Microsoft has announced that it will finally be killing off the obsolete and vulnerable encryption cipher RC4, which has been supported by default in Windows for 26 years. The move comes after more than a decade of devastating hacks that exploited the cipher and recent criticism from a prominent US senator. RC4, short for Rivest Cipher 4, was the sole means of securing the Windows component Active Directory when it was rolled out in 2000. Administrators use Active Directory to configure and provision fellow administrator and user accounts inside large organizations.
The decision to discontinue support for RC4 was made after a long-standing vulnerability in the cipher was repeatedly exploited by hackers. RC4 was developed by mathematician and cryptographer Ron Rivest of RSA Security in 1987, and its security was significantly weakened within days of its leak in 1994. A researcher demonstrated a cryptographic attack that compromised the cipher's security, but RC4 remained a staple in encryption protocols, including SSL and its successor TLS, until about a decade ago.
Microsoft's decision to discontinue support for RC4 has been welcomed by security experts, who have long criticized the company for its continued use of the vulnerable cipher. "This is a long-overdue move," said a security expert, who wished to remain anonymous. "RC4 has been a liability for far too long, and it's a relief to see Microsoft finally taking steps to address the issue."
The use of RC4 in Active Directory has been a major concern for large organizations, which rely on the component to manage their user accounts and access permissions. While Microsoft has not provided a specific timeline for the discontinuation of RC4, the company has promised to provide more information and support for administrators as they transition to more secure encryption protocols.
In a statement, a Microsoft spokesperson said, "We are committed to providing the most secure and reliable solutions for our customers, and the discontinuation of RC4 is an important step in that direction. We will continue to work with our customers and partners to ensure a smooth transition to more secure encryption protocols."
The discontinuation of RC4 marks a significant shift in the industry's approach to encryption, as companies increasingly prioritize security and data protection. As one security expert noted, "This move sets a precedent for other companies to follow, and it's a positive step towards a more secure future for online transactions and data exchange."