Schneier on Security: Microsoft Still Uses RC4

Sep 16, 2025

—

Source URL: https://www.schneier.com/blog/archives/2025/09/microsoft-still-uses-rc4.html
Source: Schneier on Security
Title: Microsoft Still Uses RC4

Feedly Summary: Senator Ron Wyden has asked the Federal Trade Commission to investigate Microsoft over its continued use of the RC4 encryption algorithm. The letter talks about a hacker technique called Kerberoasting, that exploits the Kerberos authentication system.

AI Summary and Description: Yes

Summary: Senator Ron Wyden’s request for an FTC investigation into Microsoft’s use of the outdated RC4 encryption highlights concerns about encryption practices in the face of modern security threats, particularly in relation to the Kerberos protocol’s vulnerabilities such as Kerberoasting. This is highly relevant for professionals in cybersecurity, particularly those focused on encryption standards and authentication systems.

Detailed Description: The recent correspondence from Senator Ron Wyden regarding Microsoft’s utilization of the RC4 encryption algorithm raises significant concerns regarding current encryption practices and their implications for cybersecurity.

– **RC4 Encryption Algorithm**:
– Long considered insecure due to its vulnerabilities, especially given advancements in computational power and cryptographic analysis.
– Wyden’s call for investigation signals an urgency for tech companies to adopt stronger encryption measures.

– **Kerberoasting Technique**:
– A well-known attack that targets the Kerberos authentication protocol.
– It allows attackers to retrieve hashed passwords from service accounts by exploiting the way Kerberos handles ticket-granting.
– This technique emphasizes the importance of robust encryption in maintaining the integrity of authentication systems.

– **Regulatory Attention**:
– Direct involvement from lawmakers indicates increasing scrutiny on tech companies regarding their security practices.
– This aligns with broader trends in governance and compliance where regulations are tightening around cybersecurity measures.

For security professionals, these developments underline the importance of:
– Regular updates to encryption standards.
– Awareness of authentication vulnerabilities.
– Compliance with evolving regulations and ensuring that security practices are not just protective but also aligned with best practices and industry standards.

2 2025 4 5 a account Act advancement advancements AI Aker algorithm All allow analysis and anti Arch art as at ated attack attacker attackers authentication Authentication Protocol authentication system authentication systems aware awareness Best best practices Bi by C CERN CI CIA co Col companies compliance computation computational power concerns Crypto cryptographic Current cyber cybersecurit Cybersecurity cybersecurity measures D de development developments e encryption encryption algorithm encryption practices Encryption Standards end evolving regulations exp exploit exploits face Fed Federal Trade Commission focused for FTC g Gen Go governance Governance and Compliance graph H hack hacker hashed passwords high Highlight HR http HTTPS implications in industry industry standards integrity investigation io J Just k Kerberoasting Kerberos Kerberos authentication Kerberos authentication protocol l law led Li line long low M makers measures Micro Microsoft mission ML Mode Modern modern security N no o of on ons OPM opt ory oS out over passwords phi Power practices pro professionals protocol ps Q R Raise RCE re red regular updates Regulation regulations regulatory Regulatory Attention Ro RoT s schneier sec secure security security measure security measures security practices security professionals security threat security threats Senator Ron Wyden service service account Service Accounts side Sig Signal size sizes source standards STIG system systems T target tech tech companies ted the threat threats to Tor TP trade trends trie under up update updates US use uth utilization V vulnerabilities Ware Well Wi x z