« OpenSSL Cookbook 2nd Edition released | Main | What's new in SSL Labs 1.16 »

SSL Labs RC4 deprecation plan

April 23, 2015

Nobody wants to use RC4. This well known stream cipher would have been retired long time ago if it weren't for several critical problems in SSL and TLS, problems that affect block ciphers only–for example, BEAST, Lucky 13, and POODLE. So RC4 ended up being the lesser evil.

Take BEAST, for example. There are mitigations for it (the so-called 1/n-1 split) in all major browsers, but there's also potentially a large number of users who are not updating their browsers (or operating systems). For POODLE, on the other hand, we don't have a workaround. Those who can disable SSLv3 are lucky, because they don't have to worry about this problem. Anecdotally, there are still many companies that can't do that. Small sites usually don't have to worry about these problems, but, for large companies, the worry is about the long tail of vulnerable clients.

So it seems that we have two large groups: in one corner are users with modern software. They support TLS 1.2 and modern cipher suites. They are safe. In the other corner we have those with old SSL/TLS stacks, who support TLS 1.0 at best; some of them might be vulnerable to the BEAST attack, and most of them to POODLE as well. At SSL Labs, we want to fully deprecate RC4, but we don't want to penalise those who continue to need this cipher to support old clients. After all, there are no publicly-known feasible attacks against RC4, but there are such attacks for BEAST and POODLE.

At the moment, when a server offers RC4, we cap the grade at B, because we deem that the server supports an undesirable encryption algorithm. Although it might be all right to continue to use RC4 in some cases, it's only fair to give a better grade to those servers that do not use it.

In the future, we're going to start differentiating between servers that use RC4 with everyone and those that use it only with older clients. If you're using RC4 only with SSL 3 and TLS 1.0, your grade will continue to be capped at B. However, if you're using RC4 with TLS 1.1 or a better protocol, the penalty will be harsher.

In order to give time to server operators to act, we will increase the penalty in two steps. The first change will be in May, about one month from now, when we will start penalising servers that use RC4 with modern clients. They will be capped at C (now B). Several months after that (tentatively September), we will increase the penalty to F.

To sum up:

  1. If you want the best grade, don't use RC4. This is the only recommended option.
  2. If you feel that you need to continue to use RC4 for older clients, you'll get a B if you properly configure your systems.
  3. Otherwise, the penalty for using RC4 with modern clients (TLS 1.1+) will increase to a C in about one month, and then an F in a couple of months after that.
MY BOOK: If you like this blog post, you will love Bulletproof SSL and TLS. For system administrators, developers, and IT security professionals, this book provides a comprehensive coverage of the ever-changing field of SSL/TLS and Internet PKI and will teach you everything you need to know to protect your systems from eavesdropping and impersonation attacks. It's available now.