PPTP VPN safe?

Discussion in 'privacy general' started by jrmhng, Jun 13, 2009.

Thread Status:
Not open for further replies.
  1. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    Hi all,

    I'm wondering if PPTP VPNs are safe? I've read that weak passwords are easy to crack but what does that mean? What specifically about PPTP VPNs makes weak passwords even weaker? If a strong password is used, will that avoid the problem? Any other issues with PPTP VPNs?

    Thanks
    Jeremy
     
  2. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    PPTP VPN has poor security implementation. It is designed for connectivity, not privacy (a la Microsoft). If you are trying to get privacy or anonymity, you can forget PPTP because it leaks not only your DNS requests but also your normal traffic.
     
  3. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    Thanks for the response Steve. Are there any articles you can reference so I can have a thorough read?
     
  4. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Probably not. Most VPNs have been using PPTP for a while and don't want to disclose these inconvenient facts. Only in the last year or two have the VPN services started to copy our lead and use an OpenVPN implementation, which can also leak but leaks less.
     
  5. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    How does PPTP leak normal traffic? Doesn't it defeat the whole purpose of a VPN? Or was the purpose to allow easy connectivity into a corporate network for example?
     
  6. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Like a sieve. zing! It seems to just stop talking via the connection to the destination if the connection becomes less convenient or if the wind changes directions. When in doubt, blame Microsoft.

    Correct, sir.
     
  7. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    Thanks for your pointers. I will do some further reading!
     
  8. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    PPTP VPN is fine for part time use, which is its primary purpose...say to have someone VPN to the office to gain access to resources internal to the office network.

    Ease of implementation is what made it so popular also, built in client in Windows since Windows 95 and DUN 1.2.

    It doesn't "leak", there are some "man in the middle attacks" which eventually can get in when the connection is up for a long enough period of time. Pretty much attacks simulated in a lab environment..not the real world.

    Most of the attacks are done against the server, not against clients or active tunnels. Long as you have a good user/pass....you're quite safe.

    For full time tunnels..like between branch offices 'n such..IPSec..or better yet...SSL VPN is what's taking over. SSL is taking over nicely for part time remote users also...due to many of the appliances having a very easy to support setup/client install (mostly just a tiny Java-based thin client that installs through the road warrior's browser).
     
  9. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    Thanks for the response. So if no one is actively trying to get into your VPN, PPTP doesn't just 'leak' the contents of the tunnel? But if PPTP is on for a long time, there's enough information from looking at the traffic that may be able to do a man-in-the-middle attack? Any references you can point me to?
     
  10. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Incorrect. PPTP does leak all on its own. Go try a free RELAKKS PPTP VPN demo and watch 100% of your traffic leak because the PPTP connection is unstable and does not support internal DNSing.
     
  11. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    Using a piracy anonymous surfing service and you're wondering about security on information? o_O Wow.

    What do you mean doesn't support internal DNSing? Depends on how the client is set up, it's not part of the VPN itself, it's part of the VPN dialer settings on the client. As well as split tunnel allowance or not.
     
  12. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Relakks claims they provide anonymity. It is a similar claim to others using PPTP, and the result is similar as well. When using the PPTP connection, DNS requests don't end up going through the PPTP connection as the user would suspect. Instead they leak to the default adapter which resolves them using the default DNS/Gateway settings.

    We tested about 5 PPTP providers a few years ago and posted the results here. They all leaked DNS, and most of them leaked the data streams themselves. This should be prevented at the client level, but isn't. This should be prevented through server-side pushed configs, but isn't. It isn't an improper implementation of PPTP, PPTP just isn't sufficiently designed for anonymity or privacy, only connectivity.

    edit: PPTP is not acceptable for anonymity or privacy implementations. MS-CHAP is an authentication protocol for PPTP, but that is like talking about the security of a lock on a door that is wide open. L2TP is not good either. However, L2TP over IPSec is fine. IPSec / GRE on its own is good but brittle. Mixed PPP is fine but rare. SSL is good but you have to be careful about your implementation for the socket connection (DLL hooking? local proxy?). OpenVPN is just TLS, which is the replacement for SSL.
     
    Last edited: Jun 15, 2009
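
The leak behaviour described in the post above (DNS queries and data streams leaving through the default adapter instead of the PPTP link) can be checked from a packet capture. The following is an added example, not part of the original thread; the record format, the interface names `eth0` and `ppp0`, and all addresses are constructed assumptions, and it treats only TCP port 1723 and GRE to the VPN server as legitimate PPTP carrier traffic on the physical adapter.

```python
from dataclasses import dataclass

# Constructed sample of outbound IP packets (not the output of any real tool):
# "<iface> <proto> <src_ip> <dst_ip> <dst_port>"; GRE has no port, written as 0.
SAMPLE = """\
eth0 tcp 192.168.1.10 203.0.113.5 1723
eth0 gre 192.168.1.10 203.0.113.5 0
ppp0 udp 10.8.0.2 10.8.0.1 53
ppp0 tcp 10.8.0.2 198.51.100.7 443
eth0 udp 192.168.1.10 192.168.1.1 53
eth0 tcp 192.168.1.10 198.51.100.7 443
"""

@dataclass(frozen=True)
class Packet:
    iface: str
    proto: str
    src: str
    dst: str
    dport: int

def parse(text):
    """Turn the simplified records into Packet objects, skipping malformed lines."""
    packets = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        iface, proto, src, dst, dport = fields
        packets.append(Packet(iface, proto.lower(), src, dst, int(dport)))
    return packets

def is_tunnel_carrier(pkt, vpn_server):
    """PPTP itself: TCP/1723 control channel and GRE (IP protocol 47) data."""
    if pkt.dst != vpn_server:
        return False
    return pkt.proto == "gre" or (pkt.proto == "tcp" and pkt.dport == 1723)

def find_leaks(packets, tunnel_iface, vpn_server):
    """Return (kind, packet) for every outbound packet that bypassed the tunnel."""
    leaks = []
    for pkt in packets:
        if pkt.iface == tunnel_iface or is_tunnel_carrier(pkt, vpn_server):
            continue
        kind = "dns" if pkt.dport == 53 and pkt.proto in ("udp", "tcp") else "data"
        leaks.append((kind, pkt))
    return leaks

if __name__ == "__main__":
    for kind, pkt in find_leaks(parse(SAMPLE), "ppp0", "203.0.113.5"):
        print(f"{kind.upper()} leak on {pkt.iface}: {pkt.proto} -> {pkt.dst}:{pkt.dport}")
```

On the constructed sample this reports the resolver query to 192.168.1.1 and the HTTPS connection on `eth0`, while the same destinations reached through `ppp0` are not flagged.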
  13. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    A couple of OT posts moved offline.

    Let's keep the discussion focused on the thread topic and not personalities. Thanks in advance.

    Blue
     
  14. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    Just to be clear though, there isn't anything wrong with PPTP as a Tunneling Protocol. It is the MS implementation that leaks DNS? Also, the MS authentication protocol, MS CHAP v1 has a massive hole in it.

    Is this interpretation right?
     
  15. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    No, it isn't limited to MS implementation. PPTP is not appropriate for anonymity, only connectivity in non-critical private networks. PPTP leaks. Period.
     
  16. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    What is wrong with PPTP? How does it leak? Does it leak anything else apart from DNS?
     
  17. I no more

    I no more Registered Member

    Joined:
    Sep 18, 2009
    Posts:
    358
    Here are responses that already answered your questions. Steve has basically said PPTP is inherently flawed and that your traffic may bypass the VPN at any time for any reason. That means that your traffic will flow through your ISP unencrypted (like you're not even using a VPN).

    I don't know if this is correct or not but the answers are all here.


     
  18. stap0510

    stap0510 Registered Member

    Joined:
    Aug 5, 2008
    Posts:
    104
    Believe me, he's right on this.
    Not only does PPTP easily leak data (mainly, but not only, DNS queries), but also doesn't give proper feedback of these sorts of infringements on its security.

    In other words: risky business.
     
  19. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    1) Here he is talking about the MS implementation of PPTP with MS CHAP and not the protocol itself
    2) I would like some sources for what he is claiming.

    I'm reading and the only thing I've come across is that MS CHAP v1 is badly broken and MS CHAP v2 is susceptible to dictionary attacks because the keys are derived deterministically from the password.
     