- Aug 22, 2014
- 1,027
How to block the insecure RC4 cipher in Firefox and Chrome
by Martin Brinkmann on July 19, 2015 in Security - Last Update: July 19, 2015 0
Whenever you connect to a secure website using Firefox or any other modern browser, negotiations happen in the background that determine what is being used to encrypt the connection.
RC4 is a stream cipher that is currently supported by most browsers even though it may only be used as a fallback (if other negotiations fail) or for whitelisted sites.
Exploits have come to light in recent time that take advantage of weaknesses in RC4 which allow attackers to run attacks in a reasonable time frame, for instance to decrypt web cookies which often contain authentication information.
Mozilla wanted to remove RC4 from Firefox completely initially in version 38 or 39 of the browser but decided against it based on telemetry data. As it stands right now, RC4 won't be disabled in Firefox 39 or 40.
Tip: you can check if your web browser is vulnerable by visiting this RC4 website. If you see red notifications on the page after the text has been conducted it means that it is vulnerable to attacks.
It needs to be noted that other browsers, Google Chrome for instance, are vulnerable as well. Google is apparently also working on dropping RC4 support completely in Chrome
Full aricle here
by Martin Brinkmann on July 19, 2015 in Security - Last Update: July 19, 2015 0
Whenever you connect to a secure website using Firefox or any other modern browser, negotiations happen in the background that determine what is being used to encrypt the connection.
RC4 is a stream cipher that is currently supported by most browsers even though it may only be used as a fallback (if other negotiations fail) or for whitelisted sites.
Exploits have come to light in recent time that take advantage of weaknesses in RC4 which allow attackers to run attacks in a reasonable time frame, for instance to decrypt web cookies which often contain authentication information.
Mozilla wanted to remove RC4 from Firefox completely initially in version 38 or 39 of the browser but decided against it based on telemetry data. As it stands right now, RC4 won't be disabled in Firefox 39 or 40.
Tip: you can check if your web browser is vulnerable by visiting this RC4 website. If you see red notifications on the page after the text has been conducted it means that it is vulnerable to attacks.
It needs to be noted that other browsers, Google Chrome for instance, are vulnerable as well. Google is apparently also working on dropping RC4 support completely in Chrome
Full aricle here