On Apr 5, 2012, at 2:51 PM, James A. Donald wrote: > On 2012-04-05 6:55 PM, Marsh Ray wrote: > > So I point out that one of the most commonly-used VPN protocols is > > completely ineffective and this is the reaction I get? Gee I expected > > more from you guys. :-) > > > > Perhaps I just phrased it wrong. Let me try again: > > > > Hey yall! > > There's this here NSA backdoor still lingering around from the 1990's! > > I guess we know what they wanted that big ole datacenter now for huh? > > One of the most commonly-used VPN protocols is completely ineffective. Also, > the pope is Catholic, and bears shit in the wood. > > When I set up a vpn, what usually happens is that the package offers me two > protocols, one that it deprecates as insecure (MS PPTP), and openvpn > > The setup info or the web page tells me that MS PPTP has the great advantage > that it is built in to Microsoft, and the great disadvantage that it is not > secure. > > So I think that pretty much everyone has already heard that MS PPTP is > insecure. Every time I set up a vpn, I am re-reminded, just in case.
Perhaps we're overlooking the fact that vast majority of Small & Medium Business VPN implementations are done by hassled IT people, not security experts who care enough to sign up for encryption mailing lists. Perhaps someone should Scan The Internet(TM) for PPTP (1723/TCP). I assure you it's still very much alive. Edit: Just did a string search on Shodan (free account) and it returned 240 results for "pptp." Keep in mind that's just in http/ftp server headers/banners, snmp attributes, etc. SFAIK it doesn't index other ports. PS People "know" passwords are insecure too, but 'password1' is everywhere. -- bk _______________________________________________ cryptography mailing list [email protected] http://lists.randombit.net/mailman/listinfo/cryptography
