Microsoft has announced that it will end support for RC4 encryption in its Microsoft Edge and Internet Explorer 11 web browsers next month. On April 12, the company will no longer provide support for the RC4 cipher, which has been proven to be cryptographically insecure. Some attacks have been able to compromise it in just a few days, or even hours.
One such attack was demonstrated by security researchers at the Usenix conference last year, where it took them only about 52 hours to crack the cipher.
As a result, any sites that use it have been an attractive target. The cipher has been around since 1987, and the likes of Microsoft and Mozilla have been warning about its aging reliability for a while now. In February of last year, the Internet Engineering Task Force moved to prohibit the use of RC4 with TLS over security fears.
Both Google and Mozilla killed off their use of RC4 in January with the launches of Chrome 48 and Firefox 44. Microsoft is now following suit and has been advising web services to move over to TLS 1.2 instead as soon as possible.
“Microsoft Edge and Internet Explorer 11 only utilize RC4 during a fallback from TLS 1.2 or 1.1 to TLS 1.0. A fallback to TLS 1.0 with RC4 is most often the result of an innocent error, but this is indistinguishable from a man-in-the-middle attack,” said Brent Mills, senior program manager at Windows Experience. “For this reason, RC4 will be entirely disabled by default for Microsoft Edge and Internet Explorer users on Windows 7, Windows 8.1 and Windows 10 starting April 12.”
As for how this will affect end users, it’s unlikely that you will notice anything different, according to Mills. RC4 will simply be disabled by default for all users on Windows 7, 8, 8.1, and 10.
“The percentage of insecure web services that support only RC4 is known to be small and shrinking,” said Mills. However, if you do happen to visit a site that’s secured by RC4, it will be flagged as insecure in Internet Explorer 11 and Edge once the algorithm is put out to pasture.