1. Support Center
  2. SSL / TLS Vulnerabilities
  3. Specific certificate vulnerabilities

How to Disable SSL RC4

The server supports RC4 (Rivest Cipher 4), a cipher stream that is considered insecure due to multiple known vulnerabilities.

Security Assessment



Vulnerability Information

The server supports RC4 (Rivest Cipher 4), a cipher stream that is considered.

RC4 is an abbreviation of Rivest Cipher 4. It’s sometimes referred to as ARC4 or ARCFOUR as well. When combined with a plaintext file, it can be used for encryption with the Exclusive Or (X-OR) operation.

RC4 is a stream cipher that was created by Ron Rivest for the network security company RSA Security back in 1987. That’s why it has also become known as ‘Ron’s Code.’

Stream ciphers work byte by byte on a data stream. RC4, in particular, is a variable key-size stream cipher using 64-bit and 128-bit sizes. The cipher uses a permutation and two 8-bit index-pointers to generate the keystream. The permutation itself is done with the Key Scheduling Algorithm (KSA) that then is entered into a Pseudorandom Generation Algorithm (PRG), which generates a bitstream. 

The pseudorandom stream that the RC4 generates is as long as the plaintext stream. Then through the Exclusive Or (X-OR) operation, the stream and the plaintext generate the ciphertext. Unlike stream ciphers, block ciphers separate plaintext into different blocks. Then it attaches to the blocks the plaintext and performs encryption on the blocks. 

What does the encryption procedure look like for RC4? First, the user enters a plaintext file and an encryption key. Then, the RC4 encryption engine generates keystream bytes with the help of the Key Scheduling Algorithm and the Pseudo-Random Generation Algorithm. The X-OR operation is executed byte-by-byte, and the byte output is the encrypted text, which the receiver gets. They can access the plaintext stream once they decrypt it through a byte-by-byte X-OR process. 


Please choose only cipher suites with robust encryption algorithms. For guides, refer to the following wiki article: Secure TLS Configuration.

For more information about Crashtest Security, visit crashtest-security.com.