[pptp-server] PPTP Protocol insecurity

Justin Kreger lists at earthling.2y.net
Mon Jul 23 21:25:11 CDT 2001


The article does point out a few truths to the crappiness of
PPTP.  Basically, yes, PPTP is crappy.  But IPSec is not mature enough, nor
easy enough to manage to where it is point and click.  That is where PPTP
is popular, it's much more point and click.  IPSec is much more a WAN
protocol than a VPN protocol.  Perhaps it is time to replace PPTP.

Perhaps this is why Microsoft hacked up Kerberos and used it to replace
NTLMv2, perhaps they realised it was just as insecure as MSCHAPv2.  I think
the only way IPSec could be widely used as a VPN protocol by anybody who
is not a systems engineer type, is for the IETF to release a spec for
login/password authentication in IPSec, perhaps a shared key, to initiate
a temporary secure connection, then some sort of CHAP protected by the
temporary encryption.

Just my two cents

Justin Kreger, MCP MCSE CCNA
jkreger at earthling.2y.net jwkreger at uncg.edu justin at wss.net


On Mon, 23 Jul 2001, Sascha E. Pollok wrote:

> Dear fellows, ;-)
> 
> I know that this discussion might be really held a 1000 times
> but since I read an article regarding the possible
> MSCHAPv2 exploit today, I'd like to ask you people
> for your opinion.
> 
> The paper I read is:
> http://mopo.informatik.uni-freiburg.de/pptp_mschapv2/
> It is in English so go ahead.
> 
> It describes how relatively easy MSCHAPv2 might be
> exploited. So the question that I have to you is:
> 
> Do you worry about it? What do you tell your customers
> and are there good or any alternatives? Ok we could
> put some firewall rules in front of it but that's
> not a solution for most of the dialup-users.
> 
> We could use PPTP on top of IPSEC (like freeswan) but
> that's not really "smooth" and I never tried this
> with a Mac. The problem why we don't want to use
> IPSEC thingies is because of the easy to use PPTP
> features (like assigning IP-addresses, DNS and whatever).
> 
> Anyone?
> 
> Regards,
> Sascha