
Title: [Software] PPTP has been cracked - stop using it and migrate ASAP

Author: ccw    Time: 2012-10-26 14:40     Title: PPTP has been cracked - stop using it and migrate ASAP

PPTP is no longer considered a secure VPN technology. PPTP relies upon MS-CHAPv2 which has been completely compromised. If you continue to use PPTP be aware that intercepted traffic can be decrypted by a third party 100% of the time, so it should be considered unencrypted. We advise migrating to another VPN type such as OpenVPN or IPsec.

This is not specific to pfSense, it is the entire PPTP protocol regardless of its implementation.

More information on this can be found at https://isc.sans.edu/diary/End+of+Days+for+MS-CHAPv2/13807 and https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/

We have placed a warning on the PPTP page in 2.1 and 2.0.2 stating this. Other VPN clients may not be as convenient, but PPTP is dead, it's time to move on. This also means that any bugs that are pending for PPTP are not likely to be fixed.

If you insist on using it, or have a client that insists on using it, be aware that it is not providing any real measure of security. In the case of a client requiring it, it may not be a bad idea to make them sign a waiver stating they were informed of this and chose to ignore it.

http://forum.pfsense.org/index.php/topic,54255.0.html

Author: rickywk    Time: 2012-10-26 15:09

Finally cracked....
Sigh!
Author: potato    Time: 2012-10-26 18:00


Author: rickywk    Time: 2012-10-26 20:53

Sigh, this is a nightmare for a lot of admins...
PPTP has been far too popular these past few years, because iPhone/Android support it natively, while L2TP very often gets killed at the firewall...
The NetScreen SSG5 and Cisco PIX 515 at my company both can't pass L2TP through.
Author: XT    Time: 2012-10-26 21:36

How to set up OpenVPN in DD-WRT
Author: ccw    Time: 2012-10-27 14:09

Quote:
Originally posted by rickywk on 2012-10-26 20:53
Sigh, this is a nightmare for a lot of admins...
PPTP has been far too popular these past few years, because iPhone/Android support it natively, while L2TP very often gets killed at the firewall...
The NetScreen SSG5 and Cisco PIX 515 at my company both can't pass L2TP through ...
From Android 4.0 up there is already an app that can connect to OpenVPN without root.
It depends on how Apple plays it, but Apple iOS actually supports IPsec VPN natively too, so whether PPTP lives or dies doesn't affect them much.
Author: ccw    Time: 2012-10-27 14:29

http://doc.pfsense.org/index.php/Android_VPN_Connectivity#Summary

Android VPN support is a complete mess;
what worked on an old version is gone again after upgrading...
Author: rickywk    Time: 2012-10-27 14:52

Quote:
Originally posted by ccw on 2012-10-27 14:09

From Android 4.0 up there is already an app that can connect to OpenVPN without root.
It depends on how Apple plays it, but Apple iOS actually supports IPsec VPN natively too, so whether PPTP lives or dies doesn't affect them much.
It natively supports L2TP, so we'll have to wait for the admins to set up L2TP.

Android... sigh, let's not even go there.
Author: qcmadness    Time: 2012-10-27 14:55

Depends on how you use VPN.

PPTP is convenient enough.
Author: ccw    Time: 2012-10-27 15:08

Quote:
Originally posted by qcmadness on 2012-10-27 14:55
Depends on how you use VPN.

PPTP is convenient enough.
Really it just comes down to whether there's native support.
OpenVPN needs no setup at all: install a setup.exe bundled with the config and you can just double-click the OpenVPN icon to connect.
Author: qcmadness    Time: 2012-10-27 16:08

Quote:
Originally posted by ccw on 2012-10-27 15:08

Really it just comes down to whether there's native support.
OpenVPN needs no setup at all: install a setup.exe bundled with the config and you can just double-click the OpenVPN icon to connect.
Having native support makes a huge difference.
From WinXP onward you can use PPTP without installing anything.
Author: rickywk    Time: 2012-10-27 16:27

Quote:
Originally posted by ccw on 2012-10-27 15:08

Really it just comes down to whether there's native support.
OpenVPN needs no setup at all: install a setup.exe bundled with the config and you can just double-click the OpenVPN icon to connect.
When you have to think about Win/Mac/iOS/Android... you really only consider VPN solutions with native support.
Author: YCST    Time: 2012-10-27 18:22

Looking at the article, the problem is in MS-CHAP v2,
which means Wi-Fi WPA2-Enterprise potentially has this problem too,
not just PPTP VPN.
Author: XT    Time: 2012-10-28 16:57

Quote:
Originally posted by YCST on 2012-10-27 18:22
Looking at the article, the problem is in MS-CHAP v2,
which means Wi-Fi WPA2-Enterprise potentially has this problem too,
not just PPTP VPN.
Actually, once CHAP v2 is broken, a lot of things are affected.
Author: rickywk    Time: 2012-11-3 20:49

Had time today to try out a Win2k8 + L2TP/IPsec server...
Two problems:
1. By default it also relies on MS-CHAP v2; even though it can do EAP, it's only EAP-MSCHAPv2. Although the IPsec PSK provides encryption, as long as you don't switch to a different authorization protocol it's still not secure.
2. If the client machine is behind NAT, from Vista onward you have to change the registry. DLLM M$!
http://support.microsoft.com/kb/926179
Android v4.1 and iOS 5.2 are both fine; it's Windows that needs the change. M$, go die.

Welcome to HKSpot (https://bbs.hk-spot.com/) Powered by Discuz! 6.0 Lite