On Tue, 2014-05-06 at 06:41 -0400, Hubert Kario wrote:
> So no, Windows won't disable RC4 support by default.
nitpick: Windows 7 doesn't disable RC4 support by default.
Windows 8 does disable RC4 by default:
I don't think Microsoft would be held as an example, but still they do
negotiate RC4, as they re-try connecting using RC4 if the first
handshake fails. From a security point of view, their change is useless,
as if I can attack RC4, I can simply make the first attempt to connect
fail, and attack the second that includes RC4.
Nevertheless, we cannot even do what they do (i.e., reconnect using RC4
as fallback). What we do is to set the bar to either allow RC4 or have a
failed connection, and thus force a plaintext session, that is worse