Disabling RC4 in CA Payment Security SaaS

Document created by Mahinder Chawla Employee on May 11, 2016

 

  RC4 has long been a widely used stream cipher. It is one of the ciphers available in the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols that HTTPS relies on to protect sensitive web traffic from eavesdropping and man-in-the-middle attacks.

  Weaknesses in RC4 have been reported for years, but exploiting them required large resources. More recent attacks on the statistical biases in the RC4 keystream make it practical for a determined attacker to recover plaintext protected by this cipher. As a result, the IETF[1] in RFC 7465, published last year, prohibits the use of RC4 cipher suites in TLS; as a follow-on, in April OWASP[2] updated its guidelines to exclude this cipher.

  In line with industry recommendations, CA will be turning off this cipher on all of its internet-facing production instances by the end of August 2016. The most recent browser usage statistics available when this was written (January to March 2016, from w3schools[3]; all percentages below are shares of all browsers) are:

                      

2016        Chrome    IE       Firefox   Safari   Opera
March       69.9 %    6.1 %    17.8 %    3.6 %    1.3 %
February    69.0 %    6.2 %    18.6 %    3.7 %    1.3 %
January     68.4 %    6.2 %    18.8 %    3.7 %    1.4 %

 

Amongst Chrome users, by version (share of all browsers; "-" means the version had not been released):

                                          

2016        Total    C 51    C 50    C 49     C 48     C 47    C 46    C 45    C 44    Older
March       69.9%    0.3%    0.4%    32.4%    30.7%    2.1%    0.8%    0.5%    0.6%    2.1%
February    69.0%    -       0.7%    0.4%     58.8%    4.0%    1.0%    0.8%    0.6%    2.7%
January     68.4%    -       0.1%    0.7%     5.6%     55.2%   1.8%    0.9%    0.7%    3.4%

According to the Chrome release blog, Chrome 48 onwards ships with RC4 disabled. Because every row above sums to the Chrome total, the version columns are shares of all browsers, not of Chrome users. Chrome 47 and older therefore accounted for 2.1 + 0.8 + 0.5 + 0.6 + 2.1 = 6.1% of all browsers in March (about 8.7% of Chrome users).

Amongst IE and Edge users, by version (share of all browsers):

2016        Total    Edge 13    Edge 12    IE 11    IE 10    IE 9    Older
March       6.1 %    1.0 %      0.2 %      4.1 %    0.3 %    0.2 %   0.3 %
February    6.2 %    0.9 %      0.2 %      4.1 %    0.4 %    0.3 %   0.3 %
January     6.2 %    0.8 %      0.4 %      3.8 %    0.5 %    0.4 %   0.3 %

According to Microsoft, IE 11 and Edge work with RC4 disabled. IE 10 and older accounted for 0.3 + 0.2 + 0.3 = 0.8% of all browsers in March (about 13% of IE and Edge users).

Amongst Firefox users, by version (share of all browsers; "-" means the version had not been released):

2016        Total    FF 47   FF 46   FF 45   FF 44   FF 43    FF 42   FF 41   FF 40   FF 39   Older
March       17.8%    0.1%    0.6%    5.2%    7.1%    1.0%     0.2%    0.3%    0.2%    0.2%    2.9%
February    18.6%    -       0.2%    0.8%    8.8%    4.6%     0.5%    0.3%    0.3%    0.4%    2.7%
January     18.8%    -       -       0.2%    1.4%    12.8%    0.9%    0.5%    0.3%    0.4%    2.3%

 

Based on the Firefox blog, Firefox 37 onwards works with RC4 disabled. Firefox 36 and older fall within the "Older" column, so at most 2.9% of all browsers in March (about 16% of Firefox users).

Safari and Opera users were almost all on the latest version, so the number affected there is negligible. Summing the pre-cutoff columns for March gives 6.1% + 0.8% + up to 2.9%, i.e. roughly 10% of browsers that still had RC4 enabled on the client side. That figure is an upper bound on the clients this change can affect, not an estimate of breakage: a browser that still enables RC4 almost always offers AES-based cipher suites as well, and once RC4 is removed on our side the handshake simply settles on one of those. Only a client whose cipher-suite list has nothing but RC4 in common with ours will fail to connect. Note also that the statistics[3] are drawn from w3schools.com's own visitor logs and are not necessarily representative of the cardholder population.

Cardholders whose browser cannot negotiate a non-RC4 cipher suite will see a browser-generated SSL/TLS error when connecting to our website; CA has no control over the wording of the message the browser displays. Likewise, administrators of our application who use such an older browser will need to update it to a recent version.

This change is of particular importance to our partners that connect to sites hosted by CA via a daemon or service for various functions. We urge them to test with RC4 disabled to ensure uninterrupted operation after the change. In practice that means confirming that the TLS library the daemon uses offers at least one AES-based cipher suite, since a client that can only negotiate RC4 will be unable to connect.
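As an added worked example (not CA's code or configuration, and not part of the original communiqué), the Python script below models what the cutover does to a client: it expands an OpenSSL cipher string into the suites a server configured with it would enable, confirms that no RC4 suite survives in the hardened list, and simulates cipher-suite negotiation against a few constructed client profiles. The cipher strings CIPHERS_BEFORE and CIPHERS_AFTER, the profile names and their suite lists, and the "RC4-only legacy daemon" are all assumptions for illustration, not real configurations. It runs offline against the local OpenSSL build.

```python
import ssl

# Server-side cipher strings in OpenSSL syntax. CIPHERS_BEFORE is only
# illustrative of a list that still permits RC4; CIPHERS_AFTER is the kind
# of RC4-free list this change calls for. Both are assumptions for this
# example, not CA's actual configuration.
CIPHERS_BEFORE = "HIGH:RC4:!aNULL:!eNULL"
CIPHERS_AFTER = "HIGH:!aNULL:!eNULL:!MD5:!RC4"

# Constructed client profiles. The suites listed are representative picks
# chosen to show the outcomes that matter, not a full inventory of what
# each real client offers.
CLIENT_PROFILES = {
    # A current browser that has already dropped RC4 itself.
    "Chrome 48+": [
        "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-SHA", "AES128-SHA",
    ],
    # An older browser that still enables RC4 but also offers AES suites.
    "Chrome 47 (RC4 still enabled)": [
        "ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA", "RC4-SHA",
    ],
    # Hypothetical partner daemon whose TLS library only speaks RC4 suites.
    "RC4-only legacy daemon (hypothetical)": ["RC4-SHA", "RC4-MD5"],
}


def enabled_suites(cipher_string):
    """Expand an OpenSSL cipher string into the ordered list of suite names
    a server configured with it would actually enable (local OpenSSL build)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers()]


def rc4_suites(suites):
    """Return the RC4-based suites present in a list of suite names. On an
    OpenSSL build with RC4 compiled out this is empty even for CIPHERS_BEFORE."""
    return [s for s in suites if "RC4" in s.upper()]


def negotiated_suite(server_suites, client_suites):
    """Model of negotiation with server cipher preference: the first suite in
    the server's ordered list that the client also offers wins. None means
    there is no common suite and the handshake fails."""
    offered = set(client_suites)
    for suite in server_suites:
        if suite in offered:
            return suite
    return None


def assess_clients(cipher_string, profiles=CLIENT_PROFILES):
    """Map each client profile to the suite it would negotiate against a
    server using cipher_string (None = connection fails)."""
    server = enabled_suites(cipher_string)
    return {name: negotiated_suite(server, suites)
            for name, suites in profiles.items()}


if __name__ == "__main__":
    after = enabled_suites(CIPHERS_AFTER)
    print("RC4 suites still enabled after hardening:", rc4_suites(after))
    for name, suite in assess_clients(CIPHERS_AFTER).items():
        print(f"{name:40s} -> {suite or 'HANDSHAKE FAILS'}")
```

Run it as a script to print the outcome per profile. The point it makes is the one above: the Chrome 47 profile, which still enables RC4, negotiates an AES-GCM suite without trouble, while the RC4-only profile has no suite in common with the hardened server and fails. Against a live endpoint the equivalent check is `openssl s_client -cipher RC4 -connect host:443` from an OpenSSL build that still has RC4 compiled in; a completed handshake means RC4 is still enabled on the server. The model assumes server cipher preference; without it the client's order decides which common suite is chosen, but whether a connection succeeds at all is unchanged.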

CA has a community page where customers can ask about and discuss any topic related to this issue. As always, feel free to contact the CA Support team by phone at 1-866-992-7268 (or your regional support contact) or by submitting a request at support.arcot.com.

For information on how to use the community page, please follow the link provided; a copy of this communiqué is also available at the link provided.

 

 

[1] Popov, A. RFC 7465 - Prohibiting RC4 Cipher Suites. (2015, February). Retrieved April 15, 2016, from https://tools.ietf.org/html/rfc7465

[2] Transport Layer Protection Cheat Sheet. (2016, April 04). Retrieved April 15, 2016, from https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers

[3] Browser Information. (n.d.). Retrieved April 15, 2016, from http://www.w3schools.com/browsers/default.asp

 

 

Copyright © 2016 CA, Inc. All rights reserved.  All marks used herein may belong to their respective companies. This document does not contain any warranties and is provided for informational purposes only.
