PPTP is broken: the oldest "secret" in the industry

Encouraging best practices in the VPN industry via independent, community-certified verification of clean installers and clean basic service operations. Let's reward the good, and make the bad a little bit less tempting 〰 github repo#cleanVPN

PPTP is broken: the oldest "secret" in the industry

Post by cryptostorm_admin » Mon Jan 14, 2013 12:51 pm

Thirteen years ago, two security researchers showed that the proprietary PPTP VPN protocol was broken. Badly broken. It's still broken today.

Despite that, the first consumer-focussed VPN service - Relakks - launched with PPTP as the only VPN protocol available. Why? Simple - because it's simple. PPTP is built into Windows operating systems, because Microsoft was one of the core developers of this proprietary, non-open protocol. So a company offering VPN service doesn't have to make a new "client" application for Windows folks (and PPTP is nowadays baked into most all OS flavours, unfortunately); they can just use the existing interface at the customer OS level. So that saves work, and complexity, and makes it easy to launch a "VPN service" with next to zero technical skills or understanding.

Unfortunately, it also means that trusting customers are counting on a protocol to protect them - PPTP - that is deeply flawed. But that's how the VPN industry evolved.

To this day, many "VPN companies" continue to offer PPTP-based connections, despite the fact that - literally - a kid with an old Playstation console can brute-force the cryptographic primitives with 100% success in a matter of hours. That's because last year, even more bad news for PPTP came out: not only is the protocol broken, but now passwords used to protect it can be systematically cracked open, 100% of the time, in a few hours' time. With off the shelf tools, and not much heavy tech skills either (use of a packet sniffer and a few other such capabilities). As Bruce Schneier summarizes:
Some things never change. Thirteen years ago, Mudge and I published a paper breaking Microsoft's PPTP protocol and the MS-CHAP authentication system. I haven't been paying attention, but I presume it's been fixed and improved over the years. Well, it's been broken again.
He goes on to quote the researchers who operationalized this new attack:
ChapCrack can take captured network traffic that contains a MS-CHAPv2 network handshake (PPTP VPN or WPA2 Enterprise handshake) and reduce the handshake's security to a single DES (Data Encryption Standard) key.

This DES key can then be submitted to CloudCracker.com -- a commercial online password cracking service that runs on a special FPGA cracking box developed by David Hulton of Pico Computing -- where it will be decrypted in under a day.

The CloudCracker output can then be used with ChapCrack to decrypt an entire session captured with WireShark or other similar network sniffing tools.
Schneier is a pretty heavy hitter in the field of security research. He wrote the book, in fact. Literally - he authored Applied Cryptography, and his literary output since then has been both technically robust and widely appreciated beyond the confines of the tech ghetto. Schneier is... Schneier. To security insiders, he's one of the few people in the industry who speaks and we all listen. Always. He's not always right - but he's always well-considered and pragmatic in his analytic approach. These are super rare characteristics in this field. Schneier is a step above.

So when Schneier calls out a protocol - PPTP - as "badly broken" - over the span of more than a decade, that's not background noise. It's core knowledge. PPTP can be categorized, in Schneier's phrase, as "security theater" - it makes people feel like it is making them safer... but in fact it's not, and in giving a false sense of security, it leaves us worse off than nothing at all.

Seriously, PPTP is not a viable security tool. It might be good enough to keep the MPAA off your ass for sharing that Justin Beiber tune, but that's about it. And it might not even do that, if the MPAA goons decide they'll invest a few hours in unzipping all your "encrypted" packets on a whim. Like hiding inside a transparent building, putting your data inside PPTP is at best ignorant and at worst delusional.

PPTP isn't worth it's salt, and hasn't been for many years.