Published on August 24th, 2013 | by magnus0
Can NSA Crack VPN?
The NSA surveillance can penetrate VPNs”, writes Thomas Claburn, Editor-at-Large, at informationweek.com on August 1st, 2013. A VPN encrypts the traffic between you and the VPN server and most VPNs rely on 3 protocols to accomplish this, PPTP (Point-to-Point Tunneling Protocol), L2PT (Layer 2 Tunneling Protocol), and OpenVPN.
At least PPTP and L2PT have been hacked, hence most people would find it at least plausible that the NSA can monitor encryption-protected web traffic. This begs the question, can the NSA crack VPN?
It is interesting to note that the Guardian article Claburn references does NOT mention VPNs at all or even encrypted Internet traffic for that matter. Security researcher Askhan Soltani tweets ”This is huge: XKeyscore slides suggest NSA regularly decrypts VPN traffic,” again a claim I was unable to verify using the references provided. But, Moxie Marlinspike (@moxie) showed in a 2012 article that MS-Chapv2 can be cracked with a 100% success rate, leading to the logical conclusion that “PPTP traffic should be considered unencrypted,” because PPTP VPNs use Ms-Chapv2.
Credit where credit is due, the NSA will at least be able to penetrate PPTP-based VPNs. L2TP/IPSec with AES 256 bit key encryption, another protocol used by VPN providers, is the first publicly accessible and open cipher approved, and get this, by the NSA for top secret information, making it at least doubtful that the NSA is able to routinely monitor L2PT/IPSec encrypted traffic.
One problem with L2TP/IPSec is that it is difficult to set up, hence not ideal for consumer applications. OpenVPN, generally considered more secure than L2TP/IPSec, is the least likely penetrated protocol used by VPN providers therefore the safest from this perspective.
Wether the NSA can penetrate all protocols used by VPN providers remains a mystery and before credible evidence to the contrary is available, it is reasonable to consider VPNs using L2TP/IPSec or OpenVPN with strong encryption safe to use.
We have contacted a couple of VPN providers asking for their expert opinions on the matter and will publish their responses once those become available.