Did some analysis on some servers that a partner of ours is hosting:

- TLS 1.0: Hmm, this isn't great
- TLS_RSA_WITH_RC4_128_SHA preferred cipher suite for ALL TLS versions.

I almost barfed at my desk.
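As an added example (not from the post or its commenters): a small Python policy check that grades a scanner's output for exactly the two findings above, deprecated protocol versions and a weak preferred cipher suite. The input format (one `version: suite (preferred), suite` line per protocol) and the sample scan are constructed assumptions; adapt `parse_scan()` to whatever your scanner actually emits.

```python
"""Grade offered TLS versions and IANA-named cipher suites against a minimal policy."""
import re

# Constructed sample modelled on the post: TLS 1.0 enabled and the RC4 suite
# preferred under every protocol version the server offers.
SAMPLE_SCAN = """\
TLSv1.0: TLS_RSA_WITH_RC4_128_SHA (preferred), TLS_RSA_WITH_AES_128_CBC_SHA
TLSv1.1: TLS_RSA_WITH_RC4_128_SHA (preferred), TLS_RSA_WITH_AES_128_CBC_SHA
TLSv1.2: TLS_RSA_WITH_RC4_128_SHA (preferred), TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
"""

DEPRECATED_VERSIONS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
# IANA suite names: TLS_<key exchange>_WITH_<cipher>_<hash>; the trailing hash is the
# HMAC for CBC/RC4 suites and only the PRF hash for AEAD (GCM/CCM/POLY1305) suites.
SUITE_RE = re.compile(r"^TLS_(?P<kx>.+?)_WITH_(?P<cipher>.+)_(?P<mac>MD5|SHA|SHA256|SHA384)$")
AEAD_SUFFIXES = ("GCM", "CCM", "CCM_8", "POLY1305")

def grade_suite(name):
    """Return the policy problems with one cipher suite (empty list if acceptable)."""
    m = SUITE_RE.match(name)
    if not m:
        return ["unrecognised suite name"]
    kx, cipher, mac = m["kx"], m["cipher"], m["mac"]
    issues = []
    if "RC4" in cipher:
        issues.append("RC4 (prohibited by RFC 7465)")
    if "3DES" in cipher:
        issues.append("3DES (64-bit block cipher)")
    if not kx.startswith(("ECDHE", "DHE")):
        issues.append("no forward secrecy (static %s key exchange)" % kx)
    if not cipher.endswith(AEAD_SUFFIXES) and mac in ("MD5", "SHA"):
        issues.append("HMAC-%s integrity" % ("SHA1" if mac == "SHA" else mac))
    return issues

def parse_scan(text):
    """Yield (version, suite, preferred) triples from the assumed scanner format."""
    for line in text.splitlines():
        version, _, suites = line.partition(":")
        for entry in filter(None, (e.strip() for e in suites.split(","))):
            yield version.strip(), entry.split()[0], entry.endswith("(preferred)")

def grade_scan(text):
    """Return human-readable findings: deprecated versions, then per-suite issues."""
    findings = []
    for version, suite, preferred in parse_scan(text):
        msg = "%s enabled (deprecated by RFC 8996)" % version
        if version in DEPRECATED_VERSIONS and msg not in findings:
            findings.append(msg)
        for issue in grade_suite(suite):
            findings.append("%s: %s %s: %s" % (version, suite, "preferred" if preferred else "offered", issue))
    return findings
```

A preferred-suite finding under TLSv1.2 is the one to escalate: disabling TLS 1.0/1.1 alone would still leave every client negotiating RC4.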

Comments
  • 1
    I'm almost afraid to ask what the partner's product is.

    Sounds like something I might have worked on. (We had good reasons, I promise.)
  • 0
    Oh shit. Someone is fucked.
  • 1
    @elcore Hardware crypto on an IoT device that can't be changed and only does RC4, but needed maintenance support for 5 years on the market.

    The replacement device wasn't much better (no SHA2!) but it did AES-256.
  • 1
    @elcore believe me, I'd have changed a lot of things if I could, but the hardware was set and there was no changing it, and there was no way to implement anything better until we did a completely new version of the device, which was powerful enough to run Linux and a recent version of openssl.

    Don't think we didn't complain. 😀