Recently I started to live without RC4 within my Firefox session. Discussion about it can be found here. While it is quite easy in Firefox (Enter about:config
and then rc4), I found no possibility to do this in Chromium. So is it possible to disable or remove RC4 in Chromium or also Google Chrome?
-
4I wouldn't get to bent out of shape about RC4, Just as I would recommend against getting alarmed about BEAST. There aren't any **remotely practical** security implications of either at the moment. – tylerl Jul 06 '13 at 01:45
4 Answers
After several hours trying to figure out how to do that in Google Chrome I've found it! You must add the following command line parameters in the shortcut:
--cipher-suite-blacklist=0x0005,0x0004
The tricky part is that Google has not translated cipher strings so you must input each cipher in hex based on RFC 2246:
0x0004 = TLS_RSA_WITH_RC4_128_MD5
0x0005 = TLS_RSA_WITH_RC4_128_SHA
- 177
- 1
- 14
- 186
- 2
-
4You also need to disable the ciphers from [RFC4346](http://www.ietf.org/rfc/rfc4346.txt) if you're using TLS 1.1. Here is the list of ciphers I'm using to disable CBC: --cipher-suite-blacklist=0x000B,0x000C,0x000D,0x0011,0x0012,0x0013,0x002F,0x0030,0x0031,0x0032,0x0033,0x0034,0x0035,0x0036,0x0037,0x0038,0x0039,0x003A – Alex Lauerman Sep 11 '13 at 14:41
-
@AlexLauerman Your option string does not work for me. I think that I understand what you did and also think that this should be correct, but for me to disable the RC4 cipher on google.com I need to use `chromium-browser --cipher-suite-blacklist=0x0004,0x0005,0xc011` instead. Notice the `c` in `0xc011`. Your option string does *not* disable RC4 on google.com for *me*. I found the working solution @ http://superuser.com/questions/616996/what-is-the-correct-cipher-name-for-rc4-in-chrome/618221#comment837447_618221, but do not yet understand the last entry and wait for a reply to my comment. – king_julien Oct 21 '13 at 15:53
-
@king_julien My list of ciphers was to disable CBC, not RC4, sorry for not being more clear on that since it goes against this thread. It was posted as a reference since I haven't disabled RC4, but I was pointing out that I don't think user27136's list will work in all scenarios if the are using RC4 ciphers from >TLS1.0, and I wanted to provide more info, but then again you dont have to disable all ciphers, just all the ones that are preferred over what you want it to not use. I only disabled CBC for testing by the way. – Alex Lauerman Nov 04 '13 at 03:28
-
@AlexLauerman Oh, I see now - I shouldn't read so fast the next time :/ Thanks for the clarification – king_julien Nov 04 '13 at 10:41
TL;DR
You need to use the following parameter to block all RC4 ciphers (as of Chrome 31 in Ubuntu 12.04 with NSS 3.15)
--cipher-suite-blacklist=0x0004,0x0005,0xc011,0xc007
In Google Chrome on Ubuntu you have to edit the file /usr/share/applications/google-chrome.desktop
and add the parameter to each line that starts with Exec=/usr/bin/google-chrome-stable
. There should be three overall.
Exec=/usr/bin/google-chrome-stable --cipher-suite-blacklist=0x0004,0x0005,0xc011,0xc007
General Answer to figure it out yourself
The regularly updated list of all ciphers by IANA is already very helpful in determining which ciphers to block, but you might end up blocking more ciphers than your browser actually supports. There is an easier way to first check what ciphers your browser supports and get their hexadecimal values.
Both are provided directly in your browser by visiting the following website of the Leibniz University of Hannover:
For example: In the picture below, the cipher indentifiers on are on the left side of the table. So, if I wanted to block the two ciphers RSA-AES-128-GCM-SHA256
and RSA-AES256-SHA
I would look for (00,9c)
and (00,35)
.
For Google Chrome this means that I have to add the parameter:
--cipher-suite-blacklist=0x009c,0x0035
- 181
- 1
- 6
-
How I would do this by blocking ECDHE-RSA-AES128-GCM-SHA256. I seems that /usr/bin/google-chrome-stable --cipher-suite-blacklist=0xc02f doesn't work. – likern Nov 09 '16 at 14:06
Google Chrome Version 28.0.1500.95
chrome.exe --cipher-suite-blacklist=0xc007,0xc011,0x0066,0xc00c,0xc002,0x0005,0x0004
0xc007 = ECDHE-ECDSA-RC4128-SHA
0xc011 = ECDHE-RSA-RC4128-SHA
0x0066 = DHE_DSS_WITH_RC4_128_SHA
0xc00c = ECDH_RSA_WITH_RC4_128_SHA
0xc002 = RSA-RC4128-SHA
0x0005 = RSA-RC4128-SHA
0x0004 = RSA-RC4128-MD5
Source list of cipher names matching to spec:
[https://code.google.com/p/chromium/issues/detail?id=58833][1]
Website to check settings:
[https://cc.dcsec.uni-hannover.de/][2]
-
This seems to blacklist much more than just RC4. Also, since you posted two answers, I deleted your other one. Please make edits instead of multiple posts. – Jeff Ferland Sep 30 '13 at 15:33
-
1This answer works great! I'm especially happy about the link "source list of cipher names..." because the descriptions from [www.ietf.org](http://www.ietf.org/rfc/rfc4346.txt) weren't that clear to me and therefore I do not understand where the options with `c` come from, i.e. I would have added `0x0011` instead of `0xc011`. But `0x0011` does not work. – king_julien Oct 21 '13 at 16:28
If I understand this issue tracking thread, support for disabling some cipher suites in SSL/TLS has been at least partially implemented, but there is no corresponding user interface. It seems to be feasible through command-line arguments (I have not tried). Also, the exact method may change depending on the operating system, since Chrome tends to reuse the functionalities offered by the OS with regards to SSL (contrary to Firefox, which, out of tradition, has always done everything itself).
- 322,884
- 58
- 787
- 955