Talk:Point-to-point tunneling protocol

From Wikipedia, the free encyclopedia

[edit] Link to PPTP password sniffing software

I just want t see what everyone else thinks on this link at the bottom of the article which links to a piece of software allowing users to break into a PPTP connection. The site supplying the software claims that it's meant for showing the risks of using PPTP, but in the wrong hands it could potentially be used for maliciously against a network. Personally I don't like the idea of giving this software publicity to like this.

[edit] Is PPTP insecure by design?

Are long passwords a real protection?

No. Looking at the asleap code it seems that any password that can be found in a dictionary can be broken, in other words it appears to be similar in nature to cracking non-shadowed encrypted passwords from /etc/passwd. Pick a password that can't be found in a dictionary (combine letters/numbers/other characters etc.)

[edit] Inaccuracies and NPOV

OK, correct me if I'm wrong, but for a start it isn't the PPTP protocol itself that is weak, but the MS-CHAPv2 protocol. Here http://blogs.zdnet.com/Ou/index.php?p=21 it is suggested that EAP-TLS with PPTP is secure.

Also, being an encyclopedia article, I think it's hardly correct to make broad unsubstantiated claims like "PPTP is broken" and it "should not be used." I'm not saying PPTP/MSCHAP is a good system, but if you want to keep NPOV then the article should be written from a neutral, factual point of view, rather than giving an opinion/advice IMHO. E.g. state that "Some people believe PPTP is insecure" and give references, or even "this study shows PPTP is insecure in certain situations" and quote the study.

It should be noted that Schneier's 1998 article is based on the outdated MS-CHAP protocol, not the newer MS-CHAPv2. He has another article on his website analysing the v2 protocol and outlining the insecurities fixed in that version.

I agree that this section is badly POV, so I have moved it to the discussion area for more work. I checked on a local network security expert, and he agreed with my assessment.

PPTP Vulnerabilities

The security of PPTP has been entirely broken and PPTP installations should be retired or upgraded to another VPN technology. The ASLEAP utility can quickly recover passwords from PPTP sessions and decrypt PPTP VPN traffic. PPTP attacks cannot be detected by the client or by the server because the exploit is passive.

The failure of PPTP as a VPN protocol is caused by cryptographic design errors in the Cisco LEAP and Microsoft MSCHAP-v2 handshake protocols, and by key length limitations in MPPE. Both LEAP and MSCHAP-v2 derive session keys from user passwords, which are cryptographically weak.

Novasource 03:07, 21 January 2006 (UTC)

Any progress on implementing this section? I'm looking forward to it! --Damsleth 08:22, 29 June 2006 (UTC)

A quote was removed by "The Tao of Mac" because a self-proclaimed computer expert (lacks appropriate security credentials) commented on PPTP in a very short 2 sentence article. Check your sources people. The previously mentioned zdnet is more objectional because they are a)in the field of security b)probably have a better understanding of it and c)contacted Microsoft about PPTP and have responded to their suggestions appropriately. The ZDnet article should be linked in the Wikipedia article. —Preceding unsigned comment added by Moosebutter (talk • contribs) 00:06, 29 April 2008 (UTC)