CVE-2015-2808 : Bar Mitzvah Attack in RC4

A critical vulnerability is discovered in Rivest Cipher 4 software stream cipher. In cryptography, RC4 is one of the most used software-based stream ciphers in the world. The cipher is included in popular Internet protocols such as Transport Layer Security (TLS).

It is a very simple cipher when compared to competing algorithms of the same strength and boasts one of the fastest speeds of the same family of algorithms. It is estimated to protect as much as 30% of SSL traffic. Though it is the most popular binary additive stream cipher, it suffers a long known (a 13-year-old vulnerability!!!) weakness known as Invariance Weakness.

From Mitre : “The RC4 algorithm, as used in the TLS protocol and SSL protocol, does not properly combine state data with key data during the initialization phase, which makes it easier for remote attackers to conduct plaintext-recovery attacks against the initial bytes of a stream by sniffing network traffic that occasionally relies on keys affected by the Invariance Weakness, and then using a brute-force approach involving LSB values, aka the “Bar Mitzvah” issue.”

As we told in the above RC4 cipher is used in TLS protocols, which means all Clients and Servers with RC4 cipher enabled are vulnerable.


How to check if RC4 is enabled in web browser ?

Click here to check SSL cipher suite details of your browser, which will list RC4 in the cipher suite list if RC4 is enabled in your browser as show in the below picture.

RC4 Cipher
RC4 Cipher is enabled!!


How to check if RC4 is enabled in web server ?

    1. Run the following openssl command (testing server is

openssl s_client -cipher RC4 -connect

    1. Output of the above command:


Case 1

      • : If RC4 is enabled in, command should produce something like
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-RC4-SHA
Cipher    : ECDHE-RSA-RC4-SHA

Case 2

      • : If RC4 is disabled in, command should produce something like
140355035514528:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:770:

How to disable RC4?

    1. In Web Browsers:

Google Chrome and Opera:

    To disable RC4 cipher in Google chrome and Opera you will have to start those applications with the following parameters:

Mozilla Firefox:

      • Open configuration page by typing about:config in the address bar of Mozilla Firefox.
      • Enter RC4 in ‘Search’ bar.
      • As search result you see the various cipher combinations that use this encryption standard. Double-click on each lines to toggle them from “true” to “false”.
RC4 Cipher in Mozilla Firefox
RC4 Cipher in Mozilla Firefox

Internet Explorer:

      • The RC4 cipher can be completely disabled on Windows platforms by setting the


      • (REG_DWORD) entry to value


      • in the following registry locations:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128


    1. In Web Servers:


    • You need to have


    • in


    line of your configuration file.

Microsoft Internet Information Server:

    • The procedure for disabling RC4 in Internet information server is the same as disabling RC4 in Internet Explorer as discussed



Update your conf/jboss-service.xml to disable RC4 cipher. You have to remove RC4 cipher from cipher suite list

<Connector port="8443" address="${jboss.bind.address}"
maxThreads="150" strategy="ms" maxHttpHeaderSize="8192"
scheme="https" secure="true" clientAuth="false"
sslProtocol = "TLS"

We strongly suggest configuring your web server and browser as shown above.

SecPod Saner detects these vulnerabilities. Download Saner now and keep your systems updated and secure.

– Kumarswamy S

Subscribe For More Posts Like This

Get the latest research, best practices, industry trends and cybersecurity blogs from SecPod security experts

Invalid email address
We promise not to spam you. You can unsubscribe at any time.
0 0 votes
Article Rating
Notify of
Newest Most Voted
Inline Feedbacks
View all comments
Desert Safari Deals

Hi there to every one, the contents present at this site
are actually remarkable for people knowledge, well, keep up the good work fellows.