I'm by no means a crypto expert. Still I'm frequently getting (and answering) questions regarding the use of RC4 in SSL/TLS. Should you disable it? Or keep it enabled?
March 2015 update - A 'new' attack method (Bar Mitsvah Attack) using a previously known RC4 vulnerability was presented, thereby reducing the RC4 security even more.
February 2015 update - RFC 7456 has been published, which effectively prohibits the use of RC4 in TLS.
This document requires that Transport Layer Security (TLS) clientsand servers never negotiate the use of RC4 cipher suites when theyestablish connections. This applies to all TLS versions.
Here is my reasoning to disable all ciphersuites using RC4:
- RC4 is a stream cipher that has been around since 1987. The number and quality of attacks on RC4 (in SSL/TLS) increases. Fact: Attacks on encryption algorithms only get better, they never get worse.
- A lot of sites still enable RC4 in their ciphers, to support a wide browser base. Fact: Even Internet Explorer on Windows XP supports DES-CBC3-SHA (an alternative to one of the RC4 ciphers)
- RC4 is one of the few ciphers that is resistant to the BEAST attack Fact: BEAST is a client-side attack, announced in 2011. Since then, almost all clients (openssl, NSS, SChannel) have mitigations implemented. BEAST can also be mitigated by using TLS 1.1 and TLS 1.2
- A lot of companies can only use Federal Information Processing Standard FIPS PUB 140-2 approved algorithms. Fact: RC4 is not a FIPS-approved algorithm
What do the crypto experts say ?
- Bruce Schneier: Move away from RC4 to something like AES (March 2013)
- Jacob Appelbaum: RC4 is broken in realtime by the NSA. Stop using it (November 2013)
- Microsoft: Disable RC4 (November 2013)
Some form of encryption is always better than no encryption - however you don't want to give visitors of your site a false sense of security. Currently there are better cipher alternatives to RC4.