Microsoft has phased out all browser support for the older RC4 communications encryption standard, as it is rarely used and is considered obsolete and insecure compared with newer standards (such as TLS 1.2).

It might be thought that RC4, a stream cipher used in client-server communications that has long been considered cryptographically insecure, was already gone from those browsers. Microsoft declared its intention to kill it off last year. In March of this year, Microsoft indicated that RC4 would go away on April 12. However, it later delayed that action in response to “customer feedback.”

This time Microsoft will pull the trigger on RC4. It’s happening via patch KB3151631, which is part of Microsoft’s security update MS16-095 in the August batch of bulletins, released today. The patch will disable RC4 “for Microsoft Edge and Internet Explorer users on Windows 7, Windows 8.1 and Windows 10,” Microsoft indicated in its announcement today.

Not many browsers currently use RC4. The Trustworthy Internet Movement’s SSL Pulse page showed just 6.5 percent of modern browsers used RC4 this month. Microsoft described RC4 use as “small and shrinking” in its announcement. Microsoft is following the lead of Google and Mozilla by getting rid of RC4 because the cipher can be broken in hours via man-in-the-middle session hijacking attacks. Typically, attackers trick browsers into negotiating the insecure RC4 cipher in order to carry out these attacks. The Internet Engineering Task Force has stated that RC4 should be prohibited from use with client and server Transport Layer Security (TLS) connections.

Microsoft recommends that organizations enable Transport Layer Security 1.2 in their services and stop using RC4. The ciphers supported by the various Windows versions are described on this page.
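One way for a defender to verify that RC4 is really gone is to inspect captured TLS handshakes: whether clients still offer RC4 suites, and whether a server ever selects one (which is what the downgrade described above looks like on the wire). The following is an added example written for this article, not code from Microsoft or from the article; the cipher-suite IDs are the IANA-registered values for the RC4 suites, the message layouts follow the TLS 1.0–1.2 ClientHello/ServerHello format, and the two sample handshake messages are constructed inline (TLS extensions are omitted, as the parser stops at the cipher-suite field).

```python
import struct

# IANA TLS Cipher Suite Registry values for the RC4-based suites.
RC4_SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0xC002: "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
    0xC007: "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
    0xC00C: "TLS_ECDH_RSA_WITH_RC4_128_SHA",
    0xC011: "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
}

def _handshake_body(record):
    """Strip the 5-byte TLS record header and the 4-byte handshake header."""
    if len(record) < 9 or record[0] != 0x16:          # 0x16 = handshake record
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    hs_len = int.from_bytes(hs[1:4], "big")
    return hs[0], hs[4:4 + hs_len]                     # (handshake type, body)

def offered_suites(client_hello):
    """Cipher suites the client advertised, in preference order."""
    hs_type, body = _handshake_body(client_hello)
    if hs_type != 0x01:
        raise ValueError("not a ClientHello")
    pos = 2 + 32                                       # client_version + random
    pos += 1 + body[pos]                               # session_id (length-prefixed)
    cs_len = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    return [struct.unpack(">H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]

def negotiated_suite(server_hello):
    """The single cipher suite the server selected."""
    hs_type, body = _handshake_body(server_hello)
    if hs_type != 0x02:
        raise ValueError("not a ServerHello")
    pos = 2 + 32
    pos += 1 + body[pos]
    return struct.unpack(">H", body[pos:pos + 2])[0]

def rc4_report(client_hello, server_hello):
    """Flag a handshake in which RC4 was offered and/or actually negotiated."""
    offered = [s for s in offered_suites(client_hello) if s in RC4_SUITES]
    chosen = negotiated_suite(server_hello)
    return {"client_offers_rc4": bool(offered),
            "server_chose_rc4": chosen in RC4_SUITES,
            "negotiated": RC4_SUITES.get(chosen, f"0x{chosen:04x}")}

def _wrap(hs_type, body):                              # build record + handshake headers
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs

# Constructed sample: client prefers AES-GCM (0xC02F) but still lists two RC4 suites.
SAMPLE_CLIENT_HELLO = _wrap(0x01, b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x06"
                            + b"\xc0\x2f\xc0\x11\x00\x05" + b"\x01\x00")
# Constructed sample: server picked RC4 anyway, the pattern a monitor should alert on.
SAMPLE_SERVER_HELLO = _wrap(0x02, b"\x03\x03" + bytes(32) + b"\x00" + b"\xc0\x11" + b"\x00")
```

Run over real captures, `rc4_report` gives two separate signals: lingering client support (the “small and shrinking” population the article cites) and servers that still select RC4 and need their TLS configuration fixed.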