[Ach] VPN related thoughts

Niklaus Schiess nschiess at adversec.com
Mon Nov 25 15:34:56 CET 2013

Hi everybody,

I just noticed this project at last week's Deepsec in Vienna and I think
it is very important. As I read through the paper and the git repo, I
also noticed the lack of information about several VPNs. So I have some
thoughts/questions to share/ask:

* A few days ago a PPTP section was committed
(cc024c061975fe968501401b4782e314fe75fb33). I agree, PPTP is really bad
and should not be deployed anymore due to the lack of integrity and weak
encryption by MPPE (which uses RC4). But the really "broken" part of
PPTP is the MSCHAP-v2 challenge-response authentication. But besides
that, PPTP can also authenticate clients/servers by e.g. EAP-TLS (based
on X509 certificates). Is there a reason why alternative authentication
methods like EAP-TLS aren't/won't be covered in this paper?

* As some kind of successor of PPTP, SSTP
(http://msdn.microsoft.com/en-us/library/cc247338.aspx) should be added
to the VPN section. It's basically just an interlayer to carry PPP
frames within SSL sessions (which by the way also uses MSCHAP-v2 per

* The cipher listing in the OpenVPN section of "available and
recommended" ciphers doesn't include Blowfish (BF-CBC). Why?

Thanks in advance for any answers and keep up the good work! :)

Niklaus Schiess

PGP FP: CB84 8C68 ADDB 6C50 7DF1 4227 F2A6 056A A799 76DA
