Qualys Blog

www.qualys.com
Ivan Ristic

New Penalty for RC4-Only Servers in October 2015

In October 2015, SSL Labs will start to fail (F) RC4-only servers. This change is a replacement for the second phase of our RC4 deprecation plan, which we announced in May 2015. We are adjusting our approach to avoid creating grading loopholes. (You can find out more about that here.)

The RC4 cipher is insecure and must be phased out. The IETF published RFC 7465 in February 2015 to formally deprecate RC4. In September 2015, Google, Microsoft and Mozilla announced that they will be removing RC4 from their browsers in early 2016. As a result of that change, RC4-only web sites will stop functioning in modern browsers. Our grading update will thus not only indicate the problems with RC4, but serve as an early warning system to help organisations migrate to better security in time.
