
Deactivating RC4 in mainstream browsers

Although this is well known among IT people, the revelations of the last weeks and months have raised some security awareness among non-IT people as well. So over Christmas I was asked by several members of my family how to disable insecure encryption in their browsers, as they had learned that most browsers still use an outdated encryption algorithm: RC4.

While assisting members of my family and non-IT friends in securing their systems with these small steps, I came across a number of mainstream browsers, and I'd like to share the settings necessary to deactivate RC4 in each of them.

Unfortunately I have not found any way to disable RC4 ciphers in Safari. If someone has a hint, please let me know in the comments and I'll add it to the post.

Firefox

If you're using Firefox, as I do, open a new Firefox window or tab and type the URL about:config into the address bar. You should see a warning page telling you that everything beyond this point may void your warranty. Click the button acknowledging that you'll be careful. You should then see a window looking pretty much like this (in your configured language, of course).

Firefox - about:config

The really good thing here: the names of the keys are in English anyway, so there's no way to miss the keys we're looking for.

In the search box, type „RC4“. Your list should automatically shrink to six keys:

Firefox RC4 1

Flip all of them from their default value true to the custom value false by double-clicking them. Firefox shows changed keys in bold automatically, which is a good way to verify your edits. Once you close the window or tab, your Firefox no longer uses RC4 and you're just a bit more secure.

Internet Explorer

If you're using Microsoft Internet Explorer, you have to tweak your registry. To do so, create the following keys under the hive „HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\CIPHERS“ using a registry editor and, in each of them, set a DWORD value called „ENABLED“ to 00000000:

  1. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128
  2. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128
  3. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128
There should also be an update that disables the weak RC4 encryption on Windows systems, but sometimes it's better to double up.
 
Chrome / Chromium
 
If you're using Chrome or Chromium, you have to pass the RC4 cipher suites that should be deactivated as a blacklist on the command line that starts your browser. The odd part: there is no documentation about this; everything has to be looked up in the (open) source code. Your new command line will look like this:
 

chromium-browser --cipher-suite-blacklist=0x0001,0x0002,0x0004,0x0005,0x0017,0x0018,0xc002,0xc007,0xc00c,0xc011,0xc016,0xff80,0xff81,0xff82,0xff83

Opera
 
I have not found anything regarding RC4 in the settings of Opera. Searching the Internet only turned up that you can increase your security by disabling anything using MD5 in Opera (potentially causing issues with pages offering MD5 only): open the extended menu, then security options, security protocols, details, and disable all MD5-based methods.
Attention: I have not tested this one myself, so please be careful.
 
Last but not least
 
Last but not least, I'd like to share a link to check which ciphers your browser of choice offers: https://cc.dcsec.uni-hannover.de
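As an added example (not from the original post), here is a small Python check that does offline what such a checker does on its server: it parses the cipher_suites field of a TLS ClientHello and reports any RC4 suites the client still offers, using the RC4 suite IDs from the Chromium blacklist above. The ClientHello is constructed inline for the demonstration; on a real system you would feed it the first record captured from your browser's connection.

```python
import struct

# RC4 suites from the Chromium blacklist above, with their IANA names.
# 0x0001/0x0002 are NULL-cipher suites and 0xff80-0xff83 are private IDs, so
# they are not RC4 and are not listed here.
RC4_SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0018: "TLS_DH_anon_WITH_RC4_128_MD5",
    0xC002: "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
    0xC007: "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
    0xC00C: "TLS_ECDH_RSA_WITH_RC4_128_SHA",
    0xC011: "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    0xC016: "TLS_ECDH_anon_WITH_RC4_128_SHA",
}

def build_client_hello(suites):
    """Build a minimal TLS 1.2 ClientHello record (constructed sample, not a real capture)."""
    body = b"\x03\x03" + bytes(32)                       # client_version, zeroed random
    body += b"\x00"                                      # empty session_id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                  # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record header

def offered_cipher_suites(record):
    """Return the cipher suite IDs a ClientHello record offers, in the client's order."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 4 + 2 + 32                                     # handshake header, version, random
    sid_len = hs[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    if cs_len % 2 or pos + cs_len > len(hs):
        raise ValueError("truncated cipher_suites field")
    return [struct.unpack("!H", hs[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]

def rc4_suites_offered(record):
    """Names of the RC4 suites the client still offers; an empty list means RC4 is off."""
    return [RC4_SUITES[s] for s in offered_cipher_suites(record) if s in RC4_SUITES]
```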
Categories: Encryption, Security