Intent to deprecate: RC4

9437 views
Skip to first unread message

Adam Langley

unread,
Sep 1, 2015, 12:56:42 PM9/1/15
to security-dev, net-dev
(The discussion of this topic is intended to be on the
securi...@chromium.org mailing list. This message has also been
cc'ed to the net-dev mailing list in an attempt to ensure that
interested parties are aware of it.)

RC4 is a 28 year old cipher that has done remarkably well, but it is
now the subject of several, significant attacks[1][2][3]. The IETF has
decided that RC4 is sufficiently bad to warrant a statement that it
must no longer be used[4].

When Chrome makes an HTTPS connection it has an implicit duty to do
what it can to ensure that the connection is secure. At this point,
the use of RC4 in an HTTPS connection is falling below that bar and
thus we plan to disable support for RC4 in a future Chrome release.
That release is likely to reach the stable channel around January or
February 2016. At that time, HTTPS servers that only support RC4 will
stop working.

Measurements show that only 0.13% of HTTPS connections made by Chrome
users (who have opted into statistics collection) currently use RC4.
Even then, affected server operators can very likely simply tweak
their configuration to enable a better cipher suite in order to ensure
continued operation. (Chrome has long implemented 1/n-1 record
splitting and is thus protected against the BEAST attack even with CBC
modes and TLS 1.0.)

Server operators who don’t wish to have to tweak configurations again
in the foreseeable future should check that they support TLS 1.2 with
ECDHE_RSA_WITH_AES_128_GCM and use the tool at
https://ssllabs.com/ssltest to find any other obvious problems.

Current versions of Chrome don't advertise support for RC4 on an HTTPS
connection unless the first connection attempt fails, so servers that
already support a non-RC4 cipher suite will not see any change.

AGL


[1] http://www.isg.rhul.ac.uk/tls/
[2] https://www.usenix.org/conference/usenixsecurity15/technical-sessions/presentation/vanhoef
[3] https://www.usenix.org/conference/usenixsecurity15/technical-sessions/presentation/garman
[4] https://tools.ietf.org/html/rfc7465

Adam Langley

unread,
Sep 1, 2015, 1:30:12 PM9/1/15
to security-dev
Message has been deleted

David Benjamin

unread,
Oct 26, 2015, 4:38:20 PM10/26/15
to Adam Langley, security-dev, net-dev
As a reminder, RC4 is still expected to be removed around January or February 2016. This clocks it at Chrome 48. Please revisit your server configuration if you're still using RC4 (see notes quoted below).

David
--
You received this message because you are subscribed to the Google Groups "net-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to net-dev+u...@chromium.org.
To post to this group, send email to net...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/net-dev/CAL9PXLz-59%3DsxtnGd7frF%2BcmLHyi1bxaCx%2BcTRj9-U35%3Dw%3DODw%40mail.gmail.com.

carlywo...@gmail.com

unread,
Mar 2, 2017, 5:46:02 AM3/2/17
to Security-dev, a...@chromium.org, net...@chromium.org
help me with error: uses an unsupported protocol.

carlywo...@gmail.com

unread,
Mar 2, 2017, 5:46:19 AM3/2/17
to Security-dev, a...@chromium.org, net...@chromium.org

hasmukhk...@gmail.com

unread,
Jun 15, 2017, 5:11:49 AM6/15/17
to Security-dev, net...@chromium.org

hzama...@gmail.com

unread,
Sep 23, 2017, 11:05:36 AM9/23/17
to Security-dev, net...@chromium.org
1 Eylül 2015 Salı 19:56:42 UTC+3 tarihinde Adam Langley yazdı:

booper...@gmail.com

unread,
Dec 18, 2017, 9:26:54 PM12/18/17
to Security-dev, net...@chromium.org

cscel...@gmail.com

unread,
Feb 12, 2018, 2:59:01 PM2/12/18
to Security-dev, net...@chromium.org
On Tuesday, September 1, 2015 at 10:26:42 PM UTC+5:30, Adam Langley wrote:

wodot...@gmail.com

unread,
May 18, 2018, 12:58:46 PM5/18/18
to Security-dev, net...@chromium.org

buddhab...@gmail.com

unread,
Aug 22, 2018, 2:55:23 AM8/22/18
to Security-dev, net...@chromium.org
On Tuesday, September 1, 2015 at 10:26:42 PM UTC+5:30, Adam Langley wrote:

mzjr...@gmail.com

unread,
Oct 29, 2018, 12:14:31 PM10/29/18
to Security-dev, net...@chromium.org
On Tuesday, September 1, 2015 at 12:56:42 PM UTC-4, Adam Langley wrote:

01kr.p...@gmail.com

unread,
Nov 8, 2018, 10:06:03 AM11/8/18
to Security-dev, net...@chromium.org
On Tuesday, September 1, 2015 at 12:56:42 PM UTC-4, Adam Langley wrote:

kayl...@gmail.com

unread,
Nov 3, 2019, 1:47:29 AM11/3/19
to Security-dev, net...@chromium.org

w681...@gmail.com

unread,
Nov 26, 2019, 3:12:28 AM11/26/19
to Security-dev, net...@chromium.org
Reply all
Reply to author
Forward
0 new messages