Companies are encouraged to use TLS 1.2 where possible

Aug 10, 2016 12:20 GMT

With the release of Windows update KB3151631 on August 9, 2016, Microsoft has officially removed support for the RC4 cipher in its browsers, Internet Explorer 11 and Edge.

The company first announced the change in September 2015, alongside similar statements from other browser vendors such as Google and Mozilla, which are also in the process of removing RC4 support.

For many years, RC4 has been considered an insecure stream cipher, ever since security researchers demonstrated attacks that broke RC4 keystreams in as little as a few hours.

Regardless, RC4 remained a popular cipher choice in products and protocols such as WEP, WPA, SSH, TLS/SSL, RDP, PDF, Kerberos, SASL, Skype, BitTorrent, and more.

RC4 received its deathblow in February 2015, when the Internet Engineering Task Force (IETF) prohibited the use of RC4 in TLS. Soon after, software vendors started phasing out support.

Edge and IE11 did not offer RC4 as a primary cipher choice; they used it only when falling back from TLS 1.2 or 1.1 to TLS 1.0. In most cases this fallback was caused by implementation errors, but an attacker could force the downgrade and then carry out MitM attacks on the encrypted traffic.

"For this reason, RC4 is now entirely disabled by default for Microsoft Edge and Internet Explorer users on Windows 7, Windows 8.1 and Windows 10," explained Brent Mills, Senior Program Manager for Windows Experience.

Microsoft had been advising companies since 2013 to disable RC4 support in their products and to move to TLS 1.2.
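The KB update covers Edge and IE11, but the same advice applies to every Windows component that negotiates TLS through SCHANNEL. The following PowerShell script is an added example, not part of the article or any Microsoft tooling: it audits the documented SCHANNEL registry locations for the four RC4 variants and for TLS 1.2, and with `-Apply` disables RC4 and enables TLS 1.2. The `-Apply` switch and the output format are this example's own choices.

```powershell
# Added example: audit (and with -Apply, harden) the SCHANNEL cipher and protocol
# settings that Internet Explorer and other Windows TLS users depend on.
# Run from an elevated PowerShell; SCHANNEL only reads these values at boot.
param([switch]$Apply)

$Base = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
# The cipher subkey names contain '/', which the HKLM:\ provider treats as a
# path separator, so the .NET Registry class is used instead of HKLM:\ paths.
$Rc4Keys   = @('RC4 128/128', 'RC4 64/128', 'RC4 56/128', 'RC4 40/128')
$Tls12Keys = @('Protocols\TLS 1.2\Client', 'Protocols\TLS 1.2\Server')

function Get-SchannelValue([string]$SubKey, [string]$Name) {
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$Base\$SubKey")
    if ($null -eq $key) { return $null }   # key absent: the OS built-in default applies
    try { return $key.GetValue($Name) } finally { $key.Close() }
}

function Set-SchannelValue([string]$SubKey, [string]$Name, [int]$Value) {
    $key = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$Base\$SubKey")
    try { $key.SetValue($Name, $Value, [Microsoft.Win32.RegistryValueKind]::DWord) }
    finally { $key.Close() }
}

# RC4 is only reliably off when Enabled is explicitly 0 for every variant;
# a missing key means the OS default, which on older Windows leaves RC4 on.
foreach ($k in $Rc4Keys) {
    $enabled = Get-SchannelValue "Ciphers\$k" 'Enabled'
    $state = if ($enabled -eq 0) { 'disabled' } else { 'NOT explicitly disabled' }
    Write-Output ('{0,-12} {1}' -f $k, $state)
    if ($Apply) { Set-SchannelValue "Ciphers\$k" 'Enabled' 0 }
}

# TLS 1.2 is usable only if Enabled is not 0 and DisabledByDefault is not 1.
foreach ($k in $Tls12Keys) {
    $enabled = Get-SchannelValue $k 'Enabled'
    $dbd     = Get-SchannelValue $k 'DisabledByDefault'
    $state = if ($enabled -eq 0 -or $dbd -eq 1) { 'not active' } else { 'active or OS default' }
    Write-Output ('{0,-24} {1}' -f $k, $state)
    if ($Apply) {
        Set-SchannelValue $k 'Enabled' 1
        Set-SchannelValue $k 'DisabledByDefault' 0
    }
}
if ($Apply) { Write-Output 'Settings written; reboot for SCHANNEL to reload them.' }
```

Run it without `-Apply` first to see the current state, since a missing key reports the OS default rather than an explicit setting.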