Re: Fedora crypto policy vs the real world Was: available crypto policies

----- Original Message -----
> From: "Tomas Mraz" <tmraz@xxxxxxxxxx>
> To: "Eric H. Christensen" <sparks@xxxxxxxxxxxxxxxxx>
> Cc: "Hubert Kario" <hkario@xxxxxxxxxx>, security@xxxxxxxxxxxxxxxxxxxxxxx
> Sent: Tuesday, 6 May, 2014 10:24:38 AM
> Subject: Re: Fedora crypto policy vs the real world Was: available crypto policies
> 
> On Mon, 2014-05-05 at 13:26 -0400, Eric H. Christensen wrote:
> > On Mon, May 05, 2014 at 01:20:17PM -0400, Hubert Kario wrote:
> > > ----- Original Message -----
> > > > From: "Eric H. Christensen" <sparks@xxxxxxxxxxxxxxxxx>
> > > > To: "Nikos Mavrogiannopoulos" <nmav@xxxxxxxxxx>
> > > > Cc: security@xxxxxxxxxxxxxxxxxxxxxxx
> > > > Sent: Monday, May 5, 2014 6:38:40 PM
> > > > Subject: Re: Fedora crypto policy vs the real world Was: available
> > > > crypto policies
> > > >
> > > > upcoming
> > > > versions of Microsoft Windows 7 will also stop supporting RC4
> > > 
> > > That sounds nearly too good to be true. Source?
> > 
> > https://technet.microsoft.com/library/security/2868725?altTemplate=SecurityAdvisoryPF
> 
> Huh, but it actually does not disable RC4 support by default. The update
> just enables the possibility to disable it through a registry setting or
> API call.
> 
> "What does the 2868725 update do?
> The update supports the removal of RC4 as an available cipher on
> affected systems through registry settings. It also allows developers to
> remove RC4 in individual applications through the use of the
> SCH_USE_STRONG_CRYPTO flag in the SCHANNEL_CRED structure. These options
> are not enabled by default. Microsoft recommends that customers test any
> new settings for disabling RC4 prior to implementing them in their
> environments."
> 
> So no, Windows won't disable RC4 support by default.

nitpick: Windows 7 doesn't disable RC4 support by default. 
Windows 8 does disable RC4 by default:
http://blogs.msdn.com/b/ie/archive/2013/11/12/ie11-automatically-makes-over-40-of-the-web-more-secure-while-making-sure-sites-continue-to-work.aspx

-- 
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Email: hkario@xxxxxxxxxx
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
--
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/security




