Slashdot Mirror


Browser Makers To End RC4 Support In Early 2016

msm1267 writes: Google, Microsoft and Mozilla today announced they've settled on an early 2016 timeframe to permanently deprecate the shaky RC4 encryption algorithm in their respective browsers. Mozilla said Firefox's shut-off date will coincide with the release of Firefox 44 on Jan. 26. Google and Microsoft said that Chrome and Internet Explorer 11 (and Microsoft Edge) respectively will also do so in the January-February timeframe. Attacks against RC4 are growing increasingly practical, rendering the algorithm more untrustworthy by the day.

40 comments

  1. Why wait? by Anonymous Coward · · Score: 0

    This comment was too short to post so we'll just have to add something here, now don't we.

    1. Re:Why wait? by TheCycoONE · · Score: 1

      Presumably so that people running servers who are not up in the know about cipher suites, now finally have some incentive to take a look (because they ignored earlier security reports - they didn't have any 'impact'). Once they find out they're using RC4 they need to figure out how to pick different ciphers, and maybe upgrade their web server and ssl library. Maybe it's far fetched, but browser makers are pretty conservative about 'breaking the web' for anyone.

    2. Re: Why wait? by Anonymous Coward · · Score: 0

      And you think they will get the memo this time?

      Trust me, it's the day when this is rolled out that they will notice.

    3. Re:Why wait? by Gr8Apes · · Score: 1

      I'd say slap big fat hairy warning signs about the web site being insecure today, and turn it off in the next release. The admins will figure it out very very quickly that something's rotten in their web site configuration.

      --
      The cesspool just got a check and balance.
  2. Older browsers by Anonymous Coward · · Score: 0

    Let's assume for a second that changing browsers isn't possible. Will this affect those of us who are stuck using older browsers, such as Firefox 10 and IE6?

    1. Re: Older browsers by Anonymous Coward · · Score: 0, Funny

      Yes. You're being left behind. If you don't have the money for a new system you're irrelevant to the Market. You'll be abandoned. Update or face the consequences.

    2. Re:Older browsers by jonwil · · Score: 3, Informative

      Assuming you aren't on a browser that is so old it doesn't support more secure algorithms (AES I believe is the one everyone should be using instead of RC4) then what will happen is that people still using RC4 certificates will switch to AES certificates and your browser will be more secure as a result.

    3. Re:Older browsers by arglebargle_xiv · · Score: 0

      Mozilla said Firefox's shut-off date will coincide with the release of Firefox 44 on Jan. 26.

      So they've already got a prediction for when they'll have managed to drive their market share down to zero? Wow, it's closer than I thought.

    4. Re:Older browsers by Anonymous Coward · · Score: 0

      You will be left behind, yes. You lot can't expect the rest of us to put up with your ancient stuff just because you don't want to upgrade.

      IE6 is about as old now, as my Amiga 1200 was when IE6 was launched. It's time to get over it. Sorry.

    5. Re: Older browsers by dreamchaser · · Score: 1

      Most people stuck using older browsers have to do so due to applications at work written specifically to the quirks of said browsers. Even an old, old personally owned system can be upgraded to newer browser versions.

    6. Re:Older browsers by rudy_wayne · · Score: 1

      Let's assume for a second that changing browsers isn't possible. Will this affect those of us who are stuck using older browsers, such as Firefox 10 and IE6?

      You're assuming that every website in the universe will automagically abandon RC4 between now and January.

      I have had to keep RC4 enabled because of websites I need to access who still use it. Yes, I tried to contact them, and yes, they are completely clueless.

    7. Re:Older browsers by ledow · · Score: 1

      In the same way nobody really writes web browsers for DOS anymore - yes.

      You might find a niche project that lets you bring those heap-of-old-junk browsers onto the net via some proxy or setting change or patch or similar, but it'll be unofficial and unsupported.

      And nobody with a website will care, they'll just tell you to upgrade. Like nobody will sell you new versions of Microsoft Office for DOS - stick with it on what you have and watch as you can't view others' content in newer formats, or upgrade.

      Nobody's saying leap to Windows 10 here. We're saying stop using a browser that's over THREE TIMES AS OLD as an obsolete computer (e.g. 2001 for IE6) to secure your banking transactions when it has known security flaws that CANNOT be fixed.

    8. Re: Older browsers by quetwo · · Score: 1

      Keep one old browser for that specific application, and upgrade the rest. I still keep my copy of Firefox downgraded to some stupid old version because of my ERP system, but I use Chrome at the latest.

    9. Re:Older browsers by arth1 · · Score: 1

      Nobody's saying leap to Windows 10 here. We're saying stop using a browser that's over THREE TIMES AS OLD as an obsolete computer (e.g. 2001 for IE6)

      Obsolete? Let me check my main computer.
      % grep name /proc/cpuinfo
      model name : Intel(R) Pentium(R) III CPU family 1133MHz

      A browser three times that age would have had to be made in 1973...

      But it's not even obsolete. It runs up-to-date patched software, does all its tasks, and handles admirably. It's no more obsolete than a well maintained car from 2001 is.

    10. Re: Older browsers by Anonymous Coward · · Score: 0

      Have it rewritten or move on. You can't stop progress. If your business depends on obsolete hardware and software, find another business or clear the road for better entrepreneurs.

    11. Re: Older browsers by Gr8Apes · · Score: 2

      Keep one old browser for that specific application, and upgrade the rest. I still keep my copy of Firefox downgraded to some stupid old version because of my ERP system, but I use Chrome at the latest.

      Because sending all my browsing habits to Google is secure!

      --
      The cesspool just got a check and balance.
    12. Re:Older browsers by Anonymous Coward · · Score: 0

      How do you manage that? I know the latest version of Chrome/Chromium will not run on a Pentium 3 computer at all due to not having SSE2 support. I am sure that Firefox is the same by now. So unless you are using qemu's full CPU emulation to fake it, good luck.

    13. Re:Older browsers by Anonymous Coward · · Score: 0

      If you compile it yourself it would run just fine...

    14. Re:Older browsers by Anonymous Coward · · Score: 0

      The encryption used is not based on the certificate; it is negotiated as part of the certificate exchange.
      Disabling the insecure negotiation algorithms (SSL 2, SSL 3, TLS 1.0) has more of an impact, as some browser OS combos like IE 8 on XP do not support TLS 1.1 or TLS 1.2; in point of fact, unless MS back-ports support for TLS 1.1 and TLS 1.2, users prior to Windows 7 with IE 11 will be left out in the cold once PCI-DSS 3.1 deadlines hit if they are using IE.

      We have already disabled RC4 on our web servers; the RC4 people typically have 3DES also, so that is what they have available to use.
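
Added example, not part of any comment in this thread: a minimal model of the server-side cipher-suite selection the comment above describes, showing why clients that also offer 3DES survive the removal of RC4 while RC4-only clients fail the handshake. Suite names and code points are IANA's; the client offer lists and the server preference order are constructed for illustration.

```python
# Added illustration of server-side cipher-suite selection in a TLS handshake.
# Names and code points are IANA's; offer lists and server order are constructed.
SUITES = {
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
}
# Every suite above authenticates with an RSA certificate, so the same
# certificate serves all of them: the cipher is chosen per handshake.

# Constructed server preference order that still puts RC4 first.
LEGACY_SERVER = [0x0005, 0x0004, 0xC02F, 0x002F, 0x000A]

# Constructed client offers (not the real lists of any browser).
CLIENTS = {
    "modern": [0xC02F, 0x002F, 0x000A, 0x0005],
    "legacy_with_3des": [0x0005, 0x0004, 0x000A],
    "rc4_only": [0x0005, 0x0004],
}

def is_rc4(code):
    return "_RC4_" in SUITES[code]

def negotiate(client_offer, server_prefs):
    """First server-preferred suite the client also offered, or None (handshake failure)."""
    offered = set(client_offer)
    for code in server_prefs:
        if code in offered:
            return code
    return None

def impact_of_disabling_rc4(clients, server_prefs):
    """Map client name -> (suite before, suite after) removing RC4 from the server."""
    hardened = [c for c in server_prefs if not is_rc4(c)]
    report = {}
    for name, offer in clients.items():
        before = negotiate(offer, server_prefs)
        after = negotiate(offer, hardened)
        report[name] = (SUITES.get(before), SUITES.get(after))
    return report

if __name__ == "__main__":
    for name, (before, after) in impact_of_disabling_rc4(CLIENTS, LEGACY_SERVER).items():
        print(f"{name:18} {before} -> {after or 'HANDSHAKE FAILURE'}")
```
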

    15. Re: Older browsers by Anonymous Coward · · Score: 0

      Use chromium instead then.

    16. Re:Older browsers by Opyros · · Score: 1

      nobody really writes web browsers for DOS anymore

      As a matter of fact, a gopher browser(!) for DOS just got a new version.

    17. Re:Older browsers by arth1 · · Score: 1

      If you compile it yourself it would run just fine...

      Bingo. Gentoo is very nice that way.

    18. Re:Older browsers by Anonymous Coward · · Score: 0

      You're assuming that every website in the universe will automagically abandon RC4 between now and January.

      I have had to keep RC4 enabled because of websites I need to access who still use it. Yes, I tried to contact them, and yes, they are completely clueless.

      Do you have 3DES enabled?

    19. Re:Older browsers by Anonymous Coward · · Score: 0

      It's good to poke fun at this, but it's a real issue for some corporations. I work at a company that offers products to Fortune 500s. We were shocked at how many clients are still using IE on Windows XP. I cannot shut off these ciphers as much as I (and our security people) want to without closing down applications to clients. Think about companies that don't fit the "desk" profile. Mining companies, retail stores ...where employees get access through kiosks. These kiosks live longer than old arcade games...or at least it feels that way right now.

      Though disabled by default, it appears that old IE versions can be configured to support more modern ciphers.

  3. I hope not by Viol8 · · Score: 1

    I'm waiting for Firefox 69 - Porn Edition to be released. The way their version numbers are going up that'll be around this time next year.

    1. Re:I hope not by l0n3s0m3phr34k · · Score: 1

      I'm hoping version 42 will have some type of reference in it, but I don't know if the coders are the type to always have a towel with them.

    2. Re:I hope not by Anonymous Coward · · Score: 0

      They look all wet to me....

    3. Re:I hope not by Flavianoep · · Score: 1

      If Firefox 44 comes in Jan., 2016, I guess that by the end of the year they will have caught up with Google Chrome.

      --
      Linux is for people who don't mind RTFM.
    4. Re: I hope not by BarbaraHudson · · Score: 1

      Firefox 69 the porn edition will down on you on a regular basis. Their marketing motto will be "Firefox 69 sux even more".

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
    5. Re: I hope not by arglebargle_xiv · · Score: 1

      Firefox 69 the porn edition will down on you on a regular basis. Their marketing motto will be "Firefox 69 sux even more".

      Years ago, back in the days of IE 6, I had a t-shirt made that said "Firefox sucks less". Your comment there just reminded me that if I'd had the same shirt done today, it'd have to be "Firefox sucks more". Sigh.

  4. How will this affect me... by Anonymous Coward · · Score: 0

    As a Windows XP user?

    1. Re: How will this affect me... by Anonymous Coward · · Score: 0

      As long as you update your Firefox you will be fine.

  5. RC4 by rossdee · · Score: 1

    end support for Release Candidate 4?

    Does this mean there will be fewer (beta) versions?

  6. What about Cyberdog? by Anonymous Coward · · Score: 0

    I still run Cyberdog on my System 7 Quadra box. What options do I have?

    1. Re: What about Cyberdog? by 0xdeaddead · · Score: 1

      Maybe one of those new powermac with a 601 powerpc and system 8.5!

      Or just install A/UX and build an SSL proxy

    2. Re:What about Cyberdog? by tepples · · Score: 1

      I still run Cyberdog on my System 7 Quadra box. What options do I have?

      Buy a modern Mac mini and see how many of the apps on your Quadra also run in Basilisk II.

  7. PCI 3.1 compliance is also killing RC4, IE8 dead? by Anonymous Coward · · Score: 0

    Will IE8 finally die when people can't use it to purchase things on the internet anymore?

  8. Windows 2003 servers by Anonymous Coward · · Score: 0

    Basically, this most affects Windows 2003 servers (they're already EOL, but they do exist). Their highest level of properly functioning cipher is RC4.

  9. Cut + Paste broken at threatpost.com by Anonymous Coward · · Score: 0

    Looks like threatpost.com is using JavaScript to "protect" its content from Cutting and Pasting. They automatically append 2 newlines and "See more at: Google, Mozilla, Microsoft to Sever RC4 Support in Early 2016 https://wp.me/p3AjUX-tMK" to the copied text. Very annoying.