Connecting to Microsoft VPN
Christoph Wickert
christoph.wickert at web.de
Tue May 4 13:12:50 UTC 2004
Am Di, den 04.05.2004 schrieb Gary Stainburn um 14:43:
>
> However, if you search the net, you will find MANY documents telling you why
> you should not do this. PPTP is a VERY insecure method.
>
Hey, I never told anybody to use PPTP. In fact, I usually tell people to
use OpenVPN or IPSec.
> (Sorry bit I can't cite anything specific here as it's a while since I
> investigated this stuff - I decided on the more restrictive but more secure
> port forwarding over SSH. (Other methods are available. No guarantee is
> provided either implied..........you know what I mean)).
short:
http://www.schneier.com/pptp.html
long:
http://www.schneier.com/paper-pptpv2.html
Quote:
"7 Conclusions
Microsoft has improved PPTP to correct the major security weaknesses
described in [SM98]. However, the fundamental weakness of the
authentication and encryption protocol is that it is only as secure as
the password chosen by the user."
Ok, it all depends on the password (and not on keys or certs). Now take
a look at:
http://mopo.informatik.uni-freiburg.de/pptp_mschapv2/pptp_mschapv2.html
Quote:
"Conclusions
While testing this software, we used a dictionary of about three
gigabytes containing about 74 million words. Equipped with this, we were
able to derive all passwords used in our test network in about four
hours.
It is true that dictionary attacks tend to fail on good passwords, but
it is enough to have one password to break into a system. The step to
gaining root access (or doing any other kind of abuse) from there is
small."
So I fully agree with you, Garry: Everybody, please do not use pptp. It
might be sufficient for a dialup with your laptop, but I would not dare
using it for a production system.
Christoph
More information about the fedora-list
mailing list