RC4 has been mathematically weak for quite a while and places like SSL Labs have discouraged its use, but the IETF is now finishing up its final draft for killing the thing off. http://www.theregister.co.uk/2014/12/01/ietf_takes_rifle_off_wall_targets_rc4/ Lots of people switched over to it in the wake of the BEAST attacks, but that has since been mitigated client-side. Most everything hitting your systems these days should be able to handle an AES cipher and I would recommend using them instead and dropping RC4. The only common thing that can't support AES is XP running IE. If you are worried about people on that platform, either have them switch to an alternate browser or run 3DES on the servers instead of RC4 (it's still secure-ish, for the moment). Server 2003 can be patched to support AES: http://support.microsoft.com/kb/948963
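The recommendation above as an added example (not part of the original post): it rewrites a server's cipher-suite preference list so RC4 is gone, AES comes first and 3DES is kept only as a last-resort fallback, then checks what an AES-capable client and an AES-less legacy client would negotiate. The function names and the sample suite lists are constructed for illustration; suite names follow IANA naming.

```python
# Added example: audit and reorder a TLS cipher-suite preference list.
# All suite lists below are constructed samples, not captured from real systems.

def bulk_cipher(suite):
    """Classify an IANA suite name by its bulk cipher (the part after _WITH_)."""
    enc = suite.split("_WITH_", 1)[-1]
    for name in ("RC4", "3DES", "AES"):
        if enc.startswith(name):
            return name
    return "OTHER"

def harden(server_suites, keep_3des_fallback=True):
    """Allow-list: AES suites first (original order kept), then 3DES if wanted.

    RC4 is dropped. Assumption of this example: anything that is neither AES
    nor 3DES is dropped too, which is stricter than the post asks for.
    """
    aes = [s for s in server_suites if bulk_cipher(s) == "AES"]
    tdes = [s for s in server_suites if bulk_cipher(s) == "3DES"]
    return aes + (tdes if keep_3des_fallback else [])

def negotiate(server_suites, client_suites):
    """Server-preference selection: first server suite the client also offers."""
    offered = set(client_suites)
    return next((s for s in server_suites if s in offered), None)

# Constructed: a post-BEAST style server list with RC4 preferred.
SERVER_BEFORE = [
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_MD5",
]
# Constructed: an AES-capable client and a legacy client with no AES suites.
MODERN_CLIENT = ["TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
                 "TLS_RSA_WITH_AES_128_CBC_SHA",
                 "TLS_RSA_WITH_RC4_128_SHA"]
LEGACY_CLIENT = ["TLS_RSA_WITH_RC4_128_MD5",
                 "TLS_RSA_WITH_RC4_128_SHA",
                 "TLS_RSA_WITH_3DES_EDE_CBC_SHA"]

if __name__ == "__main__":
    for label, server in (("before", SERVER_BEFORE),
                          ("hardened", harden(SERVER_BEFORE)),
                          ("hardened, no 3DES", harden(SERVER_BEFORE, False))):
        print(label)
        print("  modern client ->", negotiate(server, MODERN_CLIENT))
        print("  legacy client ->", negotiate(server, LEGACY_CLIENT))
```

A `None` result for the legacy client in the last configuration is the handshake failure to expect if 3DES is dropped as well.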