September 1, 2015 10:15 am

Ending support for the RC4 cipher in Microsoft Edge and Internet Explorer 11

Today, Microsoft is announcing the end of support for the RC4 cipher in Microsoft Edge and Internet Explorer 11. Starting in early 2016, the RC4 cipher will be disabled by default and will not be used during TLS fallback negotiations.

There is consensus across the industry that RC4 is no longer cryptographically secure. Our announcement aligns with today’s announcements from Google and Mozilla, who are ending support for RC4 in Chrome and Firefox.

What is RC4?

RC4 is a stream cipher that was first described in 1987, and has been widely supported across web browsers and online services. Modern attacks have demonstrated that RC4 can be broken within hours or days. The typical attacks on RC4 exploit biases in the RC4 keystream to recover repeatedly encrypted plaintexts. In February 2015, these new attacks prompted the Internet Engineering Task Force to prohibit the use of RC4 with TLS.

Microsoft Edge and Internet Explorer 11 only utilize RC4 during a fallback from TLS 1.2 or 1.1 to TLS 1.0. A fallback to TLS 1.0 with RC4 is most often the result of an innocent error, but this is indistinguishable from a man-in-the-middle attack. For this reason, RC4 will be entirely disabled by default for all Microsoft Edge and Internet Explorer users on Windows 7, Windows 8.1 and Windows 10 starting in early 2016.

How can I prepare?

We expect that most users will not notice this change. The percentage of insecure web services that support only RC4 is known to be small and shrinking.

If your web service relies on RC4, you will need to take action. Since 2013, Microsoft has recommended that customers enable TLS 1.2 in their services and remove support for RC4. For additional details, please see Security Advisory 2868725.
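One way to find out whether a service still selects RC4 is to inspect the ServerHello it returns, for example in handshakes captured at a load balancer. The parser below is an added example, not code from Microsoft or from the advisory; the function names are hypothetical, the sample records are constructed, and the suite table covers only the commonly deployed RC4 code points.

```python
import struct
from typing import Optional, Tuple

# Commonly deployed RC4 suites and their IANA code points (not the full registry).
RC4_SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0xC007: "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
    0xC011: "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
}
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

def parse_server_hello(record: bytes) -> Tuple[int, int]:
    """Return (negotiated version, selected suite) for TLS 1.2 and earlier."""
    if len(record) < 5:
        raise ValueError("record header truncated")
    ctype, _legacy_version, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    if ctype != 0x16 or rec_len < 4 or len(body) != rec_len or body[0] != 0x02:
        raise ValueError("not a complete ServerHello handshake record")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    if len(hello) < 35:                 # version(2) + random(32) + sid_len(1)
        raise ValueError("ServerHello truncated")
    sid_end = 35 + hello[34]
    if len(hello) < sid_end + 3:        # cipher suite(2) + compression(1)
        raise ValueError("ServerHello truncated")
    version = int.from_bytes(hello[:2], "big")
    suite = int.from_bytes(hello[sid_end:sid_end + 2], "big")
    return version, suite

def rc4_finding(record: bytes) -> Optional[str]:
    """Describe the negotiation if the server selected RC4, else return None."""
    version, suite = parse_server_hello(record)
    if suite not in RC4_SUITES:
        return None
    return f"{VERSIONS.get(version, hex(version))} with {RC4_SUITES[suite]}"

def sample_server_hello(version: int, suite: int) -> bytes:
    """Constructed input: minimal ServerHello, all-zero random, empty session id."""
    hello = struct.pack("!H32sBHB", version, bytes(32), 0, suite, 0)
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 0x16, version, len(handshake)) + handshake

if __name__ == "__main__":
    print(rc4_finding(sample_server_hello(0x0301, 0x0005)))  # TLS 1.0 fallback to RC4
    print(rc4_finding(sample_server_hello(0x0303, 0xC02F)))  # AES-GCM suite, no finding
```

A finding of "TLS 1.0 with ... RC4 ..." is the fallback case described above: the connection that will stop working in Microsoft Edge and Internet Explorer 11 once RC4 is disabled.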

– Alec Oot, Program Manager, Customer Experience

Updated September 1, 2015 2:22 pm

Join the conversation

  1. Any news? Suggesting since Feb, but nobody is listening (even though available in all modern well-developed browsers from Chrome, Opera, UC Browser, Safari)

    – Automatic Bing translation on Lumia + PC
    * Unable to download files of more than 1 GB from Mega cloud storage (it says you need a more modern, efficient browser to download)

    * When I am downloading files (if I press clear all browsing, it turns the current download into Partial and stops it), but in all modern browsers it only clears previous downloads and the current download continues

    * Right click on favorite bookmark to create new folder and right click on new folder to rename and create sub-folder

    * Right click on favorite bookmark to rename bookmark

    * Ability to move bookmark from one folder to another

    Please – these are available in all well-developed modern browsers

    • And also file downloads don’t show (net speed, total file size and MB/GB currently downloaded)

      but these are available in all big-brand browsers

    • Hi Aakash,

      Thanks for your input. The best place for feature requests like the above is the Send Feedback tool in the browser, or the Microsoft Edge uservoice page here: https://windows.uservoice.com/forums/285214-microsoft-edge. This blog is focused on the developer audience and the web platform, so it generally isn’t the place to discuss client app features like those listed above.

  2. Thanks guys.

    I was looking at a hand crafted crypto suite list (for Schannel) yesterday and noticed that the RC4’s put in there (involuntarily) had been removed. Guess that was an update. I’d prefer a polite notification but good to see them gone.

    We might look back in a few years and shake our heads at those ECDHE’s too!

  3. @AAKASH SHARMA:
    The thing with Mega isn’t really just Edge.
    The site tries to get you to use a plugin to download files larger than 1GB. But since Edge doesn’t yet have a plugin model, it assumes that it is IE that is viewing the page and comes up with that. If you look, it also says that it detected you using IE.
    The Edge team has already announced that a plugin model will become available at some point. I think it was something like around the first or second big Windows 10 rollup. So for that, it is just a matter of waiting.
    If you want the feedback to be received more efficiently, the browser itself does have a send feedback option. This would be better than posting in comments on a blog.

  4. Thanks guys. Happy that RC4 is finally going away.

    Do have concern over Google’s announcement at “http://googleonlinesecurity.blogspot.sg/2015/09/disabling-sslv3-and-rc4.html”.

    Under “Minimum standards for TLS clients”, clients are expected to support TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 cipher. This is OK for Windows 10. However, IE on Win 7/8 and Server 2008/2012 do not support this cipher. So how do we connect to Google GMail or YouTube? Make Google API calls?

    For desktop clients, we can install another browser though we prefer IE.
    But what about .NET applications that use the same SCHANNEL protocol?
    Any plans to add TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 cipher support to Win 7/8 and Server 2008/2012?