft has recommended that customers enable TLS 1.2 in their services and remove support for RC4. For additional details, please see Security Advisory 2868725.

David Walp, Senior Program Manager, Microsoft Edge

Source: Ending support for the RC4 cipher in Microsoft Edge and Internet Explorer 11 | Microsoft Edge Dev Blog


01 Sep 2015   #2
FerchogtX

Microsoft Windows 7 Home Premium SP1 64-bit Build 7600 / Microsoft Windows XP Professional SP3
 
 

Does this mean IE11 will get a patch for this?
I'll wait for the KB in that case...
01 Sep 2015   #3
Callender

Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
 
 
RC4 during a fallback from TLS 1.2 or 1.1 to TLS 1.0 in IE11

Quote: Originally Posted by FerchogtX
Does this mean IE11 will get a patch for this?
I'll wait for the KB in that case...

Well, I hardly ever use IE11 (installed on my machine) so it's difficult to comment. Personally my view is that it might be better to disable TLS 1.0 and only re-enable it on an as-and-when-needed basis.

Now here's an interesting result using Cyberfox (Firefox variant)

Configured insecurely, the RC4 cipher is indeed used during TLS fallback negotiations:
[Screenshot: ff-rc4.jpg]
However, if configured properly that doesn't happen and it doesn't use an RC4 cipher suite:
[Screenshot: ff-rc4-2.jpg]
EDIT:

Some more info here that doesn't seem to tie in with the announcement:

Security Advisory 2868725: Recommendation to disable RC4 - Security Research & Defense - Site Home - TechNet Blogs

Quote:
IE 11 enables TLS1.2 by default and no longer uses RC4-based cipher suites during the TLS handshake.

I guess that what they are saying is that RC4 is still available for the small number of websites that need it. Switching off RC4 entirely will force those sites to support only non-RC4 ciphers.



02 Sep 2015   #4
ThrashZone

Win-7-Pro64bit 7-H-Prem-64bit
 
 

Yep I lost the translation
Anyone got a decoder ring around
02 Sep 2015   #5
NoN

Windows 7 Professional SP1 - x64 [Non-UEFI Boot]
 
 

I've switched off all RC4 ciphers a while back now in IE11... Web sites have to do the same, and MS will provide a full patch for IE only in early 2016??
02 Sep 2015   #6
Callender

Microsoft Windows 7 Home Premium 64-bit 7601 Multiprocessor Free Service Pack 1
 
 

Yes, I did the same - disabled all RC4 ciphers via the registry, but that only seems to work with Windows and IE. It doesn't seem to affect other browsers, specifically Firefox. In my case I use Cyberfox, FF Portable and Opera 12 mostly.

In my earlier posts I was just testing sites that use that insecure fallback method (utilizing RC4 during a fallback from TLS 1.2 or 1.1 to TLS 1.0.)
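
Added example, not part of the original posts: whatever TLS stack a browser uses, the cipher suites it is willing to negotiate are listed in the ClientHello it sends, so a captured hello shows whether RC4 is still on offer during a TLS 1.0 fallback. The function names and the two sample hellos below are constructed for illustration; the suite ids are the IANA-registered values.

```python
import struct

# RC4 cipher suite ids from the IANA TLS registry (the ones browsers commonly offered).
RC4_SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0xC007: "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
    0xC011: "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
}

def build_client_hello(version, suites):
    """Constructed sample input: a minimal ClientHello record without extensions."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"  # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"  # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake

def offered_suites(record):
    """Return (client_version, [suite ids]) from one TLS record holding a ClientHello."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    end = 5 + struct.unpack("!H", record[3:5])[0]
    hs_len = int.from_bytes(record[6:9], "big")
    if end > len(record) or 9 + hs_len > end or hs_len < 35:
        raise ValueError("truncated or fragmented ClientHello")
    version = struct.unpack("!H", record[9:11])[0]
    pos = 43                      # skip client_version (2) and random (32)
    pos += 1 + record[pos]        # skip session id
    if pos + 2 > end:
        raise ValueError("malformed session id length")
    n = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    if n % 2 or pos + n > end:
        raise ValueError("malformed cipher suite list")
    return version, [struct.unpack("!H", record[i:i + 2])[0] for i in range(pos, pos + n, 2)]

def rc4_offered(record):
    """Return (client_version, names of RC4 suites the client is willing to use)."""
    version, suites = offered_suites(record)
    return version, [RC4_SUITES[s] for s in suites if s in RC4_SUITES]

# Constructed hellos: a TLS 1.0 fallback attempt that still lists RC4, and a
# TLS 1.2 hello from a client with RC4 switched off.
FALLBACK_HELLO = build_client_hello(0x0301, [0xC014, 0xC011, 0x0035, 0x0005, 0x000A])
HARDENED_HELLO = build_client_hello(0x0303, [0xC02F, 0xC030, 0xC014, 0x0035])

if __name__ == "__main__":
    for label, hello in (("fallback", FALLBACK_HELLO), ("hardened", HARDENED_HELLO)):
        print(label, "%#06x" % rc4_offered(hello)[0], rc4_offered(hello)[1])
```

To check a real client, pass the first TLS record of a captured connection to `rc4_offered`; an empty list means no RC4 suite from the table was offered.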