back to article Microsoft, Cisco: RC4 encryption considered harmful, avoid at all costs

Microsoft has urged the Windows world to dump the once trusty but now distrusted RC4 encryption algorithm – and pick something stronger. Cisco has also told its customers to "avoid" the cipher. RC4, developed in 1987, is a popular stream cipher that's often used in HTTPS connections to protect sensitive network traffic from …


This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    Lets not forget that the US government has banned export of certain crypto tech for years.

    1. K

      I'm no encryption expert, but there certain flaws with this

      1) Many of the encryption methods are openly available as open source.

      2) Even when a provider "enforces" these conditions, the most I have ever seen is "What country are you from" and "do you agree to export limitations"..

      Thats a majorly effective export ban going on there!

      1. Wzrd1 Silver badge

        And yet, I can download AES, sha-2, RC5 and RC6 as freeware all over the world, hosted all over the world, written by coders all over the world.

        I'll stick with that which matters most. The US DoD stopped using sha-1 ages ago, dumped RC4 ages ago and either goes with AES, AES or AES.

        The DoD smartcards dropped 1024 bit keys in favor of 2048 bit keys.

        I figure that they did it for a good reason, not to simply change shit.

        There was also some rumbling about quantum computers in use, though the degree of which what was in use was restricted to circles far more ratified than Snowden had access to.

        No, I'll not comment further.

        1. Suricou Raven

          2048b is really a minimum for RSA. It's secure for now, but if you want your communications to remain secure in the future 4096b is advisable. Any more is just silly.

    2. Anonymous Coward
      Anonymous Coward

      Let's not forget that many countries also have banned import of certain crypto tech. The same reasons why the US controls the export, other countries control the import. Other countries might want to spy on its citizens and strong crypto they can't break makes that harder.

      China bans crypto tech import unless you have government certification.

      France has this:

      "As long as cryptography is only used for authentication and integrity purposes, it can be freely used. The cryptographic key or the nationality of the entities involved in the transaction do not matter. Typical e-business websites fall under this liberalized regime.

      For other uses, exportation and importation to or from foreign countries must be either declared (when the other country is a member of the European Union) or requires an explicit authorization (for other countries)."

      1. Ian Yates

        To be honest, I've never really understood what they mean by "import" and "export" in these things, apart from physical crypto gear. Digital "property" has blurred the lines of when something is entering or leaving your borders.

        Plus, you can't control concepts, no matter how egotisitcal a government is. Cryptographic tech is just the implementation of a mathematical concept, which is easily distributable.

    3. Anonymous Coward
      Anonymous Coward

      That's old

      They lifted the restrictions (except to certain countries) years ago:

  2. Anonymous Coward
    Anonymous Coward

    RC4 is good

    At what point does an algorithm give up and decide that what appears to be random noise is in fact random noise ?

    The spooks cannot give up.

    Because they spy upon everyone they must assume

    1. they are being spied upon themselves

    2. all measures they use to avoid being spied upon are being used against them

    3. new (anti-spy and spy) measures are being developed which must be mitigated against

    They spend multi-millions of Dollars/Pounds on self masturbatory fantasies where they play good guy/bad guy and the taxpayer picks up the bill.

    There are some seriously disturbed individuals who wield unprecedented powers at the heart of our Governments.

  3. RobHib

    Love to be a fly on the wall at NSA.

    Jacob Appelbaum, a computer security researcher and leading Tor developer, bluntly warned earlier this month: "RC4 is broken in real-time by the ‪NSA‬ – stop using it.

    If true, I'd love to be a fly on the wall at the NSA. Love to see the swearing, cursing and gnashing of teeth now that this peephole has been closed.

    There'd have to be a contract out on Snowden by now.

    1. tony2heads
      Big Brother

      Re: Love to be a fly on the wall at NSA.

      Not so much a peephole, more a large Window without curtains

    2. Suricou Raven

      Re: Love to be a fly on the wall at NSA.

      Not really. RC4 is still the default on a great many browsers, webservers, etc. Even if the decree goes out 'Abandon RC4!' today, it'll be a decade before it filters down. Software endures: Witness XP.

    3. PeteA

      Re: Love to be a fly on the wall at NSA.

      Ah, but what if we steganographically bury the _real_ (properly encrypted, 'natch) data inside the RC4?

      And before anyone shouts 'security by obscurity', the techniques change, but camouflage has worked pretty well for quite a while.

  4. Bladeforce

    What was that? Avoid Windows at all costs?

  5. Anonymous Coward
    Anonymous Coward

    How do we know

    They aren't just gently sheparding us toward things that are utterly broken by design?

    There are some interesting questions around elliptic curve constants provided by NSA to NIST, for example.

    Snowden might not have known it all - very likely he didn't. They do keep some stuff really close, as I found out *when I worked for the NSA myself*. Some things aren't on systems that just a sysadmin with a few social engineered passwords can get to. Some aren't even on internal networks, sneaker-net only, and only the guy with this or that machine knows they have it. Just sayin.

    Posting anon for obvious reasons.

    1. Anonymous Coward
      Anonymous Coward

      Re: How do we know

      is AES-GCM elliptical? I've not heard of it.

  6. Anonymous Coward
    Anonymous Coward

    thank you for this:

    " SHA-2 set of functions: SHA-224, SHA-256, SHA-384 and SHA-512"

    I guess I speed-read over this fact before.

  7. Stuart Halliday

    Ok. Obvious if unanswered question.

    As a web browser user how do I tell if a site is using RC4?

    1. diodesign (Written by Reg staff) Silver badge

      Good question

      Try using, put in a URL, check the protocol and ciphers in list of preference. If your browser and the server can agree on a strong cipher, you're cooking on gas.


      1. pabc

        Re: Good question

        That site, reports facebook as being grade A, yet firefox's technical information on the secure connection says 128 bit RC4

        Perhaps not grade A until the use of RC4 caps to grade B?

    2. pabc

      In firefox, click the padlock to the left in the adress bar and select 'more info'

      In Chrome, click the padlock to the left in the adress bar and look in the 'connection' tab

    3. richardcox13

      > As a web browser user how do I tell if a site is using RC4?

      In IE: Right click and select properties: details of the ciphers used is under connection.

      In Chrome: click on the padlock on the address bar and click on the connection tab.

      In Firefox it is in Tools | Page Info at the bottom of the General tab with more details on the Security tab.

    4. John H Woods Silver badge

      Click the padlock icon to see the certificate, there's normally an 'advanced' or 'more information' button that will show you additional details - these should include the encryption mechanism. My https to Google yields:

      TLS_ECDHE_RSA_WITH_RC4_128_SHA, 128 bit keys


  8. Dan Crichton

    While disabling RC4 is a good idea in theory, in practice it's impossible when running Windows Server boxes that are not 2008+. Windows Server 2003, while still in extended support until July 2015, only supports TLS1.0 which has a small number of ciphers; RC4 is the only cipher it does support that doesn't use CBC, so turning it off isn't an option if you need to run SSL. All the Windows 2003 CBC ciphers are worse than RC4 given how BEAST demonstrated their inherent weakness, and various patches and KB articles released shortly after BEAST resulted in the two RC4 ciphers (TLS_RSA_WITH_RC4_128_MD5 and TLS_RSA_WITH_RC4_128_SHA) being the only two left available. For some companies upgrading all their servers to Windows 2008/2012 right now just isn't a realistic option. If the charts at represent a realistic spread of IIS versions, then 42% of websites running Windows are on 2003/IIS6 (which represents around 6% of all websites in the survey), which is still a significant number of servers worldwide. Given Microsoft is supporting Windows Server 2003 for almost 2 more years, and that they're urging RC4 to be disabled, where is their announcement about a patch for 2003 to add TLS 1.2 support? After all, this would constitute a security risk, and therefore require a security fix, wouldn't it?

    1. richardcox13

      Equally there is no patch for XP/Vista to make it possible to disable RC4. Or support for TLS 1.2.

      Old versions in extended support don't get new features.

      1. Tom 13

        Re: Old versions in extended support don't get new features.

        Yes, that is current accepted practice.

        But the question is: in light of what we know now, should it be?

        I for one am quite tired of the licensing disclaimers that the vendor isn't liable for anything beyond the price of the software if it is found that the software is not fit for purpose. MS and all the rest of the software vendors sell their ware on precisely the claim that it is fit for purpose. When problems in manufacturing are found which are well beyond the capability and licensing restrictions of the software, the manufacturer should be liable and should be expected to produce fixes. Just like GM, Chrysler, Ford, BMW, etc.

  9. Paul Crawford Silver badge

    Banking dissapointment

    I tried and while it got an "A" overall as it used 256-bit AES on modern browsers, it also got this:

    "This site supports only older protocol versions, but not the most recent and more secure TLS 1.2"

    Looking further, it lacked both 1.1 and 1.2 so no BEAST attack mitigation.

    1. Paul Crawford Silver badge

      To add I that used:

  10. gc1

    Looking at various UK Internet banking sites most seem to return cipher suites in preferred order with TLS_RSA_WITH_RC4_128_SHA listed first, so that is used even where both the client and server support something stronger. If any banking admins are reading this maybe it is time to change the cipher suite preference order or set no preference order.

  11. big_D Silver badge


    Enable TLS 1.2 and disable SSL and TLS 1.0 and visit MS's, it tells you it can't display the page and you should enable TLS 1.0 and SSL 3!

  12. Cryptosmith

    Thank god someone in the media has finally noticed

    A few weeks ago I examined the top 20 or so English-speaking web sites - the overwhelming majority still use RC4 for "high security web connections." The overwhelming majority of financial sites I examined also use RC4.

    I don't understand how a browser can claim that a site provides "high security" when it uses RC4. Maybe there's a rule somewhere that makes it difficult/impossible to mark a previously-respected algorithm as being trash.

    RC4 has never been as strong as DES, which was discarded over a decade ago.

This topic is closed for new posts.

Other stories you might like