Re: Fedora crypto policy vs the real world Was: available crypto policies

On Tue, 2014-05-06 at 06:41 -0400, Hubert Kario wrote:

> > So no, Windows won't disable RC4 support by default.
> nitpick: Windows 7 doesn't disable RC4 support by default. 
> Windows 8 does disable RC4 by default:
> http://blogs.msdn.com/b/ie/archive/2013/11/12/ie11-automatically-makes-over-40-of-the-web-more-secure-while-making-sure-sites-continue-to-work.aspx

I don't think Microsoft would be held as an example, but still they do
negotiate RC4, as they re-try connecting using RC4 if the first
handshake fails. From a security point of view, their change is useless,
as if I can attack RC4, I can simply make the first attempt to connect
fail, and attack the second that includes RC4.

Nevertheless, we cannot even do what they do (i.e., reconnect using RC4
as fallback). What we do is to set the bar to either allow RC4 or have a
failed connection, and thus force a plaintext session, that is worse
than RC4.

regards,
Nikos


--
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/security




