On 04/06/2012 03:23 AM, Peter Maxwell wrote:
> On 5 April 2012 18:06, Marsh Ray <ma...@extendedsubset.com> wrote:
>
>> On 04/05/2012 04:12 AM, Ralf-Philipp Weinmann wrote:
>>
>>> Do you have statistics on that? I remember newer Microsoft and Apple
>>> operating systems supporting L2Sec quite well. And then there are the
>>> Cisco abominations of IPSec that are quite common. But maybe not as
>>> common as SSL VPNs. And let's not forget OpenVPN for the geek
>>> faction. Where did you get the data that PPTP still is "one of the
>>> most commonly-used VPN protocols".
>>
>> Honestly, it's been years since I messed with VPNs and I have not
>> done methodical research. I suspect VPN industry studies are likely
>> to be skewed by selection bias (IT departments who are likely to
>> spend money on a real VPN).
>
> There's two reasons I haven't commented on this (despite it being good
> work):
>
> i. I'm not familiar enough with PPTP, and always avoided it like the
> plague anyway (and that was 10 years ago). Does dial-up not still
> generally use MS-CHAPv2?

Not sure about dialup, but in 802.1x the combination of PEAP/MSCHAPv2 is still quite common (last seen about a week ago). Though without MitM-ing the outer layer (PEAP) it'd be difficult to use the MSCHAPv2 attack because the challenge is not in the clear, I guess.

On the other hand, there's only a handful of people that supply the server cert for 802.1x, so MitM-ing shouldn't be hard in practice.

Ondrej