Author: HollyGraceful Published: 21 October 2022 Last Updated: 03 November 2022
An attack against RC4 was demonstrated in 2015. This attack affects the use of RC4 in several protocols, including Transport Layer Security (TLS), as used by web browsers and web applications, and WPA-TKIP, as used by wireless networks. When RC4 is used in TLS, this weakness can allow an attacker to decrypt a small amount of repeated content, such as a session token or other sensitive cookie values.
As this attack utilises two statistical biases in the RC4 algorithm (Fluhrer-McGrew biases and ABSAB biases), the only effective way to fully mitigate this vulnerability is to disable the use of RC4.
It is recommended that:
- All RC4 cipher suites are disabled
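
One way to check the recommendation above, as an added example that is not part of the original article: it builds a TLS context with RC4 excluded, confirms no RC4 suite remains enabled, and flags RC4 suites in scanner output. The function names, the `endpoint suite` line format and the `example.test` hosts are assumptions made for this example.

```python
import re
import ssl

def rc4_suites(names):
    """Return the cipher suite names that use RC4.

    Handles both OpenSSL names (ECDHE-RSA-RC4-SHA) and IANA names
    (TLS_RSA_WITH_RC4_128_SHA) by splitting on '-' and '_'.
    """
    return [n for n in names if "RC4" in re.split(r"[-_]", n.upper())]

def context_without_rc4():
    """Server-side TLS context whose cipher list explicitly excludes RC4."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # '!RC4' deletes RC4 suites permanently, so a later rule cannot re-add them.
    ctx.set_ciphers("DEFAULT:!RC4")
    return ctx

def enabled_rc4(ctx):
    """RC4 suites still enabled on a context (should be an empty list)."""
    return rc4_suites(c["name"] for c in ctx.get_ciphers())

def audit_scan(lines):
    """Map endpoint -> RC4 suites from 'endpoint suite' scan lines."""
    findings = {}
    for line in lines:
        parts = line.split()
        if len(parts) != 2:
            continue  # skip blank or malformed lines
        endpoint, suite = parts
        if rc4_suites([suite]):
            findings.setdefault(endpoint, []).append(suite)
    return findings

# Constructed sample input: accepted suites per endpoint, as a scanner might list them.
SAMPLE_SCAN = [
    "www.example.test:443 ECDHE-RSA-AES128-GCM-SHA256",
    "www.example.test:443 ECDHE-RSA-RC4-SHA",
    "www.example.test:443 RC4-MD5",
    "mail.example.test:993 TLS_RSA_WITH_RC4_128_SHA",
    "api.example.test:443 TLS_AES_256_GCM_SHA384",
]

if __name__ == "__main__":
    print("RC4 enabled locally:", enabled_rc4(context_without_rc4()))
    for endpoint, suites in audit_scan(SAMPLE_SCAN).items():
        print(endpoint, "accepts RC4:", ", ".join(suites))
```

Any endpoint that appears in the `audit_scan` result still accepts at least one RC4 suite and needs its cipher configuration changed.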