RC4 is a 28 year old cipher that has done remarkably well, but it is now the subject of several, significant attacks. The IETF has decided that RC4 is sufficiently bad to warrant a statement that it must no longer be used (RFC 7465). When Chrome makes an HTTPS connection it has an implicit duty to do what it can to ensure that the connection is secure. At this point, the use of RC4 in an HTTPS connection is falling below that bar.




Established standard

Status in Chromium


Removed (tracking bug) in:

  • Chrome for desktop release 48
  • Chrome for Android release 48
  • Chrome for iOS release 48
  • Android WebView release 48

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.


Search tags

rc4, tls, ssl,

Last updated on 2021-02-04