Recently I started to live without RC4 within my Firefox session. Discussion about it can be found here. While it is quite easy in Firefox (Enter about:config and then rc4), I found no possibility to do this in Chromium. So is it possible to disable or remove RC4 in Chromium or also Google Chrome?
- I wouldn't get too bent out of shape about RC4, just as I would recommend against getting alarmed about BEAST. There aren't any remotely practical security implications of either at the moment. – tylerl, Jul 6, 2013 at 1:45
4 Answers
After several hours trying to figure out how to do that in Google Chrome I've found it! You must add the following command line parameters in the shortcut:
--cipher-suite-blacklist=0x0005,0x0004

The tricky part is that Google has not translated cipher strings, so you must input each cipher in hex based on RFC 2246:

0x0004 = TLS_RSA_WITH_RC4_128_MD5
0x0005 = TLS_RSA_WITH_RC4_128_SHA

- You also need to disable the ciphers from RFC 4346 if you're using TLS 1.1. Here is the list of ciphers I'm using to disable CBC: --cipher-suite-blacklist=0x000B,0x000C,0x000D,0x0011,0x0012,0x0013,0x002F,0x0030,0x0031,0x0032,0x0033,0x0034,0x0035,0x0036,0x0037,0x0038,0x0039,0x003A – Alex Lauerman, Sep 11, 2013 at 14:41
- @AlexLauerman Your option string does not work for me. I think that I understand what you did and also think that this should be correct, but for me to disable the RC4 cipher on google.com I need to use chromium-browser --cipher-suite-blacklist=0x0004,0x0005,0xc011 instead. Notice the c in 0xc011. Your option string does not disable RC4 on google.com for me. I found the working solution @ superuser.com/questions/616996/…, but do not yet understand the last entry and wait for a reply to my comment. – king_julien, Oct 21, 2013 at 15:53
- @king_julien My list of ciphers was to disable CBC, not RC4, sorry for not being more clear on that since it goes against this thread. It was posted as a reference since I haven't disabled RC4, but I was pointing out that I don't think user27136's list will work in all scenarios if they are using RC4 ciphers from >TLS1.0, and I wanted to provide more info. But then again you don't have to disable all ciphers, just all the ones that are preferred over what you want it to not use. I only disabled CBC for testing, by the way. – Alex Lauerman, Nov 4, 2013 at 3:28
- @AlexLauerman Oh, I see now - I shouldn't read so fast the next time :/ Thanks for the clarification. – king_julien, Nov 4, 2013 at 10:41
TL;DR
You need to use the following parameter to block all RC4 ciphers (as of Chrome 31 in Ubuntu 12.04 with NSS 3.15)
--cipher-suite-blacklist=0x0004,0x0005,0xc011,0xc007

In Google Chrome on Ubuntu you have to edit the file /usr/share/applications/google-chrome.desktop and add the parameter to each line that starts with Exec=/usr/bin/google-chrome-stable. There should be three overall.

Exec=/usr/bin/google-chrome-stable --cipher-suite-blacklist=0x0004,0x0005,0xc011,0xc007

General Answer to figure it out yourself
The regularly updated list of all ciphers by IANA is already very helpful in determining which ciphers to block, but you might end up blocking more ciphers than your browser actually supports. There is an easier way to first check what ciphers your browser supports and get their hexadecimal values.
Both are provided directly in your browser by visiting the following website of the Leibniz University of Hannover:
For example: In the picture below, the cipher identifiers are on the left side of the table. So, if I wanted to block the two ciphers RSA-AES-128-GCM-SHA256 and RSA-AES256-SHA I would look for (00,9c) and (00,35).
For Google Chrome this means that I have to add the parameter:
--cipher-suite-blacklist=0x009c,0x0035

- How would I do this by blocking ECDHE-RSA-AES128-GCM-SHA256? It seems that /usr/bin/google-chrome-stable --cipher-suite-blacklist=0xc02f doesn't work. – likern, Nov 9, 2016 at 14:06
Google Chrome Version 28.0.1500.95
chrome.exe --cipher-suite-blacklist=0xc007,0xc011,0x0066,0xc00c,0xc002,0x0005,0x0004
0xc007 = ECDHE-ECDSA-RC4128-SHA
0xc011 = ECDHE-RSA-RC4128-SHA
0x0066 = DHE_DSS_WITH_RC4_128_SHA
0xc00c = ECDH_RSA_WITH_RC4_128_SHA
0xc002 = RSA-RC4128-SHA
0x0005 = RSA-RC4128-SHA
0x0004 = RSA-RC4128-MD5

Source list of cipher names matching to spec: https://code.google.com/p/chromium/issues/detail?id=58833
Website to check settings: https://cc.dcsec.uni-hannover.de/

- This seems to blacklist much more than just RC4. Also, since you posted two answers, I deleted your other one. Please make edits instead of multiple posts. – Sep 30, 2013 at 15:33
- This answer works great! I'm especially happy about the link "source list of cipher names..." because the descriptions from www.ietf.org weren't that clear to me and therefore I did not understand where the options with c come from, i.e. I would have added 0x0011 instead of 0xc011. But 0x0011 does not work. – king_julien, Oct 21, 2013 at 16:28
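The "figure it out yourself" answer above points at the IANA registry, and the comment just above shows the trap of reading 0x0011 where 0xc011 is meant. The helper below is an added example, not code from any answer or from the Chromium project: it parses a constructed excerpt in the column layout of the IANA TLS cipher-suite registry CSV (only suites named on this page, Reference column left blank), builds the Chrome flag for every suite whose name matches a pattern, and resolves a typed code back to its suite name.

```python
import csv
import io
import re

# Constructed excerpt in the column layout of the IANA "TLS Cipher Suites" registry
# CSV (Value,Description,DTLS-OK,Recommended,Reference). Only suites mentioned on
# this page are included and the Reference column is left blank; a real run would
# feed in the complete registry file downloaded from iana.org instead.
IANA_CSV = '''Value,Description,DTLS-OK,Recommended,Reference
"0x00,0x04",TLS_RSA_WITH_RC4_128_MD5,N,N,
"0x00,0x05",TLS_RSA_WITH_RC4_128_SHA,N,N,
"0x00,0x11",TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,Y,N,
"0x00,0x35",TLS_RSA_WITH_AES_256_CBC_SHA,Y,N,
"0x00,0x66",TLS_DHE_DSS_WITH_RC4_128_SHA,N,N,
"0x00,0x9C",TLS_RSA_WITH_AES_128_GCM_SHA256,Y,N,
"0xC0,0x02",TLS_ECDH_ECDSA_WITH_RC4_128_SHA,N,N,
"0xC0,0x07",TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,N,N,
"0xC0,0x0C",TLS_ECDH_RSA_WITH_RC4_128_SHA,N,N,
"0xC0,0x11",TLS_ECDHE_RSA_WITH_RC4_128_SHA,N,N,
"0xC0,0x2F",TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,Y,Y,
'''


def parse_registry(csv_text):
    """Map each suite to a Chrome-style code: the registry's "0xC0,0x11" becomes "0xc011"."""
    suites = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        hi, lo = (int(b, 16) for b in row["Value"].split(","))
        suites[f"0x{(hi << 8) | lo:04x}"] = row["Description"]
    return suites


def chrome_blacklist_flag(suites, name_pattern=r"_RC4_"):
    """Build --cipher-suite-blacklist=... for every suite whose name matches the regex."""
    codes = sorted(c for c, name in suites.items() if re.search(name_pattern, name))
    return "--cipher-suite-blacklist=" + ",".join(codes)


def describe(suites, code):
    """Resolve a code as typed on the command line (any case, with or without 0x)."""
    key = f"0x{int(code, 16):04x}"
    return suites.get(key, f"{key}: not in registry excerpt")


if __name__ == "__main__":
    table = parse_registry(IANA_CSV)
    print(chrome_blacklist_flag(table))            # every RC4 suite in the excerpt
    print(chrome_blacklist_flag(table, r"_CBC_"))  # CBC-mode suites instead
    for c in ("0x0011", "0xc011"):                 # the leading c selects a different suite
        print(c, "=", describe(table, c))
```

Run against the full registry file the RC4 pattern will also pick up suites not listed in any answer here (the anonymous DH/ECDH RC4 suites, for instance), which is the point of generating the flag rather than copying it.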
If I understand this issue tracking thread, support for disabling some cipher suites in SSL/TLS has been at least partially implemented, but there is no corresponding user interface. It seems to be feasible through command-line arguments (I have not tried). Also, the exact method may change depending on the operating system, since Chrome tends to reuse the functionalities offered by the OS with regard to SSL (contrary to Firefox, which, out of tradition, has always done everything itself).