I was trying to figure out why my libreoffice-bin was throwing an error when I came across Deactivating the RC4 cipher in Firefox, so I looked for some information on why one would do that.

According to Wikipedia:

A double-byte bias attack on RC4 in TLS and SSL that requires 13 × 2²⁰ encryptions to break RC4 was unveiled on 8 July 2013, and it was described as “feasible” in the accompanying presentation at the 22nd USENIX Security Symposium on August 15, 2013. Microsoft recommends disabling RC4 where possible.

A little farther down the excerpt, it says “36.2% (-0.3%) support RC4 suites used with modern browsers” and only “7.6% (+0.3%) not support.” To be honest, I don’t have any clue how the attack is done, since by my own judgment I definitely do not possess any knowledge of Internet security.

However, since far more secure ciphers are available, current websites generally support them, and browsers (or the protocol?) will choose the most secure method available (High-grade Encryption), I decided it might be a good idea to just disable RC4.

1   Testing available ciphers

You can use the following sites to see a list of ciphers available in your browser, which shouldn’t have RC4 listed once you disable those settings:

2   Disabling in Firefox

2.1   Since Firefox 44

Mozilla has planned to disable RC4 by default on January 26, 2016, with the Firefox 44 release. You do not need to do anything from this version on; RC4 is gone for good.

2.2   Since Firefox 36

Since February 2015, with Firefox 36, RC4 has been a fallback-only option controlled by security.tls.unrestricted_rc4_fallback. If you want to turn the RC4 cipher off entirely, set that option to false and you are done.

2.3   Before Firefox 36

The steps are easy: go to about:config, search for rc4, and disable the following six entries by double-clicking each one so that all their values are set to false:

  • security.ssl3.ecdh_ecdsa_rc4_128_sha
  • security.ssl3.ecdh_rsa_rc4_128_sha
  • security.ssl3.ecdhe_ecdsa_rc4_128_sha
  • security.ssl3.ecdhe_rsa_rc4_128_sha
  • security.ssl3.rsa_rc4_128_md5
  • security.ssl3.rsa_rc4_128_sha
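To check that the changes above actually stuck (about:config edits are written to prefs.js in the profile directory as user_pref("name", value); lines), here is an added audit script that is not part of the original post. It parses a prefs.js, reports which of the six pre-Firefox-36 RC4 prefs and the Firefox 36+ fallback pref are not explicitly false, and emits user.js lines that force them off; the sample prefs.js content is constructed for the demonstration.

```python
import re

# The six pre-Firefox-36 RC4 cipher-suite prefs listed above, plus the
# Firefox 36+ fallback switch. A pref absent from prefs.js is still at its
# default, which for these versions was true (enabled).
RC4_PREFS = (
    "security.ssl3.ecdh_ecdsa_rc4_128_sha",
    "security.ssl3.ecdh_rsa_rc4_128_sha",
    "security.ssl3.ecdhe_ecdsa_rc4_128_sha",
    "security.ssl3.ecdhe_rsa_rc4_128_sha",
    "security.ssl3.rsa_rc4_128_md5",
    "security.ssl3.rsa_rc4_128_sha",
    "security.tls.unrestricted_rc4_fallback",
)

# prefs.js lines look like: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(true|false|-?\d+|"[^"]*")\);')

def parse_prefs(text):
    """Return {pref_name: raw_value} for every user_pref line in a prefs.js."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2)
    return prefs

def rc4_still_enabled(prefs):
    """Names of RC4 prefs not explicitly set to false (i.e. still enabled)."""
    return [p for p in RC4_PREFS if prefs.get(p) != "false"]

def user_js_fix(enabled):
    """user.js lines that force the given prefs to false on every start."""
    return "\n".join('user_pref("%s", false);' % p for p in enabled)

# Constructed sample prefs.js: only two of the six RC4 suites were turned off.
SAMPLE_PREFS_JS = """\
# Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("security.ssl3.rsa_rc4_128_md5", false);
user_pref("security.ssl3.rsa_rc4_128_sha", false);
user_pref("security.tls.version.min", 1);
"""

if __name__ == "__main__":
    left = rc4_still_enabled(parse_prefs(SAMPLE_PREFS_JS))
    print("RC4 prefs still enabled:", left)
    print(user_js_fix(left))
```

Point the script at the real prefs.js of a profile (Firefox must be closed, since it rewrites the file on exit) and append the emitted lines to user.js in the same directory to make the setting survive future sessions.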

You can try to find one server to test:

$ echo Q | openssl s_client -connect <SERVER>:443 | grep "Cipher"
depth=1 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = Terms of use at https://www.verisign.com/rpa (c)06, CN = VeriSign Class 3 Extended Validation SSL CA
verify error:num=20:unable to get local issuer certificate
verify return:0
DONE
New, TLSv1/SSLv3, Cipher is RC4-SHA
    Cipher    : RC4-SHA

If no common cipher is available, you will get this typical error when you connect to an RC4-only website in Firefox:

The connection was reset

The connection to the server was reset while the page was loading.

3   Disabling in Chrome

As for Chrome (currently 31.0.1650.57:stable), you will need to launch it with:

--cipher-suite-blacklist=0x0004,0x0005,0xc011,0xc007

in order to disable the following four ciphers:

Spec     Cipher Suite Name        Key Size   Description
(00,04)  RSA-RC4128-MD5           128 Bit    Key exchange: RSA, encryption: RC4, MAC: MD5.
(00,05)  RSA-RC4128-SHA           128 Bit    Key exchange: RSA, encryption: RC4, MAC: SHA1.
(c0,07)  ECDHE-ECDSA-RC4128-SHA   128 Bit    Key exchange: ECDH, encryption: RC4, MAC: SHA1.
(c0,11)  ECDHE-RSA-RC4128-SHA     128 Bit    Key exchange: ECDH, encryption: RC4, MAC: SHA1.