Microsoft will kill obsolete cipher that has wreaked decades of havoc
3 days ago
- #Encryption
- #Microsoft
- #Cybersecurity
- Microsoft is discontinuing support for the RC4 encryption cipher in Windows after 26 years due to its vulnerabilities.
- RC4 has been used in Active Directory since 2000, but it has been known to be weak since 1994, when a cryptographic attack against it was demonstrated.
- Despite its known weaknesses, RC4 remained in use in encryption protocols like SSL and TLS until about a decade ago.
- Microsoft upgraded Active Directory to support AES but continued to default to RC4 for authentication requests, making it a target for hackers.
- The RC4 vulnerability was exploited in the 2023 breach of health giant Ascension, affecting 140 hospitals and 5.6 million patients.
- US Senator Ron Wyden criticized Microsoft for 'gross cybersecurity negligence' for continuing default RC4 support.
- Microsoft announced the deprecation of RC4, citing its role in Kerberoasting attacks, which were the root cause of the Ascension breach.
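The two defender-side checks the summary implies, as an added example (not code from the article or from Microsoft): first, spotting Kerberos service-ticket requests that were still issued under RC4, using the fields of Windows Security event 4769 ("A Kerberos service ticket was requested"); second, checking whether an account's `msDS-SupportedEncryptionTypes` attribute still permits RC4. The Kerberos etype numbers (0x17 = RC4-HMAC, 0x12 = AES256) and the attribute bit values are real; the flattened `key=value;` record format and the sample log lines are constructed here for the example, and the treatment of an unset attribute (0) as RC4-allowed reflects the legacy KDC default the article refers to.

```python
"""
Added example (not from the article): flag Kerberos service-ticket requests
issued with RC4 and audit an account's allowed encryption types.

Event 4769 carries the ticket encryption type as a hex etype number.
The log records below are constructed sample data, not real logs.
"""
from collections import defaultdict

# Kerberos encryption type numbers as seen in 4769's TicketEncryptionType field.
ETYPE_NAMES = {
    0x01: "DES-CBC-CRC",
    0x03: "DES-CBC-MD5",
    0x11: "AES128-CTS-HMAC-SHA1-96",
    0x12: "AES256-CTS-HMAC-SHA1-96",
    0x17: "RC4-HMAC",
    0x18: "RC4-HMAC-EXP",
}
RC4_ETYPES = {0x17, 0x18}

# Bit flags of the msDS-SupportedEncryptionTypes attribute on an AD account.
SUPPORTED_ENCTYPE_BITS = {
    "DES_CBC_CRC": 0x01,
    "DES_CBC_MD5": 0x02,
    "RC4_HMAC": 0x04,
    "AES128_CTS_HMAC_SHA1_96": 0x08,
    "AES256_CTS_HMAC_SHA1_96": 0x10,
}

# Constructed sample 4769 records, flattened to "key=value; ..." (assumed format).
SAMPLE_4769 = [
    "TargetUserName=alice@CORP.EXAMPLE; ServiceName=svc-sql; TicketEncryptionType=0x17; IpAddress=10.0.0.5",
    "TargetUserName=bob@CORP.EXAMPLE; ServiceName=svc-web; TicketEncryptionType=0x12; IpAddress=10.0.0.6",
    "TargetUserName=alice@CORP.EXAMPLE; ServiceName=krbtgt; TicketEncryptionType=0x12; IpAddress=10.0.0.5",
    "TargetUserName=alice@CORP.EXAMPLE; ServiceName=svc-backup; TicketEncryptionType=0x17; IpAddress=10.0.0.5",
    "TargetUserName=carol@CORP.EXAMPLE; ServiceName=svc-print; TicketEncryptionType=0x11; IpAddress=10.0.0.7",
]


def etype_name(etype):
    """Human-readable name for a Kerberos etype number."""
    return ETYPE_NAMES.get(etype, "unknown(0x%x)" % etype)


def parse_4769(line):
    """Parse one flattened 4769 record into a dict; etype becomes an int."""
    record = {}
    for field in line.split(";"):
        if "=" in field:
            key, value = field.split("=", 1)
            record[key.strip()] = value.strip()
    record["etype"] = int(record.get("TicketEncryptionType", "0"), 16)
    return record


def rc4_ticket_requests(lines):
    """(account, service, client IP) for every ticket request issued under RC4."""
    hits = []
    for line in lines:
        r = parse_4769(line)
        if r["etype"] in RC4_ETYPES:
            hits.append((r["TargetUserName"], r["ServiceName"], r["IpAddress"]))
    return hits


def clients_with_many_rc4_services(lines, threshold=2):
    """Client IPs that requested RC4 tickets for at least `threshold` distinct
    services. Many RC4 tickets for different SPNs from one client is the
    pattern a defender reviews for Kerberoasting activity."""
    services = defaultdict(set)
    for _account, service, ip in rc4_ticket_requests(lines):
        services[ip].add(service)
    return sorted(ip for ip, svcs in services.items() if len(svcs) >= threshold)


def rc4_allowed(supported_enctypes):
    """True if msDS-SupportedEncryptionTypes still permits RC4.
    0 (attribute unset) is treated as RC4-allowed: historically the KDC fell
    back to RC4 in that case, which is the default the article describes."""
    if supported_enctypes == 0:
        return True
    return bool(supported_enctypes & SUPPORTED_ENCTYPE_BITS["RC4_HMAC"])


def aes_only_mask():
    """The hardened attribute value: AES128 and AES256 only, no RC4 or DES."""
    return (SUPPORTED_ENCTYPE_BITS["AES128_CTS_HMAC_SHA1_96"]
            | SUPPORTED_ENCTYPE_BITS["AES256_CTS_HMAC_SHA1_96"])


if __name__ == "__main__":
    for account, service, ip in rc4_ticket_requests(SAMPLE_4769):
        print("RC4 ticket: %s -> %s from %s" % (account, service, ip))
    print("clients to review:", clients_with_many_rc4_services(SAMPLE_4769))
    print("legacy default (unset) allows RC4:", rc4_allowed(0))
    print("hardened mask: 0x%x" % aes_only_mask())
```

In a real environment the 4769 records come from the domain controllers' Security log (or a SIEM export); the parser above only needs the four named fields, so adapting it to XML or JSON event output is a matter of swapping `parse_4769`. The `aes_only_mask()` value (0x18) is what an account's `msDS-SupportedEncryptionTypes` is set to once RC4 is removed.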