Monday, June 28, 2010

Outlook 2010 weak email encryption


For reasons Microsoft has not explained, Outlook 2010 changed how it chooses the content-encryption algorithm. If the user certificate (the recipient's) carries no S/MIME Capabilities attribute, Outlook 2010 silently falls back to RC2 with a 40-bit key; neither sender nor recipient gets a warning.
In Outlook 2003 and 2007 the fallback in the same situation was 3DES with a 168-bit key. Outlook 2002 (XP) also fell back to 40-bit RC2.
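A way to see which fallback you actually got, as an added example that is not part of the original post: the content-encryption algorithm is recorded in the clear in the EnvelopedData structure of every encrypted S/MIME message, so the smime.p7m attachment (base64-decoded to DER) can be inspected without any key. The pure-Python DER walker below reports the cipher and effective key size and flags anything under 112 bits (a policy threshold assumed for this example); the OIDs and the RC2 parameter-version table follow RFC 3370 and RFC 2268. The two sample messages are constructed inline as minimal EnvelopedData skeletons, not real Outlook output, and `contains_oid` is a quick presence check for the S/MIME Capabilities extension OID in a DER certificate. The same structure can be cross-checked with `openssl asn1parse -inform DER -in smime.p7m`, which prints the algorithm OID by name.

```python
"""Report the content-encryption algorithm of a CMS/S-MIME EnvelopedData blob.

Added illustration, not code from the original post. Pure Python, DER only
(BER indefinite-length encodings are not handled).
"""

# Content-encryption algorithm OIDs seen in S/MIME EnvelopedData (RFC 3370 etc.).
CIPHER_OIDS = {
    "1.2.840.113549.3.2": "RC2-CBC",
    "1.2.840.113549.3.7": "3DES-EDE-CBC",
    "2.16.840.1.101.3.4.1.2": "AES-128-CBC",
    "2.16.840.1.101.3.4.1.22": "AES-192-CBC",
    "2.16.840.1.101.3.4.1.42": "AES-256-CBC",
}
FIXED_KEY_BITS = {"3DES-EDE-CBC": 168, "AES-128-CBC": 128,
                  "AES-192-CBC": 192, "AES-256-CBC": 256}
SMIME_CAPABILITIES_OID = "1.2.840.113549.1.9.15"   # id-smime-aa-smimeCapabilities
MIN_ACCEPTABLE_BITS = 112                          # policy assumption for this example


def read_tlv(buf, pos=0):
    """Read one DER TLV at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def read_children(value):
    """Yield (tag, value) for each element of a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, child, pos = read_tlv(value, pos)
        yield tag, child


def decode_oid(value):
    arcs, n = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))


def rc2_effective_bits(version):
    """Map RC2-CBCParameter rc2ParameterVersion to the effective key size (RFC 2268)."""
    table = {160: 40, 120: 64, 58: 128}
    if version in table:
        return table[version]
    if version >= 256:                             # >= 256: the value is the bit count itself
        return version
    raise ValueError("unsupported rc2ParameterVersion %d" % version)


def classify_algorithm_identifier(alg_value):
    """Classify a cipher AlgorithmIdentifier SEQUENCE body -> (name, key_bits, weak)."""
    kids = list(read_children(alg_value))
    name = CIPHER_OIDS[decode_oid(kids[0][1])]
    if name == "RC2-CBC":
        # parameters ::= SEQUENCE { rc2ParameterVersion INTEGER, iv OCTET STRING }
        _, version_bytes = next(read_children(kids[1][1]))
        bits = rc2_effective_bits(int.from_bytes(version_bytes, "big"))
    else:
        bits = FIXED_KEY_BITS[name]
    return name, bits, bits < MIN_ACCEPTABLE_BITS


def _search(tag, value):
    if tag == 0x30:
        kids = list(read_children(value))
        if kids and kids[0][0] == 0x06 and decode_oid(kids[0][1]) in CIPHER_OIDS:
            return classify_algorithm_identifier(value)
    if tag & 0x20:                                 # constructed type: descend
        for t, v in read_children(value):
            found = _search(t, v)
            if found:
                return found
    return None


def find_content_encryption(der_bytes):
    """Return (name, key_bits, weak) for the first content cipher in a DER blob."""
    tag, value, _ = read_tlv(der_bytes)
    return _search(tag, value)


def contains_oid(der_bytes, oid):
    """True if the OID occurs anywhere in the DER blob (e.g. as an X.509 extnID)."""
    def walk(tag, value):
        if tag == 0x06:
            return decode_oid(value) == oid
        return bool(tag & 0x20) and any(walk(t, v) for t, v in read_children(value))
    tag, value, _ = read_tlv(der_bytes)
    return walk(tag, value)


# --- minimal DER encoder, used only to build the constructed samples below ---
def der(tag, content):
    if len(content) < 128:
        return bytes([tag, len(content)]) + content
    lb = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def encode_oid(oid):
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))


def encode_int(n):
    return der(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True))


def cipher_alg_id(oid, iv, rc2_version=None):
    params = der(0x04, iv)
    if rc2_version is not None:
        params = der(0x30, encode_int(rc2_version) + params)
    return der(0x30, encode_oid(oid) + params)


def sample_enveloped_data(alg_id):
    """Constructed ContentInfo/EnvelopedData skeleton: no recipients, dummy ciphertext."""
    eci = der(0x30, encode_oid("1.2.840.113549.1.7.1") + alg_id + der(0x80, bytes(16)))
    enveloped = der(0x30, encode_int(0) + der(0x31, b"") + eci)
    return der(0x30, encode_oid("1.2.840.113549.1.7.3") + der(0xA0, enveloped))


# What Outlook 2010 falls back to versus what 2003/2007 used (constructed samples).
OUTLOOK_2010_FALLBACK = sample_enveloped_data(
    cipher_alg_id("1.2.840.113549.3.2", bytes(8), rc2_version=160))
OUTLOOK_2007_FALLBACK = sample_enveloped_data(
    cipher_alg_id("1.2.840.113549.3.7", bytes(8)))

if __name__ == "__main__":
    for label, blob in (("Outlook 2010", OUTLOOK_2010_FALLBACK),
                        ("Outlook 2007", OUTLOOK_2007_FALLBACK)):
        print(label, find_content_encryption(blob))
```

To run it on a real message, pass the base64-decoded bytes of the smime.p7m attachment to `find_content_encryption`; for a certificate, pass its DER to `contains_oid(cert_der, SMIME_CAPABILITIES_OID)` to see whether the extension this post is about is present at all. The walker deliberately does not descend into OCTET STRINGs, so it never mistakes the cipher list inside an S/MIME Capabilities extension for the message's own content-encryption algorithm.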