Sunnyvale, CA
reply to HD5830Gamer

Re: PPTP question.

The known security problems (note the plural here since there are many) with PPTP are independent of the quality of the used password. Most of the PPTP security issues center around user authentication, and of all the supported authentication mechanisms the only one that should still be used today is MSCHAPv2. All other authentication methods should be explicitly disabled on both VPN client and server.

PPTP can be used as a VPN tunnel without encryption. In that case not only endpoint IP addresses but the entire tunnel communication is leaking. Once again, it won't matter how good your password is if you allow PPTP client and server to establish an unencrypted tunnel.

Besides the authentication problems there are also issues with key discovery by a third party listening to encrypted PPTP traffic. Stateful encryption keeps using the same key for many packets, which can reveal a sufficient number of bits of the key just from the IP headers alone to speed up brute-force discovery of the actual key. Using 128-bit keys and stateless encryption helps because a new key is used for every single packet.

Statistical analysis of PPTP packets can reveal the nature (but not the exact contents) of the encrypted communication (this is not limited to PPTP but affects many other tunneling protocols too). This is done by looking at the packet sizes and their timing. In many cases it may not matter if a spy can tell that you are emailing, browsing the web or watching a movie as long as they don't know the contents of the email, website or video. However, sometimes people need to hide even the nature of their Internet usage. Enabling PPTP compression has the double benefit of making such statistical analysis more difficult (but not impossible) and making it harder to discover key material from fields with known content in the IP header.

PPTP definitely has issues, but used properly it can still provide a reasonable level of security. It all depends on who you want to protect your communication from and how many resources that person or entity is willing to put into defeating your efforts. I would not trust PPTP or OpenVPN to cause much difficulty for a 3-letter government agency.
Got some spare cpu cycles ? Join Team Helix or Team Starfire!
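
The settings recommended in the post above (MSCHAPv2 only, encryption mandatory, 128-bit keys, stateless mode), written as an audit of a server options file. This is an added example, not part of the original post: it assumes a Linux pptpd server configured through a pppd options file, uses option names as documented in pppd(8), and both sample files are constructed.

```python
"""Audit a pppd options file against the PPTP settings recommended in the post."""
# Options that must be present (names as documented in pppd(8)).
REQUIRED = {
    "require-mschap-v2": "MSCHAPv2 is not required from the peer",
    "refuse-pap": "PAP is not refused",
    "refuse-chap": "CHAP is not refused",
    "refuse-mschap": "MSCHAPv1 is not refused",
    "require-mppe-128": "128-bit MPPE is not required, tunnel may be weak or unencrypted",
}
# Options that must be absent.
FORBIDDEN = {
    "noauth": "peer authentication is switched off",
    "nomppe": "MPPE encryption is switched off",
    "mppe-stateful": "stateful MPPE is allowed (same key reused across packets)",
}

def options_in(text):
    """Return the set of words in an options file, ignoring '#' comments."""
    words = set()
    for line in text.splitlines():
        words.update(line.split("#", 1)[0].split())
    return words

def audit(text):
    """Return a list of (option, problem) findings; an empty list means a pass."""
    present = options_in(text)
    findings = [(o, why) for o, why in REQUIRED.items() if o not in present]
    findings += [(o, why) for o, why in FORBIDDEN.items() if o in present]
    return findings

# Constructed sample: a permissive server options file.
WEAK = """\
name pptpd
require-mschap-v2
mppe-stateful      # allow stateful mode
# refuse-pap
"""
# Constructed sample: the settings the post recommends.
HARDENED = """\
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
nomppe-stateful
"""
if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(cfg) or "OK")
```

The same checks apply to the client side, since the post asks for the other authentication methods to be disabled on both ends.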