Re: OT: Microsoft does it again?!


"Mike Amling" <spamonly@xxxxxxxxxxx> wrote in message
news:en9271$2le@xxxxxxxxxxxxxxxxxxxxxxxxxx
John E. Hadstate wrote:


This has not been the case until very recently. Does
anyone have any clues about what's going on here?

Has that particular copy of Outlook 2000 ever used 3DES?
When I used it, Outlook 2000 as shipped would only use
exportable ciphers. There was some kind of upgrade that
you had to find, download, and install to get it to use
3DES. They don't make it easy.


Yes, one key point here is that I fully tested both Outlook
2000 and Outlook Express more than a year ago and both
correctly encrypted with 3DES. I believe the change
happened sometime in the last 6 (?) weeks, possibly as a
result of upgrading (?) to IE7 or perhaps as a result of one
of Microsoft's automatic updates.

Another key point is that Outlook silently ignores the 3DES
setting and switches the encryption to 40-bit RC2. This
seems completely irresponsible to me. Outlook Express at
least generates a warning dialog, but still switches the
encryption to 40-bit RC2.

Today I deleted all my certs and downloaded a complete new
set from Thawte. The results are unchanged.

A colleague at work using Outlook 2003, Windows XP/Pro and
DoD certs (on his CAC card) doesn't see the problem. He can
encrypt to me using 3DES. When I decrypt his messages, they
are reported at my end as 168-bit encryption. He can
decrypt my messages, but he sees them as encrypted with
40-bit RC2.

IE7's help window reports its cipher strength as 128-bit.
Connecting to a financial services site with https shows
another interesting development. If you clicked on the
Padlock Icon, IE6 used to report both the connection type
(SSL, TLS) and the encryption key strength. IE7 reports
neither.


.