It's time to say goodbye to RC4, finally.

Post by Moonchild » 2015-02-23, 21:35

Remember, a little over a year ago, when I made the decision to disable RC4 ciphers by default?
Pale Moon release notes for 24.1.0 wrote:
    Two SSL ciphers that are considered weak are disabled by default (RSA-RC4-128-MD5 and RSA-RC4-128-SHA). If you are having trouble reaching certain encrypted sites that exclusively use these encryption methods, you should ask the site owners to update their SSL configuration to allow stronger encryption.
I was ahead of my time there, apparently, as it caused too many issues for too many people, forcing me to revert this a week later in 24.1.1.
RC4 has been at the bottom end of the priority list of ciphers in Pale Moon, meaning it would only be used as a last resort.

How much things can change in a year, sometimes... :)

The internet has moved on, and with the emergence of RFC 7465, Cloudflare disabling RC4 permanently on all of its millions of SSL websites, and there being whispers in academic circles of a different, much easier attack on RC4 to break its encryption, I'll be switching RC4 off again in Pale Moon 25.3.

This is a change of a default setting, and if you really, really need it, you can re-enable RC4 in the browser (e.g. by using Pale Moon Commander) for as long as you need it (there are currently no plans to actually remove the cipher from the back-end). If you must enable a deprecated cipher, at this point I would actually suggest 3DES (the ciphers in Pale Moon Commander indicated with DES-EDE3) over RC4, because from a cryptographic point of view it doesn't suffer from the type of known weaknesses that have surfaced for RC4.

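As an added illustration (not part of the post above, and not Pale Moon or NSS code), the following Python models what the two policies in the post mean at the handshake level: RC4 kept as a last-resort entry at the bottom of the client's preference list, versus RC4 removed from the list entirely. The cipher suite names are standard TLS names, but the client and server lists are constructed for the example. The point it makes is that a client's ordering only matters when the server honours client preference; a server that prefers RC4 or offers nothing else will still get RC4 from a client that merely ranks it last, and only refusing the suite outright changes that outcome.

```python
# Constructed example: client and server cipher-suite lists are made up for
# illustration; the suite names themselves are standard TLS identifiers.

# Client preference list modelled on the situation described in the post:
# strong suites first, 3DES near the end, RC4 as the very last resort.
CLIENT_SUITES_RC4_LAST = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_RC4_128_MD5",
]

# Three constructed server configurations.
RC4_ONLY_SERVER = [
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_RC4_128_MD5",
]
# A server that also offers AES but lists RC4 first in its own preference order.
RC4_FIRST_SERVER = [
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]
# A legacy server that offers only the two deprecated families.
LEGACY_SERVER = [
    "TLS_RSA_WITH_RC4_128_MD5",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]


def is_rc4(suite):
    """True for any suite whose bulk cipher is RC4."""
    return "_RC4_" in suite


def is_3des(suite):
    """True for any suite whose bulk cipher is triple-DES (DES-EDE3)."""
    return "_3DES_" in suite


def disable_rc4(suites):
    """Return the client list with every RC4 suite removed, i.e. the
    'switched off by default' policy the post announces."""
    return [s for s in suites if not is_rc4(s)]


def negotiate(client_suites, server_suites, server_preference=True):
    """Return the suite a TLS handshake would select, or None when the two
    sides share no suite (the server would send handshake_failure).

    With server_preference the server walks its own list and picks the first
    suite the client also offered; otherwise it follows the client's order.
    Either way the client's ordering of RC4 is irrelevant once the server
    offers nothing else."""
    common = set(client_suites) & set(server_suites)
    order = server_suites if server_preference else client_suites
    for suite in order:
        if suite in common:
            return suite
    return None


def compare_policies(server_suites):
    """Show the outcome for one server under both client policies."""
    return {
        "rc4_last": negotiate(CLIENT_SUITES_RC4_LAST, server_suites),
        "rc4_disabled": negotiate(disable_rc4(CLIENT_SUITES_RC4_LAST), server_suites),
    }


if __name__ == "__main__":
    for name, server in [("RC4-only", RC4_ONLY_SERVER),
                         ("RC4-first", RC4_FIRST_SERVER),
                         ("RC4+3DES legacy", LEGACY_SERVER)]:
        result = compare_policies(server)
        print(f"{name:16} last-resort RC4 -> {result['rc4_last']}")
        print(f"{'':16} RC4 disabled    -> {result['rc4_disabled']}")
```

Running it shows the RC4-only server negotiating RC4 under the old policy and failing under the new one, the RC4-first server handing out RC4 to the "last resort" client but AES once RC4 is refused, and the legacy server falling back to 3DES, which is the fallback the post recommends if a deprecated cipher must be turned on at all.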