After years of security experts demanding the RC4 stream cipher be
deprecated, Google, Mozilla, and Microsoft announced Tuesday they will
officially remove the encryption algorithm from their respective Web
browsers by early 2016.
Introduced in 1987, RC4 is a stream cipher widely used in various
communications protocols to protect packets from eavesdroppers. Web
applications and VPNs have used RC4 to protect sensitive network
traffic, for example. However, researchers have uncovered multiple
vulnerabilities over the years illustrating how attackers can decrypt
messages secured with RC4 within days. Experts recommend switching to
stronger cryptographic alternatives instead.
Mozilla will lead the way with Firefox 44, scheduled for release on Jan.
26, 2016. RC4-free versions of Chrome, Internet Explorer 11, and
Microsoft Edge will be available by the end of February 2016. Apple did
not respond to queries regarding its plans for Safari, nor did Opera
Software.
At the moment, TLS will try to negotiate a handshake using a strong
cipher, but if the client trying to connect only supports a weaker
protocol, TLS will fall back to less robust alternatives. For example,
Microsoft Edge and Internet Explorer 11 use RC4 only when falling back
from TLS 1.2/1.1 to TLS 1.0. With the change, if a server tries to use
RC4, the browsers will fail the handshake and users won’t be able to
connect to the server or Web application.
“This move is basically [the browsers] saying, ‘Instead of backing off
to a sketchy cipher solution, we'll fail closed,’” said Scott Petry,
co-founder and CEO of Authentic8.
The announcement is long overdue and one the information security
community knew was coming. Microsoft has been telling developers to drop
RC4 from their applications since 2013. “In light of recent research
into practical attacks on biases in the RC4 stream cipher, Microsoft is
recommending that customers enable TLS 1.2 in their services and take
steps to retire and deprecate RC4 as used in their TLS implementations,”
wrote Microsoft’s William Peteroy in a blog post at the time. (Peteroy is now at security startup Icebrg.io.)
The official recommendation was to use TLS 1.2 with AES-GCM. Cisco made
similar recommendations to its customers. In February, the Internet
Engineering Task Force said TLS clients and servers should never
negotiate the use of RC4 when establishing connections.
From a practical standpoint, the changes to the browsers won’t have a
visible impact, as the number of users using RC4 is very, very low.
Google’s Adam Langley noted that only 0.13 percent of HTTPS connections
made by Chrome users (who have opted into statistics collection)
currently go through RC4. About 0.08 percent of Firefox users still work
with RC4, said Mozilla security engineer Richard Barnes.
In fact, 42 percent of servers worldwide currently do not support RC4,
according to current data from SSL Pulse. The remaining servers support
an RC4-enabled connection, but that doesn’t necessarily mean the servers
are creating RC4 sessions, said Kevin Bocek, vice president of security
strategy at Venafi. CloudFlare deprioritized RC4 from all its servers
back in 2014 and found that only 0.0009 percent of traffic actually
attempted to connect to its servers using the weaker cipher.
“For most users this is already a nonissue,” Bocek said. There have been
ways to disable RC4 in Internet Explorer and on the server side since
at least 2013. The announcement illustrates exactly how long it takes to
properly deprecate cryptographic algorithms. It has been “a long
farewell to RC4,” he said.
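The server-side fix the article refers to (dropping RC4 and requiring TLS 1.2 with AES-GCM, as Microsoft recommended) comes down to the cipher list a server offers. The following is an added example, not code from the article or from any of the vendors named in it. It uses Python's standard `ssl` module to build a server context that refuses RC4 and anything below TLS 1.2, and a small audit helper that flags RC4 suites in a list of advertised cipher names. The suite list `SAMPLE_SERVER_SUITES` and both cipher strings are constructed for illustration, not taken from any real scan or product configuration.

```python
import ssl

# Constructed sample: cipher suites as a legacy server might advertise
# them, in OpenSSL naming. Illustrative only, not from a real scan.
SAMPLE_SERVER_SUITES = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-SHA",
    "AES128-SHA",
    "RC4-SHA",
    "ECDHE-RSA-RC4-SHA",
]

# OpenSSL cipher strings, assumed for this example.
# The weak setting keeps RC4 around as a fallback; the corrected one
# offers only AES-GCM suites with forward-secret key exchange and
# explicitly excludes RC4 (current OpenSSL builds usually omit RC4
# anyway, so the legacy string is shown here only for contrast).
LEGACY_CIPHERS = "HIGH:MEDIUM:RC4-SHA:!aNULL"
HARDENED_CIPHERS = "ECDHE+AESGCM:DHE+AESGCM:!aNULL:!MD5:!RC4"


def audit_suites(suites):
    """Classify an advertised suite list: which entries are RC4, which are
    TLS 1.2 AEAD (AES-GCM) suites, and whether RC4 can be dropped while
    still leaving a modern suite for clients to negotiate."""
    rc4 = [s for s in suites if "RC4" in s.upper()]
    aes_gcm = [s for s in suites if "GCM" in s.upper()]
    return {
        "rc4_suites": rc4,
        "aes_gcm_suites": aes_gcm,
        "safe_to_drop_rc4": bool(aes_gcm),
    }


def hardened_context():
    """Server context that fails closed: TLS 1.2 minimum, AES-GCM only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(HARDENED_CIPHERS)
    return ctx


def context_offers_rc4(ctx):
    """True if any suite the context would negotiate uses RC4."""
    return any("RC4" in c["name"] for c in ctx.get_ciphers())


def enforces_tls12(ctx):
    """True if the context refuses TLS 1.1 and below."""
    return ctx.minimum_version >= ssl.TLSVersion.TLSv1_2


if __name__ == "__main__":
    report = audit_suites(SAMPLE_SERVER_SUITES)
    print("RC4 suites advertised:", report["rc4_suites"])
    print("AES-GCM suites available:", report["aes_gcm_suites"])
    print("Safe to drop RC4:", report["safe_to_drop_rc4"])
    ctx = hardened_context()
    print("Hardened context offers RC4:", context_offers_rc4(ctx))
    print("Hardened context enforces TLS 1.2:", enforces_tls12(ctx))
```

The audit helper is deliberately name-based so it can be run over the output of any scanner that reports OpenSSL-style suite names; the context builder is the part you would wire into an actual listener, and `get_ciphers()` lets you verify what the running OpenSSL will really offer rather than trusting the cipher string alone.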
Over the past decade, researchers have demonstrated how attackers can
break RC4 and decrypt protected messages, given enough time and
processing power. Documents stolen by Edward Snowden revealed
intelligence agencies in the United States and United Kingdom were
capable of breaking RC4 encryption. Last month, two Belgian security
researchers at the Usenix Security Symposium described how an attacker
could capture a victim’s cookie and decrypt it within 75 hours, making
attacks against RC4 more practical and attainable.
Back in March, researchers from Johns Hopkins University and the
University of London illustrated how attackers could target RC4 to
harvest user passwords. The continued use of RC4 in TLS is "increasingly
indefensible," and attacks against the scheme are getting better and
easier, wrote Christina Garman, a doctoral student at Johns Hopkins
University; Kenny Paterson, a professor with the Information Security
Group at Royal Holloway, University of London; and Thyla van der Merwe, a
research student at Royal Holloway, University of London.
RC4 “needs to die,” wrote Garman, Paterson, and van der Merwe in the paper's abstract.
Die it shall, when major browsers stop supporting RC4 early next year.
If developers are still using RC4, it's past time they stopped, and
administrators need to get cracking on properly securing their servers.