18

Recently I started to live without RC4 within my Firefox session. Discussion about it can be found here. While it is quite easy in Firefox (Enter about:config and then rc4), I found no possibility to do this in Chromium. So is it possible to disable or remove RC4 in Chromium or also Google Chrome?

qbi
  • 1,611
  • 2
  • 14
  • 27
  • 4
    I wouldn't get to bent out of shape about RC4, Just as I would recommend against getting alarmed about BEAST. There aren't any **remotely practical** security implications of either at the moment. – tylerl Jul 06 '13 at 01:45

4 Answers4

17

After several hours trying to figure out how to do that in Google Chrome I've found it! You must add the following command line parameters in the shortcut:

--cipher-suite-blacklist=0x0005,0x0004

The tricky part is that Google has not translated cipher strings so you must input each cipher in hex based on RFC 2246:

0x0004 = TLS_RSA_WITH_RC4_128_MD5

0x0005 = TLS_RSA_WITH_RC4_128_SHA
Andrew Lott
  • 177
  • 1
  • 14
Rafael Koike
  • 186
  • 2
  • 4
    You also need to disable the ciphers from [RFC4346](http://www.ietf.org/rfc/rfc4346.txt) if you're using TLS 1.1. Here is the list of ciphers I'm using to disable CBC: --cipher-suite-blacklist=0x000B,0x000C,0x000D,0x0011,0x0012,0x0013,0x002F,0x0030,0x0031,0x0032,0x0033,0x0034,0x0035,0x0036,0x0037,0x0038,0x0039,0x003A – Alex Lauerman Sep 11 '13 at 14:41
  • @AlexLauerman Your option string does not work for me. I think that I understand what you did and also think that this should be correct, but for me to disable the RC4 cipher on google.com I need to use `chromium-browser --cipher-suite-blacklist=0x0004,0x0005,0xc011` instead. Notice the `c` in `0xc011`. Your option string does *not* disable RC4 on google.com for *me*. I found the working solution @ http://superuser.com/questions/616996/what-is-the-correct-cipher-name-for-rc4-in-chrome/618221#comment837447_618221, but do not yet understand the last entry and wait for a reply to my comment. – king_julien Oct 21 '13 at 15:53
  • @king_julien My list of ciphers was to disable CBC, not RC4, sorry for not being more clear on that since it goes against this thread. It was posted as a reference since I haven't disabled RC4, but I was pointing out that I don't think user27136's list will work in all scenarios if the are using RC4 ciphers from >TLS1.0, and I wanted to provide more info, but then again you dont have to disable all ciphers, just all the ones that are preferred over what you want it to not use. I only disabled CBC for testing by the way. – Alex Lauerman Nov 04 '13 at 03:28
  • @AlexLauerman Oh, I see now - I shouldn't read so fast the next time :/ Thanks for the clarification – king_julien Nov 04 '13 at 10:41
8

TL;DR

You need to use the following parameter to block all RC4 ciphers (as of Chrome 31 in Ubuntu 12.04 with NSS 3.15)

--cipher-suite-blacklist=0x0004,0x0005,0xc011,0xc007

In Google Chrome on Ubuntu you have to edit the file /usr/share/applications/google-chrome.desktop and add the parameter to each line that starts with Exec=/usr/bin/google-chrome-stable. There should be three overall.

Exec=/usr/bin/google-chrome-stable --cipher-suite-blacklist=0x0004,0x0005,0xc011,0xc007

General Answer to figure it out yourself

The regularly updated list of all ciphers by IANA is already very helpful in determining which ciphers to block, but you might end up blocking more ciphers than your browser actually supports. There is an easier way to first check what ciphers your browser supports and get their hexadecimal values.

Both are provided directly in your browser by visiting the following website of the Leibniz University of Hannover:

For example: In the picture below, the cipher indentifiers on are on the left side of the table. So, if I wanted to block the two ciphers RSA-AES-128-GCM-SHA256 and RSA-AES256-SHA I would look for (00,9c) and (00,35).

For Google Chrome this means that I have to add the parameter:

--cipher-suite-blacklist=0x009c,0x0035 

enter image description here

king_julien
  • 181
  • 1
  • 6
  • How I would do this by blocking ECDHE-RSA-AES128-GCM-SHA256. I seems that /usr/bin/google-chrome-stable --cipher-suite-blacklist=0xc02f doesn't work. – likern Nov 09 '16 at 14:06
7

Google Chrome Version 28.0.1500.95

chrome.exe --cipher-suite-blacklist=0xc007,0xc011,0x0066,0xc00c,0xc002,0x0005,0x0004

0xc007 = ECDHE-ECDSA-RC4128-SHA
0xc011 = ECDHE-RSA-RC4128-SHA
0x0066 = DHE_DSS_WITH_RC4_128_SHA
0xc00c = ECDH_RSA_WITH_RC4_128_SHA
0xc002 = RSA-RC4128-SHA
0x0005 = RSA-RC4128-SHA
0x0004 = RSA-RC4128-MD5

Source list of cipher names matching to spec:
[https://code.google.com/p/chromium/issues/detail?id=58833][1]

Website to check settings:
[https://cc.dcsec.uni-hannover.de/][2]
nobird
  • 3
  • 1
nobird
  • 91
  • 1
  • 1
  • This seems to blacklist much more than just RC4. Also, since you posted two answers, I deleted your other one. Please make edits instead of multiple posts. – Jeff Ferland Sep 30 '13 at 15:33
  • 1
    This answer works great! I'm especially happy about the link "source list of cipher names..." because the descriptions from [www.ietf.org](http://www.ietf.org/rfc/rfc4346.txt) weren't that clear to me and therefore I do not understand where the options with `c` come from, i.e. I would have added `0x0011` instead of `0xc011`. But `0x0011` does not work. – king_julien Oct 21 '13 at 16:28
3

If I understand this issue tracking thread, support for disabling some cipher suites in SSL/TLS has been at least partially implemented, but there is no corresponding user interface. It seems to be feasible through command-line arguments (I have not tried). Also, the exact method may change depending on the operating system, since Chrome tends to reuse the functionalities offered by the OS with regards to SSL (contrary to Firefox, which, out of tradition, has always done everything itself).

Thomas Pornin
  • 322,884
  • 58
  • 787
  • 955