
Stout nails in RC4's coffin


Two important announcements this week about RC4:

First, Cisco has downgraded the RC4 encryption cipher and marked it as a cipher to "avoid." In other words, web sites should NOT use it to protect things like passwords. This is a revision of their published recommendations for cryptographic algorithms.

Second, Microsoft has published a patch to disable RC4 in its operating systems. The patch removes RC4 as a cipher that the operating system itself will use, though individual applications may still use it if they choose. The software publisher has created a "SCH_USE_STRONG_CRYPTO" flag so applications can indicate that they don't want to use RC4.

When I looked at RC4 usage a couple of weeks ago, I found that most major English-speaking web sites still use it. Even worse, most financial sites I looked at use it, even though RC4 opens a real risk of hackers sniffing financial credentials.
