Wednesday, November 13, 2013

Deactivating the RC4 cipher in Firefox

This has probably been blogged, reblogged, and reblogged again. Anyway... The RC4 cipher is considered broken; however, many HTTPS websites still use it as their default, and Firefox even displays these connections as "high grade encryption". What can you do? Disable RC4 in the Firefox configuration!
  1. Call up the configuration page by typing about:config in the address bar.
  2. Firefox may pop up a warning along the lines of "here ends your warranty". If it does that, confirm that you'll be careful. 
  3. At the top of the page, above the many config settings, there's now a search bar. Enter RC4
  4. The search results show the various cipher combinations that use this encryption standard (6 lines here). Double-click on each of these 6 lines (e.g. security.ssl3.rsa_rc4_128_md5) to toggle them from "true" to "false". 
  5. That's it, you're done.
Note that if a web site ONLY supports RC4 then you'll end up with a connection error now. You probably shouldn't go there anyway though.
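
To check that all six toggles really took effect, here is an added example (not part of the original post) that reads a profile's prefs.js text, lists the RC4 prefs that are still enabled, and builds user.js lines that force them off at every start. Only security.ssl3.rsa_rc4_128_md5 is named above; the other five pref names are an assumption based on Firefox releases of this period, and the sample prefs.js content is constructed.

```python
import re

# Assumption: the six RC4 prefs as named in Firefox releases of this period.
# Only the first appears in the post; confirm the rest in about:config.
RC4_PREFS = [
    "security.ssl3.rsa_rc4_128_md5",
    "security.ssl3.rsa_rc4_128_sha",
    "security.ssl3.ecdhe_rsa_rc4_128_sha",
    "security.ssl3.ecdhe_ecdsa_rc4_128_sha",
    "security.ssl3.ecdh_rsa_rc4_128_sha",
    "security.ssl3.ecdh_ecdsa_rc4_128_sha",
]

# Matches boolean entries as Firefox writes them in prefs.js / user.js.
PREF_LINE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(true|false)\s*\);', re.M)

def parse_bool_prefs(text):
    """Return {pref name: bool} for every boolean user_pref() line."""
    return {name: value == "true" for name, value in PREF_LINE.findall(text)}

def still_enabled(text, names=RC4_PREFS):
    """List RC4 prefs that are not explicitly false in the given prefs text.

    prefs.js only stores values changed from the default, and the default
    for these prefs is true, so a missing entry counts as enabled.
    """
    prefs = parse_bool_prefs(text)
    enabled = [n for n in names if prefs.get(n, True)]
    # Also flag RC4-looking prefs that are not in the expected list.
    enabled += [n for n, v in prefs.items() if "rc4" in n and v and n not in names]
    return enabled

def user_js(names=RC4_PREFS):
    """Build user.js lines that force every listed pref to false at startup."""
    return "".join(f'user_pref("{n}", false);\n' for n in names)

# Constructed sample: a profile where only two of the six were toggled.
SAMPLE_PREFS_JS = '''\
user_pref("browser.startup.homepage", "about:blank");
user_pref("security.ssl3.rsa_rc4_128_md5", false);
user_pref("security.ssl3.rsa_rc4_128_sha", false);
user_pref("security.ssl3.ecdhe_rsa_rc4_128_sha", true);
'''

if __name__ == "__main__":
    for name in still_enabled(SAMPLE_PREFS_JS):
        print("still enabled:", name)
    print(user_js(), end="")
```

Paste the contents of prefs.js from your profile folder in place of the sample; the generated lines go into a file named user.js in the same folder.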
