Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Operating Systems The Internet Windows Communications Encryption Microsoft Network Networking Privacy Security Software

Microsoft Disables RC4 In Internet Explorer 11 and Edge (winbeta.org) 40

An anonymous reader quotes a report from WinBeta: Microsoft released KB3151631 as part of today's Patch Tuesday set of updates that will disable RC4 in both Internet Explorer 11 on Windows 7 and later and in the Edge browser on Windows 10. As the company describes things: "RC4 is a stream cipher that was first described in 1987, and has been widely supported across web browsers and online services. Modern attacks have demonstrated that RC4 can be broken within hours or days. The typical attacks on RC4 exploit biases in the RC4 keystream to recover repeatedly encrypted plaintexts. In February 2015, these new attacks prompted the Internet Engineering Task Force to prohibit the use of RC4 with TLS. Previously, Microsoft Edge and Internet Explorer 11 allowed RC4 during a fallback from TLS 1.2 or 1.1 to TLS 1.0. A fallback to TLS 1.0 with RC4 is most often the result of an innocent error, but this is indistinguishable from a man-in-the-middle attack. For this reason, RC4 is now entirely disabled by default for Microsoft Edge and Internet Explorer users on Windows 7, Windows 8.1 and Windows 10."
This discussion has been archived. No new comments can be posted.

Microsoft Disables RC4 In Internet Explorer 11 and Edge

Comments Filter:
  • by Anonymous Coward

    If you want security, only use open source browsers on an open source OS like Linux. Disable Edge and IE. And disable Windows. Only an open source browser on Firefox running on an open source OS like Linux can truly be secure. All the millions of people looking over the source code ensures bugs are discovered and fixeded quickly. I mean, it's great that Microsoft removes insecure ciphers, but open source is much faster to disable insecure ciphers like RC4.

    • Re: (Score:1, Interesting)

      by Anonymous Coward
      perhaps you might want to go and look at the security vulnerabilities reports for the past few years. IE and Edge suck, but chrome, firefox etc suck even worse.
    • by BradMajors ( 995624 ) on Tuesday August 09, 2016 @06:41PM (#52674933)

      All the millions of people looking over the source code ensures bugs are discovered and fixeded quickly.

      Nope. There are many open source projects that have known security bugs which remain unfixed after as long as ten years.

      • Re: (Score:1, Insightful)

        by Narcocide ( 102829 )

        Yea, but nobody who knows what they're talking about takes noob complaints about BASH vulnerabilities seriously. Sometimes you simply ARE using the wrong tool for the job. I know you Windows users hate being told that though.

        • What about Heartbleed? That was pretty bad.

          I mean, it's not like OpenSSL had a serious vulnerability in its production codebase for years that affected the numerous applications dependent on it.

          It's not like major enterprise vendors such as Cisco and VMware included that code as part of their products.

          • Heartbleed was vulnerable upstream for a very long time. It didn't survive very long after being pushed to Debian stable before it was noticed though. You are probably vastly mistaken about the percentage of critical systems running bleeding-edge builds of stuff in the real world.

      • by Anonymous Coward
        Yes, Eric Raymond's Cathedral Bazaar assumed just because source is available people will read it. Just because people can do something doesn't mean they will. They need incentive. Around major open source projects there are enough numbers and focus to allow this, but most open source software has a very small number of people supporting it, if any. Why would I waste my time reading someone else's source code looking for bugs which might be there, or might not be? Even security holes, which I'm not likely t
        • Yea but just imagine what they could accomplish if they were funded even half as well as your average Microsoft product.

      • All the millions of people looking over the source code ensures bugs are discovered and fixeded quickly.

        Nope. There are many open source projects that have known security bugs which remain unfixed after as long as ten years.

        OpenSSL being case in point.

    • Re: (Score:3, Informative)

      Only an open source browser on Firefox running on an open source OS like Linux can truly be secure. All the millions of people looking over the source code ensures bugs are discovered and fixeded quickly.

      You mean this Firefox or a different one?

      https://it.slashdot.org/story/... [slashdot.org]

  • by Impy the Impiuos Imp ( 442658 ) on Tuesday August 09, 2016 @06:39PM (#52674923) Journal

    It was pointless at this point. Security agencies don't need to waste "hours or days" decrypting weak schemes when they can just use provided backdoors anyway.

    • by cryptizard ( 2629853 ) on Tuesday August 09, 2016 @06:46PM (#52674951)
      Pretty sure most people are worried about attackers other than the government.
      • by SeaFox ( 739806 )

        Pretty sure most people are worried about attackers other than the government.

        Well thank goodness those backdoors only work for the government, and only when the government is doing the "right" thing, and nobody who knows about the backdoors has ever left the government and joined a criminal organization, and the criminals haven't managed to into government jobs ever.

  • by Anonymous Coward

    Dump-a-Drumpf 2016/Forever

  • Microsoft Hypocrisy (Score:4, Informative)

    by Anonymous Coward on Tuesday August 09, 2016 @06:50PM (#52674973)
    Disables old insecure cipher, while riddling Windows 10 full of spyware [extremetech.com].
    • There's nothing hypocritical about it. They are two different things with two different implications. One is about giving the parent entity customer data, the other is preventing other unauthorised people from accessing encrypted data.

  • by Anonymous Coward

    Someone may want to notify HP, Dell and Sun Micro...whoops! Oracle.

    There is a lot of old console interface hardware with baked in low-grade self-signed SSL certs that may never go away.

    Between that and servers using old Java-base consoles some technologies never seem to die.

    It's not like the vendors couldn't patch them. There is just no money in it. Or to be precise current TLS support in your hardware console is another feature to "encourage" an upgrade.

    • by darkain ( 749283 )

      And just for this, is EXACTLY why I still have a Windows XP virtual machine with IE6 and Java 6 on it just to handle administration tasks on legacy equipment. But that VM is locked down to just those tasks on that private network, and never powered on otherwise.

      The hardware in question? Ancient laser printers from the 1990's, more specifically the HP 2100 LaserJet series. They may be a little slow and clunky, but they NEVER fail! And they still have driver support on Windows 10. Can't even tell ya how many

  • by kimvette ( 919543 ) on Tuesday August 09, 2016 @08:44PM (#52675387) Homepage Journal

    Both remaining MSIE users will never notice the difference.

  • Is this submission saying that Release Candidate 4 of IE 11 AND Edge were pulled? I didn't even know there was a Release Candidate 3!
  • by SuperKendall ( 25149 ) on Tuesday August 09, 2016 @11:02PM (#52675907)

    Apple is dropping RC4 support in iOS10.

Every nonzero finite dimensional inner product space has an orthonormal basis. It makes sense, when you don't think about it.

Working...