dslreports logo
site
 
    All Forums Hot Topics Gallery
spc

spacer




how-to block ads


Search Topic:
uniqs
1422
share rss forum feed

HD5830Gamer

join:2012-08-14

PPTP question.

Can PPTP be secure as OpenVPN if a random 32 character password is used?

Such as &6483djbdd876y7867dsdhgdyuy

Or does PPTP leak the IP.

Reply thanks.



leibold
Premium,MVM
join:2002-07-09
Sunnyvale, CA
kudos:10
Reviews:
·SONIC.NET

The known security problems (note the plural here since there are many) with PPTP are independent of the quality of the used password. Most of the PPTP security issues center around user authentication and of all the supported authentication mechanism the only one that should still be used today is MSCHAPv2. All other authentication methods should be explicitly disabled on both VPN client and server.

PPTP can be used as a VPN tunnel without encryption. In that case not only endpoint IP addresses but the entire tunnel communication is leaking. Once again, it won't matter how good your password is if you allow PPTP client and server to establish an unencrypted tunnel.

Besides the authentication problems there are also issues with key discovery by a third party listening to encrypted PPTP traffic. Stateful encryption keeps using the same key for many packets which can reveal a sufficient number of bits of the key just from the IP headers alone to speed up brute force discovery of the actual key. Using 128-bit keys and stateless encryption helps because a new key is used for every single packet.

Statistical analysis of PPTP packets can reveal the nature (but not the exact contents) of the encrypted communication (this is not limited to PPTP but effects many other tunneling protocols too). This is done by looking at the packet sizes and their timing. In many cases it may not matter if a spy can tell that you are emailing, browsing the web or watching a movie as long as they don't know the contents of the email, website or video. However sometimes people need to hide even the nature of their Internet usage. Enabling PPTP compression has the double benefit of making such statistical analysis more difficult (but not impossible) it also makes it harder to discover key material from fields with known content in the IP header.

PPTP definitely has issues but used properly can still provide a reasonable level of security. It all depends on who you want to protect your communication from and how many resources that person or entity is willing to put at defeating your efforts. I would not trust PPTP or OpenVPN from causing much difficulty for a 3 letter government agency.
--
Got some spare cpu cycles ? Join Team Helix or Team Starfire!


HELLFIRE
Premium
join:2009-11-25
kudos:18
reply to HD5830Gamer

Thought this was already addressed in your older thread HD5830Gamer -- »PPTP vs L2PT vs OPENVPN for defeating Internet censorship..

Did you bother to read the article link I provided? Specifically

...the fundamental weakness of the authentication and encryption protocol is that it is only as secure as the password chosen by the user. As computers get faster and distributed attacks against password files become more feasible, the list of bad passwords-dictionary words, words with random capitalization, words with the addition of numbers, words with numbers replacing letters, reversed words, acronyms, words with the addition of punctuation-becomes larger...

Put another way, you got enough computing power, doesn't matter how long / complex you make the password,
you can just brute force the password.

Also this has nothing to do about "leaking the IP." Something to keep in mind is generally there's no way to
"hide" an IP as that fundamentally breaks the way the internet works, namely end-host-to-end-host connectivity.

Regards

HD5830Gamer

join:2012-08-14

I did read it. What i mean by "leaking the IP" is can PPTP leak the ISP's IP?

And far as OpenVPN or L2TP how much more secure are they?


HELLFIRE
Premium
join:2009-11-25
kudos:18

1 recommendation

reply to HD5830Gamer

said by HD5830Gamer:

I did read it. What i mean by "leaking the IP" is can PPTP leak the ISP's IP?

Not sure why you're so focused on the ISP's IP address here.

»courses.ischool.berkeley.edu/i15···ader.png is the basic structure of an IP packet.
Short answer, the source and destination IP address have to be visible (ie. "leaked"), but the data in each
packet could /should be encrypted by the VPN, or you can wrap this packet in another packet (think mailing
a letter inside an envelop inside a 2nd envelop ) that would prevent the inner packet's IP addresses / data
from being visible.

If you're so interested / concerned about security, you may want to do alittle reading into the fundamentals
of VPN theory and operation -- I personally recommend this title

said by HD5830Gamer:

And far as OpenVPN or L2TP how much more secure are they?

As opposed to what? If it's against PPTP, I'd choose OpenVPN or L2TP any day of the week and twice on saturdays
and sundays. It simply goes back to the fact that the encryption algorithm used in PPTP is simply too weak if you
have a requirement for high security. End of discussion.

Regards

HD5830Gamer

join:2012-08-14

What i mean is it possible for your real IP to leak through PPTP?

And may i ask. What VPN provider do you use? i would like to try it out.


HELLFIRE
Premium
join:2009-11-25
kudos:18

said by HD5830Gamer:

What i mean is it possible for your real IP to leak through PPTP?

Yes your real IP address can leak through ANY VPN, PPTP or otherwise. See my comment about end-host-to-end-host
connectivity.

Regards


leibold
Premium,MVM
join:2002-07-09
Sunnyvale, CA
kudos:10
Reviews:
·SONIC.NET

Whenever you are doing network communication you need a pair of addresses:
- the destination address to which your data should be delivered
- the source address from which you are sending the data (so that any response can be delivered back to you)
Network communication cannot work if you don't have those addresses and they must be visible to all along the network path so that the data can be routed to its destination.

When tunneling is used (regardless of the type) this increases to two pairs of addresses:
- the tunnel endpoint addresses (e.g.: vpn client to vpn server or tunnel gateway 1 to tunnel gateway 2)
- the actual source and destination addresses of the tunneled communication

The tunnel endpoint addresses are sometimes referred to as the outer or envelope addresses of tunneled network communication and they must be visible to all so that the tunnel can function properly. Since this is required functionality I don't consider this leaking an IP address but for somebody concerned about anonymity of their communication it is important to understand that this is taking place.

The actual source and destination addresses of the tunneled communication may be hidden through encryption however there are caveats:
- In many cases the tunnel endpoint address on the vpn client side is the same as the source address of the tunneled communication (the vpn client runs on the same computer that initiates the tunneled communication). Even when tunnel gateways are used the tunnel endpoint address may narrow down the possible sender to a small network (a particular residence or business). This means that even with an encrypted tunnel it is possible to identify at least the source network and possibly the specific computer.
- In some cases the actual source address may be included in the data of the communication (not just in the packet headers). While the actual packet arriving at the destination will have the source address rewritten to point to the tunnel endpoint (so that response data also goes through the same tunnel) the data inside the packet for some network protocols may still reveal the actual source address of the sender (e.g.: an attempt to perform active mode FTP). That would be IP address leaking but it may or may not be useful information (if it is a private network address behind a NAT gateway it is harmless from a privacy standpoint). This type of lP address leakage is independent from the tunnel type that is used.
--
Got some spare cpu cycles ? Join Team Helix or Team Starfire!