This is a PPTP VPN intervention.

Six years ago (sigh), I wrote but never published this blog post begging users to find an alternative to the PPTP VPN protocol. It was already years out of date at that time. Even today, however, well-known companies like ExpressVPN are still providing PPTP to clients despite the fundamentally insecure nature of these types of tunnels. Consider this an intervention.

For years, the Virtual Private Network (VPN) has been a mainstay of those trying to keep snoopers away from their online activities. It's important to keep in mind that a VPN is only one part of a secure and private online presence. Unless a VPN is complemented with additional tools and habits, the security it offers is narrower than many users believe.

There are two main reasons to use a VPN. 

First and foremost, a VPN is a means of encapsulating your network traffic within an encrypted "tunnel". This makes it extremely difficult to see or manipulate that network traffic. This is typically the type of VPN you would use to connect to a corporate intranet, for example to "login to the office from home". It is possible to purchase this type of VPN service, for example from an internet service, data center or virtual hosting provider. Alternatively, a business could configure certain types of routing devices (whether a router as such or a type of dedicated security appliance like a firewall) to provide VPN connectivity.

The second purpose of a VPN is anonymity. Under certain circumstances, a VPN can conceal a user's IP address. Anonymity of this kind is typically not possible when using a corporate intranet, unless it is used maliciously. Corporate VPNs are typically designed specifically to be auditable, so that malicious network behavior, and who was responsible for it, can be identified after the fact. In order to anonymize traffic, VPN providers must carefully configure the equipment providing the VPN tunnel to make it very difficult to fully audit connections to those tunnels.

This has obvious appeal for criminals, who might use VPNs to hide their behavior on the internet. The situation isn't as black and white as it sounds, though. Some of the "criminals" using VPNs are simply trying to read a newspaper online that has been banned by their government, or to publish unpopular speech.

Users should exercise caution when using a third-party VPN provider, though. Whatever promises a VPN provider makes are just that: promises. It is practically impossible for most users to verify just how secure a VPN provider is. Users must still trust that the VPN provider lives up to their word about server or network architecture, logging practices, etc.

Despite that, users still have some control over just how good or bad their VPN security experience will be, and it has to do with protocol selection. Identifying a secure VPN requires information about how the VPN is set up that we might not have access to. But identifying a bad VPN is often straightforward. Any VPN connection using an insecure VPN protocol will itself be insecure, and users can always see which VPN protocol they are using.

There is one protocol in particular that has lingered well past its utility, and should be avoided at just about all costs: PPTP.

For many, many years, Microsoft's Point-to-Point Tunneling Protocol (PPTP) was the default VPN solution for Windows. I mean this in the literal sense - PPTP capability was installed as part of Windows starting all the way back in NT 4.0 and remains a component of Microsoft's OS networking suite as of Windows 8.1.

Microsoft's PPTP relies on a proprietary version of the Challenge-Handshake Authentication Protocol called MS-CHAP, for which there are two versions - MS-CHAPv1 and MS-CHAPv2 - which, as the name implies, handles authentication for initiating a VPN tunnel (MS-CHAP has commonly been used in a variety of other scenarios as well, like RADIUS). Meanwhile, PPTP relies on Microsoft Point-to-Point Encryption (MPPE) to actually encrypt the data transferred through the tunnel.

From its inception to this day, PPTP and the technology that underlies it have been riddled with significant security issues. The definitive cryptanalysis of the original PPTP platform using MS-CHAPv1 was published by Bruce Schneier and Peiter Zatko ("Mudge" of l0pht) in 1998. Their own summary of their findings demonstrates how ugly the truth was:

  • password hashing -- weak algorithms allow eavesdroppers to learn the user's password
  • Challenge/Reply Authentication Protocol -- a design flaw allows an attacker to masquerade as the server
  • encryption -- implementation mistakes allow encrypted data to be recovered
  • encryption key -- common passwords yield breakable keys, even for 128-bit encryption
  • control channel -- unauthenticated messages let attackers crash PPTP servers

PPTP VPN servers were susceptible to simple spoofing DoS attacks, passwords could be recovered, data could be decrypted and the protocol relied entirely on user passwords as an encryption key (compare such an archaic method with PSK encryption schemes which were available at the same time). As early as the late '90s, software suites capitalizing on the insecurity of the Microsoft platform became widely circulated (like l0phtcrack).

To their credit, Microsoft reacted quickly with an update: MS-CHAPv2 was introduced, and a variety of issues were resolved. The number of sessions was no longer leaked by VPN servers, spoofing became more difficult, bi-directional keys were added to prevent decryption using XOR, and the packet structure was updated to remove a mechanism that allowed remote attackers to spoof password failure transactions to DoS a VPN server.

With that said, Microsoft continued to offer support for MS-CHAPv1 for years, including in new products released after Microsoft was well aware of just how insecure their product was. The old PPTP implementation would not be deprecated until the release of Windows Vista in January 2007, eight years after the Schneier/Zatko cryptanalysis paper was published. Given the ease with which a transition could be accomplished from MS-CHAPv1 to MS-CHAPv2, it is impossible to reconcile a delay of that length with a genuine concern for user security. Those who continue to entrust mission-critical security infrastructure to Microsoft products would do well to think long and hard about this episode in the company's history.

That is not to say that the revised PPTP using MS-CHAPv2 is a good protocol. PPTP is not a good protocol and should be completely abandoned.

Many of the problems with the original protocol remain in the new revision. A year after their first publication, Schneier and Zatko released a second cryptanalysis of the new PPTP platform. As in the first version, the protocol's entropy remained completely dependent upon a user's password and vulnerable to passive brute-force techniques. Therein lies the crux of the problem.

Fundamentally, a PPTP tunnel relies on an RC4 hash that in turn is used to encrypt three DES ciphers. In 1998, the Electronic Frontier Foundation's $250K "Deep Crack" platform won the DES Challenge II-2 by decrypting a DES-encrypted message in a mere 56 hours. "Deep Crack" was a single computer. Before the turn of the millennium, brute-forcing a relatively strong PPTP password would have been a tall order with commonly available computational resources. Few hackers could afford a quarter-million-dollar box. That said, the claim that PPTP could ever provide security against a state-level attacker was always fanciful. VPN providers like Pirate Bay's iPredator continue to provide PPTP VPN service marketed as protection against government surveillance. Such a claim is among the worst kind of IT service malpractice imaginable, given the possible consequences to an activist or whistleblower who incorrectly entrusts their safety to such a service. It is not hyperbole to say that lives are literally at stake.

[Image: iPredator VPN advertisement]
iPredator's VPN service landing page as of 2015. iPredator continues to offer PPTP VPN.

Fifteen years later, brute-forcing a PPTP tunnel RC4 hash can be accomplished within 24 hours by uploading the data to a service called CloudCracker. At the time of its release in 2012, the service relied on a single 40-core, 48-FPGA system built by Pico Computing. Furthermore, an open-source application called chapcrack can be used on its own or in conjunction with CloudCracker to fully decrypt sessions and tunnel password information. There are a number of other effective auditing tools as well; mschapv2acc comes to mind immediately (I apologize if I have left your own project out).

At this point, anyone with even the most basic technical acumen and a $300 laptop can decrypt a PPTP session. The idea that a VPN like this would inhibit surveillance from a state actor, as iPredator claimed, is laughable.

I have gone after PPTP not because it is the only insecure VPN platform, but because it is very likely the most commonly used insecure VPN platform. PPTP remains in wide circulation. It is long past due for PPTP to go the way of acoustic couplers and glide gracefully into the great beyond.
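
Because PPTP remains in wide circulation, it helps to be able to spot it on a network you are responsible for. The following is an added example, not code from the original post: it recognizes PPTP control-channel messages in captured TCP payload bytes using the header layout from RFC 2637 (TCP port 1723, fixed magic cookie). The function name and the sample payloads are constructed for illustration.

```python
import struct

PPTP_PORT = 1723            # TCP port of the PPTP control channel (RFC 2637)
MAGIC_COOKIE = 0x1A2B3C4D   # constant present in every PPTP control message
CONTROL_TYPES = {
    1: "Start-Control-Connection-Request", 2: "Start-Control-Connection-Reply",
    3: "Stop-Control-Connection-Request", 4: "Stop-Control-Connection-Reply",
    5: "Echo-Request", 6: "Echo-Reply",
    7: "Outgoing-Call-Request", 8: "Outgoing-Call-Reply",
    9: "Incoming-Call-Request", 10: "Incoming-Call-Reply",
    11: "Incoming-Call-Connected", 12: "Call-Clear-Request",
    13: "Call-Disconnect-Notify", 14: "WAN-Error-Notify", 15: "Set-Link-Info",
}

def identify_pptp(payload):
    """Return a dict describing a PPTP control message, or None if not PPTP."""
    if len(payload) < 12:
        return None
    # Common header: length, PPTP message type, cookie, control type, reserved
    length, msg_type, cookie, ctrl, _ = struct.unpack("!HHIHH", payload[:12])
    if cookie != MAGIC_COOKIE or msg_type != 1:
        return None
    if length < 12 or length > len(payload):
        return None  # truncated or malformed; do not trust the fields
    info = {"control_type": CONTROL_TYPES.get(ctrl, f"unknown({ctrl})")}
    if ctrl == 1 and length == 156:
        # Start-Control-Connection-Request carries version, host and vendor
        ver, _, _, _, _, _, host, vendor = struct.unpack(
            "!HHIIHH64s64s", payload[12:156])
        info["version"] = f"{ver >> 8}.{ver & 0xFF}"
        info["host"] = host.rstrip(b"\0").decode("ascii", "replace")
        info["vendor"] = vendor.rstrip(b"\0").decode("ascii", "replace")
    return info

def sample_sccrq():
    """Constructed sample: a client opening a PPTP control connection."""
    return struct.pack("!HHIHHHHIIHH64s64s", 156, 1, MAGIC_COOKIE, 1, 0,
                       0x0100, 0, 1, 1, 0, 0,
                       b"client.example", b"constructed-vendor")

if __name__ == "__main__":
    print(identify_pptp(sample_sccrq()))
    print(identify_pptp(b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"))  # not PPTP
```

Any match on a network that is supposed to be PPTP-free points to a client or server that still needs migrating to another protocol.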