Slashdot Mirror


Microsoft Disables RC4 In Internet Explorer 11 and Edge (winbeta.org)

An anonymous reader quotes a report from WinBeta: Microsoft released KB3151631 as part of today's Patch Tuesday set of updates that will disable RC4 in both Internet Explorer 11 on Windows 7 and later and in the Edge browser on Windows 10. As the company describes things: "RC4 is a stream cipher that was first described in 1987, and has been widely supported across web browsers and online services. Modern attacks have demonstrated that RC4 can be broken within hours or days. The typical attacks on RC4 exploit biases in the RC4 keystream to recover repeatedly encrypted plaintexts. In February 2015, these new attacks prompted the Internet Engineering Task Force to prohibit the use of RC4 with TLS. Previously, Microsoft Edge and Internet Explorer 11 allowed RC4 during a fallback from TLS 1.2 or 1.1 to TLS 1.0. A fallback to TLS 1.0 with RC4 is most often the result of an innocent error, but this is indistinguishable from a man-in-the-middle attack. For this reason, RC4 is now entirely disabled by default for Microsoft Edge and Internet Explorer users on Windows 7, Windows 8.1 and Windows 10."

  1. Re:Disable Edge and IE by BradMajors · Score: 4, Informative

    All the millions of people looking over the source code ensures bugs are discovered and fixed quickly.

    Nope. There are many open source projects that have known security bugs which remain unfixed after as long as ten years.

  2. Microsoft Hypocrisy by Anonymous Coward · Score: 4, Informative

    Disables old insecure cipher, while riddling Windows 10 full of spyware.

  3. More eyeballs is a myth by Anonymous Coward · Score: 3, Informative

    Yes, Eric Raymond's Cathedral Bazaar assumed just because source is available people will read it. Just because people can do something doesn't mean they will. They need incentive. Around major open source projects there are enough numbers and focus to allow this, but most open source software has a very small number of people supporting it, if any. Why would I waste my time reading someone else's source code looking for bugs which might be there, or might not be? Even security holes, which I'm not likely to find anyway? Bug bounties are a poor incentive too: you might work your guts out on a piece of code, find nothing, and not be able to pay the rent. You're right not to trust Microsoft at all, but open source has a serious problem with the economics of lack of incentive.

  4. Re:Disable Edge and IE by WaffleMonster · Score: 2, Informative

    Only an open source browser on Firefox running on an open source OS like Linux can truly be secure. All the millions of people looking over the source code ensures bugs are discovered and fixed quickly.

    You mean this Firefox or a different one?

    https://it.slashdot.org/story/...