

Microsoft says don't use PPTP and MS-CHAP - Suraj-Sun
http://www.h-online.com/security/news/item/Microsoft-says-don-t-use-PPTP-and-MS-CHAP-1672257.html

======
Mithrandir
Here's Moxie Marlinspike's blog post about the MS-CHAPv2 vulnerabilities:
<https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/>

Bruce Schneier also wrote about MS-CHAPv2 vulnerabilities back in 1999:
<https://www.schneier.com/paper-pptpv2.html>

------
zokier
I don't see anywhere in the KB article advising not to use PPTP. MS only
recommends switching tunneling tech as an alternative to using a more secure
authentication method with PPTP (i.e. PEAP).

Besides the incorrect title, the final remark about OpenVPN is a bit trollish imho.

~~~
juan_juarez
Yeah - why would MSFT suggest an open source solution when they have their own
tech? When have you ever seen MSFT suggest an open solution?

~~~
MattHarrington
You may be surprised to hear that there's lots of stuff happening with open
source here at Microsoft. ASP.NET MVC, the Azure SDKs, and F# are all open
source. Check out this blog for more: <http://blogs.technet.com/b/port25/>.

------
nolliesnom
Does anybody have more information on the claim in this article that WPA2 is
insecure too?

~~~
zokier
It's only insecure if MS-CHAP is used for authentication, i.e. when used in
WPA2-EAP mode. More commonly WPA2-PSK is used, which remains unaffected.

~~~
ajross
In English this means that if you're using the standard "share a single
password for the wifi network" mode that all consumers understand, you're
fine. If you're in an enterprisey environment where you use your own wifi
password that is the same as your login password elsewhere, you're in trouble.

~~~
kbolino
You _may_ be in trouble. There are other forms of EAP that do not use MS-CHAP,
like EAP-TLS.

