PPTP, MS-CHAPv2 & IPv6

Dear users,

lately we have received a lot of e-mails from you regarding the security of our VPN.

The first issue is that you are concerned your origin IP address is no longer hidden behind a PPTP tunnel established to us. The second is the large number of articles released on the web about David Hulton's and Moxie Marlinspike's talk on cracking MS-CHAPv2 at Defcon 20. A rough overview is given here.

The first issue relates to an attack in which the origin IP address of a PPTP-tunneled connection is revealed when the client also has IPv6 enabled: the PPTP tunnel carries only IPv4, so IPv6 traffic bypasses the tunnel and leaves the machine from your real address. Since all our install guides describe that IPv6 needs to be turned off where possible, this should not be an issue for you. Furthermore, we block IPv6 traffic from passing through the VPN servers.

Now for the second and most important part. Before David's and Moxie's talk at Defcon 20, it was already known that MS-CHAPv2, the authentication mechanism also used in our PPTP setup, can be broken when weak passwords are used: an attacker who records the handshake can compute the expected response for each candidate password offline, so a simple password is quickly brute-forced. In Cryptanalysis of Microsoft's PPTP Authentication Extensions (MS-CHAPv2), Bruce Schneier and his co-authors conclude that the fundamental weakness of the authentication and encryption protocol is that it is only as secure as the password chosen by the user. The Defcon 20 result goes further: the handshake splits the NT password hash across three DES keys, two of which can be recovered with a single 2^56 DES key search and the third with only 2^16 trials, so an attacker who captures the handshake recovers the hash, and with it the MPPE session keys, regardless of how strong the password is.

That being said, we know that PPTP cannot be a long-term solution for VPN connections and that we urgently need to support other VPN protocols.

Some time ago we started to implement support for OpenVPN connections and let users beta test it. After closing the beta phase, analyzing the problem reports and redesigning the OpenVPN dial-in mechanism, we are now on the way to making OpenVPN available again for you. As a further alternative, we have also started to include support for L2TP/IPsec in the software images deployed to our infrastructure.

In reaction to the attention PPTP security is currently getting all over the web, we have changed our schedule and decided to postpone work on translating the website content, since this eats up a lot of the website's development time. We know that a multilingual site would be a welcome feature, but for now priorities need to shift.

We are working to make OpenVPN and L2TP/IPsec dial-in ready as soon as possible.

The IPredator team