PPTP discontinued
2014-12-17
We have known for a long time that the PPTP connection method is badly broken, and since Snowden it has been known that PPTP had been compromised by the NSA.
At SecurityKISS we kept the PPTP service running because it was the easiest to set up on mobile phones and tablets.
We warned users that they should not expect confidentiality from PPTP. It was targeted at users who needed to change their IP address for video streaming and for whom confidentiality was not of paramount importance.
There is an old saying in the security world: "there is always a tradeoff between security and convenience". We believe we stood too long on the wrong side of that tradeoff. Today we concluded that the warning is not enough, so we decided to discontinue the PPTP service in SecurityKISS.
We recommend using OpenVPN instead.
For really critical content and secure communication please use end-to-end encryption.
Here is the excerpt from Wikipedia for the technically inclined:
PPTP has been the subject of many security analyses and serious security vulnerabilities have been found in the protocol. The known vulnerabilities relate to the underlying PPP authentication protocols used, the design of the MPPE protocol as well as the integration between MPPE and PPP authentication for session key establishment.
A summary of these vulnerabilities is below:
- MS-CHAP-v1 is fundamentally unsecured. Tools exist to trivially extract the NT Password hashes from a captured MSCHAP-v1 exchange.
- When using MSCHAP-v1, MPPE uses the same RC4 session key for encryption in both directions of the communication flow. This can be cryptanalysed with standard methods by XORing the streams from each direction together.
- MS-CHAP-v2 is vulnerable to dictionary attack on the captured challenge response packets. Tools exist to perform this process rapidly.
- In 2012, it was shown that a brute-force attack on MSCHAP-v2 is equivalent to a single DES key brute-force attack. An online service was presented which is capable of restoring an MSCHAP-v2 passphrase's MD4 in 23 hours.
- MPPE uses RC4 stream cipher for encryption. There is no method for authentication of the ciphertext stream and therefore the ciphertext is vulnerable to a bit-flipping attack. An attacker could modify the stream in transit and adjust single bits to change the output stream without possibility of detection. These bit flips may be detected by the protocols themselves through checksums or other means.
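An added example (not from the original post or from the Wikipedia excerpt) showing two of the excerpt's points with a from-scratch RC4: a key shared by both directions lets the keystream cancel out, and an unauthenticated ciphertext can be altered without the receiver noticing, whereas an encrypt-then-MAC receiver rejects it. The keys, messages and function names are constructed for illustration, and real MPPE framing is not modeled.

```python
import hmac, hashlib

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# Constructed sample values, not taken from any real PPTP session.
SESSION_KEY, MAC_KEY = b"constructed-demo-key", b"constructed-mac-key"
CLIENT_TO_SERVER = b"PAY 0100 EUR TO ALICE"
SERVER_TO_CLIENT = b"OK, REQUEST ACCEPTED."

def keystream_cancels() -> bool:
    """Same key in both directions: XOR of ciphertexts equals XOR of plaintexts."""
    c1 = rc4(SESSION_KEY, CLIENT_TO_SERVER)
    c2 = rc4(SESSION_KEY, SERVER_TO_CLIENT)
    return xor(c1, c2) == xor(CLIENT_TO_SERVER, SERVER_TO_CLIENT)

def flip_in_transit(ciphertext: bytes, offset: int, mask: int) -> bytes:
    """Models modification in transit: XOR one ciphertext byte with mask."""
    return ciphertext[:offset] + bytes([ciphertext[offset] ^ mask]) + ciphertext[offset + 1:]

def receive_unauthenticated(ciphertext: bytes) -> bytes:  # no integrity check
    return rc4(SESSION_KEY, ciphertext)

def seal(plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: append HMAC-SHA256 computed over the ciphertext."""
    ct = rc4(SESSION_KEY, plaintext)
    return ct + hmac.new(MAC_KEY, ct, hashlib.sha256).digest()

def receive_authenticated(packet: bytes) -> bytes:
    """Verify the tag before decrypting; reject any modified packet."""
    ct, tag = packet[:-32], packet[-32:]
    if not hmac.compare_digest(tag, hmac.new(MAC_KEY, ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return rc4(SESSION_KEY, ct)
```

RC4 appears in `seal` only to isolate the effect of the missing integrity check; a replacement design would use a modern authenticated cipher, as OpenVPN configurations can.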
For those who do not feel overwhelmed by the details, here is one more thing that justifies our decision. Security Advisory 2743314 shows that MS-CHAP-v2, which we used and which is the strongest authentication protocol in PPTP, is less secure than was previously believed.
Stay safe and remember to use end-to-end encryption for the critically important stuff.
SecurityKISS Team