Major browser makers have finally confirmed that support for the weak RC4 stream cipher is coming to an end. Google, Mozilla, and Microsoft have each given a time frame in 2016 after which their browsers will no longer negotiate the 28-year-old cipher, which is vulnerable to several significant attacks. Google’s Adam Langley states that Chrome has an “implicit duty to do what it can to ensure that the [HTTPS] connection is secure,” and RC4 is falling below that bar. No exact date has been given for when Chrome will make the cutover, but most expect it to be sometime in January or February, at which point HTTPS servers that support only RC4 cipher suites will stop working in Chrome.
What does this mean for Dunbar clients? An improved security posture, as RC4 findings rear their heads in most security assessment reports. Mitigating this finding is sometimes a challenge, since older legacy web applications sometimes require particular cipher suites to operate.
Though most connections today negotiate a stronger cipher suite and only end up on RC4 when the server’s configuration still offers it, that remaining exposure can be removed with a simple configuration change: drop the RC4 cipher suites from the server’s list (RFC 7465 already prohibits them in TLS). Published attacks exploit statistical biases in the RC4 keystream to recover plaintext that is encrypted repeatedly, such as session cookies, from a large number of captured TLS connections, which lets an attacker hijack the session and expose personal information.
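The check an assessor runs to produce the RC4 finding mentioned above, as an added example that is not part of the original post: a hand-built TLS ClientHello that offers only RC4 cipher suites, and a classifier for the server’s first reply. If the server answers with a ServerHello selecting one of those suites, it still negotiates RC4; a handshake_failure alert (or a dropped connection) means it does not. The cipher-suite identifiers and alert codes are the IANA/RFC 5246 values; the function names, the SNI-only extension set, and the sample ServerHello and alert bytes used to exercise the classifier are this example’s own assumptions.

```python
"""Probe a TLS server for RC4 cipher-suite support with a hand-built ClientHello.

Added example, not code from the original post. Offers only RC4 suites; a
ServerHello that picks one proves the server still negotiates RC4, while a
handshake_failure alert (or an empty reply) shows RC4 is disabled.
"""
import os
import socket
import struct
import sys

# IANA cipher-suite identifiers for the RC4 suites servers commonly still offered.
RC4_SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0xC007: "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
    0xC011: "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
}

# Alert descriptions we expect when the offer is rejected (RFC 5246, section 7.2).
ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version", 80: "internal_error"}


def build_client_hello(server_name, suites=RC4_SUITES, version=b"\x03\x03"):
    """Return one TLS record carrying a ClientHello that offers only `suites`.

    `version` defaults to TLS 1.2 (0x0303). Only the SNI extension is sent,
    because most virtual-hosted servers refuse a handshake without it.
    """
    cipher_suites = b"".join(struct.pack("!H", s) for s in suites)
    name = server_name.encode("idna")
    # server_name extension body: list length, name type (0 = host_name), name length, name
    sni_body = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    extensions = struct.pack("!HH", 0x0000, len(sni_body)) + sni_body
    body = (
        version
        + os.urandom(32)                                   # ClientHello.random
        + b"\x00"                                          # empty session_id
        + struct.pack("!H", len(cipher_suites)) + cipher_suites
        + b"\x01\x00"                                      # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = ClientHello
    # Record-layer version 0x0301 (TLS 1.0) is the conventional value for a ClientHello.
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Interpret the first TLS record the server returns for the RC4-only ClientHello.

    Returns (rc4_supported, detail): detail names the selected suite, the alert,
    or why the record could not be classified.
    """
    if len(data) < 5:
        return False, "short or empty response"      # many servers just close the socket
    content_type, length = data[0], struct.unpack("!H", data[3:5])[0]
    record = data[5:5 + length]
    if content_type == 0x15 and len(record) >= 2:    # alert: level, description
        return False, "alert: " + ALERT_NAMES.get(record[1], "code %d" % record[1])
    if content_type == 0x16 and len(record) >= 39 and record[0] == 0x02:  # ServerHello
        # handshake header (4) + version (2) + random (32) puts session_id_len at 38
        sid_len = record[38]
        off = 39 + sid_len
        if len(record) < off + 2:
            return False, "truncated ServerHello"
        suite = struct.unpack("!H", record[off:off + 2])[0]
        if suite in RC4_SUITES:
            return True, RC4_SUITES[suite]
        return False, "server chose non-offered suite 0x%04x" % suite  # protocol violation
    return False, "unexpected record type 0x%02x" % content_type


def probe(host, port=443, timeout=5.0):
    """Connect, send the RC4-only ClientHello, and classify the first reply.

    Network function: run it only against hosts you are authorised to test.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(host))
        data = sock.recv(4096)
    return classify_response(data)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    supported, detail = probe(target)
    print("%s: RC4 %s (%s)" % (target, "SUPPORTED" if supported else "not offered", detail))
```

Once RC4 is removed from the server’s suite list (for example by adding `!RC4` to the OpenSSL-style cipher string in Apache’s `SSLCipherSuite` or nginx’s `ssl_ciphers` directive and reloading), the probe should come back with a handshake_failure alert or an empty reply rather than a ServerHello, and the assessment finding can be closed.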