
Author: Government Digital Service

SSL/TLS RC4 cipher suite enabled

What this means

RC4 is a stream cipher used by some SSL/TLS cipher suites and is known to have significant vulnerabilities.

If an RC4 cipher suite is enabled, clients can negotiate this insecure cipher, and the resulting connection can then be subject to attack.

Why this is a problem

RC4 has known weaknesses that allow attackers to predict parts of the encrypted data, leading to potential decryption.

Attacks such as BEAST and RC4 biases can exploit the weaknesses of RC4, compromising the confidentiality of encrypted communications.

RC4 is deprecated by most modern security standards, including PCI-DSS, due to its insecurity.

How to check if the problem is there

Check the webserver’s SSL/TLS configuration for use of the RC4 cipher suite.

There are a number of online tools such as Qualys SSL Labs which can be used to check what cipher suites and protocols are enabled on a website.

How to fix this

Remove support for the RC4 cipher suite in the webserver’s SSL/TLS configuration.

Ensure that strong cipher suites are preferred where possible.

Periodically test the server’s SSL/TLS configuration using automated tools to ensure compliance with security best practices.
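The check and fix steps above can be automated against the server's own configuration. The script below is an added example and is not part of the original page: it audits nginx (`ssl_ciphers`) or Apache (`SSLCipherSuite`) directives for RC4 suites and shows a hardened directive beside a weak one. The sample cipher strings and the sample config file are constructed for illustration and are not a recommended profile; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): audit TLS cipher directives for RC4.
# Cipher strings and the sample config are constructed for illustration.

# Constructed sample cipher strings (hypothetical, not a recommended profile).
WEAK_CIPHERS='ECDHE-RSA-AES128-GCM-SHA256:RC4-SHA:ECDHE-RSA-RC4-SHA:AES256-SHA'
HARDENED_CIPHERS='ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:!RC4:!aNULL:!MD5'

# rc4_suites CIPHERSTRING
# Prints every literal suite in the colon-separated list whose name contains RC4,
# skipping '!' entries (those are exclusions, not offered suites).
rc4_suites() {
    printf '%s\n' "$1" | tr ':' '\n' | grep -v '^!' | grep -i 'RC4'
    return 0
}

# rc4_enabled CIPHERSTRING -> exit 0 if RC4 suites would be offered, 1 otherwise.
# An '!RC4' entry removes RC4 from the list regardless of other entries.
rc4_enabled() {
    case ":$1:" in
        *:!RC4:*) return 1 ;;
    esac
    [ -n "$(rc4_suites "$1")" ]
}

# audit_config FILE
# Reports each ssl_ciphers (nginx) or SSLCipherSuite (Apache) directive in FILE
# that still offers an RC4 suite, as "<line number>: <suite names>".
audit_config() {
    grep -n -E '^[[:space:]]*(ssl_ciphers|SSLCipherSuite)[[:space:]]' "$1" |
    while IFS= read -r entry; do
        lineno=${entry%%:*}
        directive=${entry#*:}
        # Strip the directive name, a trailing ';' and surrounding quotes.
        ciphers=$(printf '%s' "$directive" |
            sed -E -e 's/^[[:space:]]*(ssl_ciphers|SSLCipherSuite)[[:space:]]+//' \
                   -e 's/[;[:space:]]*$//' -e 's/^"//' -e 's/"$//')
        if rc4_enabled "$ciphers"; then
            printf '%s: %s\n' "$lineno" \
                "$(rc4_suites "$ciphers" | tr '\n' ' ' | sed 's/ $//')"
        fi
    done
    return 0
}

# Constructed sample nginx config (hypothetical), written to a temp file so the
# audit runs offline. Line 4 is the weak directive, line 9 the hardened one.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<EOF
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers "$WEAK_CIPHERS";
    ssl_prefer_server_ciphers on;
}
server {
    listen 8443 ssl;
    ssl_ciphers "$HARDENED_CIPHERS";
}
EOF

echo "Directives still offering RC4 in $SAMPLE_CONF:"
audit_config "$SAMPLE_CONF"
```

The audit only sees suites named literally in the directive. If a directive uses OpenSSL keyword groups such as `HIGH` or `ALL`, expand them on the server itself with `openssl ciphers -v '<string>'` and run `rc4_suites` over that output, because which suites a keyword contains depends on the installed OpenSSL version. Adding an explicit `!RC4` to the directive, as the hardened string does, is the unambiguous fix whatever keywords are present.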

Further information

A list of ciphers and protocols which provide strict security whilst maintaining good accessibility is published by Microsoft under the profile name 20220101S.

Consider aligning your configuration to these recommendations which provide good security whilst ensuring good compatibility.
