EnglishFrenchGermanPolishSpanishTurkishRussianItalianDutchDutch

PPTP discontinued

2014-12-17

We knew for a long time that the PPTP connection method was very broken and since Snowden it was known that PPTP had been compromised by the NSA.

In SecurityKISS we kept the PPTP service running because it was easiest to set up on mobile phones and tablets.

We were warning users that they should not expect confidentiality from PPTP. It was targetted at users who needed to change their IP address for video streaming and where confidentiality was not of paramount importance.

There is an old saying in the security world: "there is always a tradeoff between security and convenience". We believe we were standing too long on the wrong side of that tradeoff and today we concluded that the warning is not enough so we decided to discontinue PPTP service in SecurityKISS.

We recommend using OpenVPN instead.

For really critical content and secure communication please use end-to-end encryption.

Here is the excerpt from Wikipedia for the technically inclined:

PPTP has been the subject of many security analyses and serious security vulnerabilities have been found in the protocol. The known vulnerabilities relate to the underlying PPP authentication protocols used, the design of the MPPE protocol as well as the integration between MPPE and PPP authentication for session key establishment.

For those who do not feel overwhelmed with details here is one more thing that justifies our decision. This Security Advisory 2743314 shows that the MSChap2 we used, which is the strongest authentication protocol in PPTP, is less secure than it was previously believed.

Stay safe and remember to use end-to-end encryption for the critically important stuff.

--------------------------

SecurityKISS Team