After everybody said not to use RC4 any more, Google finally enabled one additional cipher on Google video servers: TLS_RSA_WITH_AES_128_GCM_SHA256.Unfortunately, this cipher is not supported either by Firefox 30 nor by Internet Explorer on Windows 8.1 or earlier.

Users of Firefox will have to wait for the bug 1029179 to be fixed.

This cipher is though supported by Google Chrome and Chromium, so if you’re a user of those browsers, you can finally disable RC4 for everyday browsing. You can do it either by creating a wrapper script, or modifying the shortcut you use to run those browsers to have one additional option:

chrome --cipher-suite-blacklist=0x0003,0x0004,0x0005,0x0017,0x0018,0x0020,0x0024,0x0028,0x002B,0x0066,0x008A,0x008E,0x0092,0xC002,0xC007,0xC00C,0xC011,0xC016,0xC033

This will disable following cipher suites:

• 0x0003 – TLS_RSA_EXPORT_WITH_RC4_40_MD5
• 0x0004 – TLS_RSA_WITH_RC4_128_MD5
• 0x0005 – TLS_RSA_WITH_RC4_128_SHA
• 0x0017 – TLS_DH_anon_EXPORT_WITH_RC4_40_MD5
• 0x0018 – TLS_DH_anon_WITH_RC4_128_MD5
• 0x0020 – TLS_KRB5_WITH_RC4_128_SHA
• 0x0024 – TLS_KRB5_WITH_RC4_128_MD5
• 0x0028 – TLS_KRB5_EXPORT_WITH_RC4_40_SHA
• 0x002B – TLS_KRB5_EXPORT_WITH_RC4_40_MD5
• 0x0066 – SSL_DHE_DSS_WITH_RC4_128_SHA
• 0x008A – TLS_PSK_WITH_RC4_128_SHA
• 0x008E – TLS_DHE_PSK_WITH_RC4_128_SHA
• 0x0092 – TLS_RSA_PSK_WITH_RC4_128_SHA
• 0xC002 – TLS_ECDH_ECDSA_WITH_RC4_128_SHA
• 0xC007 – TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
• 0xC00C – TLS_ECDH_RSA_WITH_RC4_128_SHA
• 0xC011 – TLS_ECDHE_RSA_WITH_RC4_128_SHA
• 0xC016 – TLS_ECDH_anon_WITH_RC4_128_SHA
• 0xC033 – TLS_ECDHE_PSK_WITH_RC4_128_SHA

While setting all of them is not necessary, as some of them are not supported by the currently used NSS, it may change in the future, so… better safe then sorry.

After starting browser with this new settings, head over to a test site run by Leibniz University Hannover, or the other one run by Qualys and double check if no RC4 ciphers are offered by your browser.