killing RC4 in Chrome

Ted Smith tedks at
Thu Sep 18 08:10:55 PDT 2014

There's sort of a chicken/egg problem here. 

You can actually just disable them in configuration; in Firefox, you can
just go to about:config and set all the security.*.rc4* to false instead
of true. 

However, this breaks a *lot* of sites, including some big ones. 

On Thu, 2014-09-18 at 11:26 +0100, Cathal Garvey wrote:
> This is what occurred to me when I saw your first few mails on this
> subject; how hard is it to just comment out the stupid algos in the
> source for FF/Chrome, and just recompile? TLS negotiates available
> algos, so there's probably a list somewhere of which algos to send to
> the server; you could change nothing but that list and the algos would
> simply never be advertised, negotiated, or used?
> On 18/09/14 03:31, coderman wrote:
> >
> > 
> > <grittygrease> Are you planning on dropping RC4 support in Chrome anytime soon?
> > 
> > <sleevi_> Not until I can work with @mikewest to get our mixed content
> > detection improved and get @__apf__ on board for more sec-ui :)
> > 

Sent from Ubuntu
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part
URL: <>

More information about the cypherpunks mailing list