Remove RC4 (removed)

RC4 is a 28 year old cipher that has done remarkably well, but it is now the subject of several, significant attacks. The IETF has decided that RC4 is sufficiently bad to warrant a statement that it must no longer be used (RFC 7465). When Chrome makes an HTTPS connection it has an implicit duty to do what it can to ensure that the connection is secure. At this point, the use of RC4 in an HTTPS connection is falling below that bar.

Demo

• https://rc4.badssl.com

Documentation

• https://groups.google.com/a/chromium.org/forum/#!msg/security-dev/kVfCywocUO8/vgi_rQuhKgAJ

Specification

Established standard

Status in Chromium

Blink components: Blink

Removed (launch bug) in:

• Chrome for desktop release 48
• Chrome for Android release 48
• Chrome for iOS release 48
• Android WebView release 48

Consensus & Standardization

• Firefox: In development
• Edge: In development
• Safari: No public signals
• Web Developers: No signals

Owners

• davidben@chromium.org
• rsleevi@chromium.org
• agl@chromium.org

Last updated on 2017-06-14