Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft Disables RC4 In Internet Explorer 11 and Edge (winbeta.org)

Posted by BeauHD on from the decades-later dept.

An anonymous reader quotes a report from WinBeta: Microsoft released KB3151631 as part of today's Patch Tuesday set of updates that will disable RC4 in both Internet Explorer 11 on Windows 7 and later and in the Edge browser on Windows 10. As the company describes things: "RC4 is a stream cipher that was first described in 1987, and has been widely supported across web browsers and online services. Modern attacks have demonstrated that RC4 can be broken within hours or days. The typical attacks on RC4 exploit biases in the RC4 keystream to recover repeatedly encrypted plaintexts. In February 2015, these new attacks prompted the Internet Engineering Task Force to prohibit the use of RC4 with TLS. Previously, Microsoft Edge and Internet Explorer 11 allowed RC4 during a fallback from TLS 1.2 or 1.1 to TLS 1.0. A fallback to TLS 1.0 with RC4 is most often the result of an innocent error, but this is indistinguishable from a man-in-the-middle attack. For this reason, RC4 is now entirely disabled by default for Microsoft Edge and Internet Explorer users on Windows 7, Windows 8.1 and Windows 10."

5 of 40 comments (clear)

  1. Disable Edge and IE by Anonymous Coward · · Score: 2, Insightful

    If you want security, only use open source browsers on an open source OS like Linux. Disable Edge and IE. And disable Windows. Only an open source browser on Firefox running on an open source OS like Linux can truly be secure. All the millions of people looking over the source code ensures bugs are discovered and fixeded quickly. I mean, it's great that Microsoft removes insecure ciphers, but open source is much faster to disable insecure ciphers like RC4.

    1. Re:Disable Edge and IE by Narcocide · · Score: 1, Insightful

      Yea, but nobody who knows what they're talking about takes noob complaints about BASH vulnerabilities seriously. Sometimes you simply ARE using the wrong tool for the job. I know you Windows users hate being told that though.

  2. Hours or days vs. nanoseconds to spy by Impy+the+Impiuos+Imp · · Score: 2, Insightful

    It was pointless at this point. Security agencies don't need to waste "hours or days" decrypting weak schemes when they can just use provided backdoors anyway.

    --
    (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
    1. Re:Hours or days vs. nanoseconds to spy by cryptizard · · Score: 4, Insightful

      Pretty sure most people are worried about attackers other than the government.

  3. ancient management consoles by Anonymous Coward · · Score: 2, Insightful

    Someone may want to notify HP, Dell and Sun Micro...whoops! Oracle.

    There is a lot of old console interface hardware with baked in low-grade self-signed SSL certs that may never go away.

    Between that and servers using old Java-base consoles some technologies never seem to die.

    It's not like the vendors couldn't patch them. There is just no money in it. Or to be precise current TLS support in your hardware console is another feature to "encourage" an upgrade.