PPTP Insecure

Understanding the Point-to-Point Tunneling Protocol (PPTP)

When shopping for a VPN service, it is essential to fully understand which protocols are used and included with your service subscription. Just because a VPN company advertises its solution as a “Secure” VPN does not mean it is using the best available security protocols to protect your information. One specific protocol to watch for is PPTP, the Point-to-Point Tunneling Protocol. PPTP is now an obsolete security protocol that used to be the way VPN connections were made, over TCP connections on port 1723. Most VPN services offered today establish this kind of connection over UDP instead. For a secure VPN connection it is crucial that you DO NOT use the PPTP protocol anymore, as it has suffered numerous security breaches through exploited vulnerabilities.


MS-CHAP is Microsoft's version of the handshake protocol, and it is what PPTP uses. Numerous vulnerabilities in both version 1 and version 2 have caused even Microsoft to drop support for it from all of its older operating systems. When MS-CHAP is compromised, an attacker can extract the password hashes from your communications and then easily crack those hashes to get credentials. This means that any website, social media or bank account that requires you to log in would be compromised if your VPN were using PPTP.


Part of the key exchange process used by MS-CHAP is the RC4 cipher, which by default uses the same public key in both directions of the transaction and has also been deemed obsolete. This authentication exchange can be easily cracked and deciphered with free open-source tools. In general, regardless of whether it is being used by a VPN service or on a website's front end, the RC4 cipher should be removed and upgraded as soon as possible.


EAP-TLS is the best way to remedy the pitfalls of the PPTP authentication method, but unfortunately you also lose the benefits of the protocol, which makes it pointless to continue using PPTP for a VPN in the long run. To implement EAP-TLS you would have to restructure the client-to-server authentication infrastructure, which negates the positive benefits PPTP provides. At the end of the day, if you are looking into a prospective VPN service for personal or professional purposes, you are advised to avoid any that include the PPTP protocol. Instead, look for a service that offers the IPsec protocol, as it is one of the best, if not the best, protocols for a VPN known to date. If you are unsure which service to look into, try RingVPN and ask them how to get all the benefits of a VPN solution with top-of-the-line security included (without PPTP, of course).
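
One way to check an existing server for the settings discussed above, as an added example that is not part of the original article. It assumes a Linux PPTP server built on pppd, whose options file uses the `require-mschap`, `require-mschap-v2`, `require-mppe*` and `require-eap` directives; the function name and the sample file contents are constructed for illustration.

```python
# pppd directives that turn on the MS-CHAP handshake or MPPE, the
# RC4-based encryption negotiated on PPTP links.
WEAK_DIRECTIVES = {
    "require-mschap": "MS-CHAP v1 authentication",
    "require-mschap-v2": "MS-CHAP v2 authentication",
    "require-mppe": "MPPE encryption (RC4)",
    "require-mppe-40": "MPPE encryption (RC4, 40-bit key)",
    "require-mppe-128": "MPPE encryption (RC4, 128-bit key)",
}


def audit_ppp_options(text):
    """Audit the contents of a pppd options file.

    Returns (findings, requires_eap): findings is a list of
    (line_number, directive, reason) tuples for active weak directives,
    requires_eap is True when EAP authentication is enforced.
    """
    findings, requires_eap = [], False
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # ignore comments and blanks
        if not line:
            continue
        directive = line.split()[0].lower()
        if directive == "require-eap":
            requires_eap = True
        elif directive in WEAK_DIRECTIVES:
            findings.append((lineno, directive, WEAK_DIRECTIVES[directive]))
    return findings, requires_eap


# Constructed sample input, not taken from a real server.
SAMPLE = """\
# options file for a PPTP daemon (constructed sample)
name pptpd
refuse-pap
refuse-chap
#require-mschap
require-mschap-v2
require-mppe-128   # RC4 session encryption
ms-dns 192.0.2.53
"""

if __name__ == "__main__":
    findings, requires_eap = audit_ppp_options(SAMPLE)
    for lineno, directive, reason in findings:
        print(f"line {lineno}: {directive}: {reason}")
    if not requires_eap:
        print("no require-eap directive: EAP (such as EAP-TLS) is not enforced")
```

Commented-out directives are ignored, so only settings that are actually in effect are reported.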