Microsoft Is Finally Killing RC4
After twenty-six years, Microsoft is finally upgrading the last remaining instance of the encryption algorithm RC4 in Windows.
One of the most visible holdouts in supporting RC4 has been Microsoft. Eventually, Microsoft upgraded Active Directory to support the much more secure AES encryption standard. But by default, Windows servers have continued to respond to RC4-based authentication requests and return an RC4-based response. The RC4 fallback has been a favorite weakness hackers have exploited to compromise enterprise networks. Use of RC4 played a key role in last year’s breach of health giant Ascension. The breach caused life-threatening disruptions at 140 hospitals and put the medical records of 5.6 million patients into the hands of the attackers. US Senator Ron Wyden (D-Ore.) in September called on the Federal Trade Commission to investigate Microsoft for “gross cybersecurity negligence,” citing the continued default support for RC4.
Last week, Microsoft said it was finally deprecating RC4 and cited its susceptibility to Kerberoasting, the form of attack, known since 2014, that was the root cause of the initial intrusion into Ascension’s network.
Fun fact: RC4 was a trade secret until I published the algorithm in the second edition of Applied Cryptography in 1995.
Ray Dillinger • December 22, 2025 1:45 PM
Finally. My condolences for the lasting pain of seeing your flawed work used by people to the point of damaging themselves and others. I am glad you have finally been relieved of this burden.
And yeah, it’s a burden. I’ve made some outright mistakes too, or failed to anticipate user assumptions and likely but mistaken uses. The repercussions and damage from some of them are still playing out decades later.
But we can only do our best. Whatever 20/20 hindsight we may apply later, we act or create only on the basis of what we understand in the moment. We exercise restraint only on the basis of the consequences we can anticipate in the moment. Failure to act for fear that we might be making a mistake would prevent us from doing anything at all, including all the good we can do.
And failure to try to help would be worse, IMO, than trying and falling short.
So try not to be bitter about it. On bad-brain days, I’m kind of bitter about a few of mine. I know I should try not to be. I know it’s a symptom of having a bad-brain day. But it still happens.