PPTP is broken: the oldest "secret" in the industry


Post by cryptostorm_admin » Mon Jan 14, 2013 12:51 pm

Thirteen years ago, two security researchers showed that the proprietary PPTP VPN protocol was broken. Badly broken. It's still broken today.

Despite that, the first consumer-focussed VPN service - Relakks - launched with PPTP as the only VPN protocol available. Why? Simple - because it's simple. PPTP is built into Windows operating systems, because Microsoft was one of the core developers of this proprietary, non-open protocol. So a company offering VPN service doesn't have to make a new "client" application for Windows folks (and PPTP is nowadays baked into most all OS flavours, unfortunately); they can just use the existing interface at the customer OS level. So that saves work, and complexity, and makes it easy to launch a "VPN service" with next to zero technical skills or understanding.

Unfortunately, it also means that trusting customers are counting on a protocol to protect them - PPTP - that is deeply flawed. But that's how the VPN industry evolved.

To this day, many "VPN companies" continue to offer PPTP-based connections, despite the fact that - literally - a kid with an old PlayStation console can brute-force the cryptographic primitives with 100% success in a matter of hours. That's because last year, even more bad news for PPTP came out: not only is the protocol broken, but now passwords used to protect it can be systematically cracked open, 100% of the time, in a few hours' time. With off-the-shelf tools, and not many heavy tech skills either (use of a packet sniffer and a few other such capabilities). As Bruce Schneier summarizes:

Some things never change. Thirteen years ago, Mudge and I published a paper breaking Microsoft's PPTP protocol and the MS-CHAP authentication system. I haven't been paying attention, but I presume it's been fixed and improved over the years. Well, it's been broken again.

He goes on to quote the researchers who operationalized this new attack:

ChapCrack can take captured network traffic that contains a MS-CHAPv2 network handshake (PPTP VPN or WPA2 Enterprise handshake) and reduce the handshake's security to a single DES (Data Encryption Standard) key.

This DES key can then be submitted to CloudCracker.com -- a commercial online password cracking service that runs on a special FPGA cracking box developed by David Hulton of Pico Computing -- where it will be decrypted in under a day.

The CloudCracker output can then be used with ChapCrack to decrypt an entire session captured with WireShark or other similar network sniffing tools.

Schneier is a pretty heavy hitter in the field of security research. He wrote the book, in fact. Literally - he authored Applied Cryptography, and his literary output since then has been both technically robust and widely appreciated beyond the confines of the tech ghetto. Schneier is... Schneier. To security insiders, he's one of the few people in the industry who speaks and we all listen. Always. He's not always right - but he's always well-considered and pragmatic in his analytic approach. These are super rare characteristics in this field. Schneier is a step above.

So when Schneier calls out a protocol - PPTP - as "badly broken" - over the span of more than a decade, that's not background noise. It's core knowledge. PPTP can be categorized, in Schneier's phrase, as "security theater" - it makes people feel like it is making them safer... but in fact it's not, and in giving a false sense of security, it leaves us worse off than nothing at all.

Seriously, PPTP is not a viable security tool. It might be good enough to keep the MPAA off your ass for sharing that Justin Bieber tune, but that's about it. And it might not even do that, if the MPAA goons decide they'll invest a few hours in unzipping all your "encrypted" packets on a whim. Like hiding inside a transparent building, putting your data inside PPTP is at best ignorant and at worst delusional.

PPTP isn't worth its salt, and hasn't been for many years.

Re: PPTP is broken: the oldest "secret" in the industry

Post by jlg » Tue Oct 28, 2014 10:39 am

Not really a secret; it has been known for some time now :-P

Only plebs who throw their money into the hype bandwagon think PPTP is secure & safe for anonymizing connections.