Also known as the Point to Point Tunneling Protocol, PPTP has historically the most common protocol in the world of Virtual Private Networks, providing the data of VPN users with a reliable way to protect their data as they surf the web, send emails or buy products online.

This post is a handy primer for anyone asking what is PPTP. We’ll introduce a few aspects of this crucial online security tool, looking at where it comes from and how it works. We’ll also have a look at some of the pros and cons of the PPTP protocol, and whether PPTP security still measures up in the modern world.

The history of PPTP: how it started

There’s nothing new about PPTP, and as we’ll see, many security experts feel that it’s past its use by date. The PPTP protocol first appeared back in 1995, when it was introduced by Microsoft for use in Windows-based private networks, although it had been in development for a decade before that.

PPTP built on an earlier standard known as PPP (Point to Point Protocol), which as you might expect, lacked the security provided by “tunneling”, which we’ll get onto in a moment.

After its introduction, PPTP was included in every version of Windows, and also became a staple of Linux users after 2005, while many VPNs started to use it as an effective way to wrap users’ data securely.

However, since its introduction, there have been doubts about PPTP security. Experts raised alarms about “man-in-the-middle attacks”, where criminals interposed between two connections without being detected. Others have identified problems relating to “brute force” password attacks, encouraging VPN providers to find new ways to secure their networks.

The meaning of PPTP

PPTP is a protocol – meaning that it represents a standard set of rules by which computers communicate with each other. Without protocols, the internet wouldn’t be possible, and they need to be standardized to allow the net to operate worldwide.

How does it work?

What PPTP does is to encrypt data on a user’s computer according, before creating a “tunnel” between the user and whoever they seek to make a connection with. The tunnel makes sure that the connection is made with a protective layer, providing (in theory) protection against infiltration from start to finish. At both ends of the tunnel, PPTP also authenticates the data packets being transferred, beginning and completing the process.

As far as the PPTP port settings go, when you use the protocol, your system employs a specific PPTP port, which is both TCP port 1723 and IP port 47.

Why we need tunneling protocols during the VPN process

Without PPTP, VPNs would not have been possible. Most web traffic is transmitted via the TCP/IP standard, and PPTP was designed specifically to create tunneling based on TCP/IP.

TCP/IP in itself offers almost no security. It’s simply a means of moving data packets around, and can be easily inspected at any stage in the transmission process.

With a PPTP-based tunnel in place, data moved around via TCP/IP can be “wrapped” in a layer of security, encrypted, and authenticated at either end, making things much more difficult for would-be snoopers.

Is PPTP secure?

Security is probably the major drawback of using PPTP in the VPN process. In fact, many security experts now advise businesses to completely avoid PPTP based systems, even if it’s convenient to use Windows protocols out of the box.

From the very beginning, using a PPTP server has been a risky idea for security conscious web users. By 1998 (three years after the protocol was launched), hackers had published ways to extract password hashes from users employing the MS-CHAPv2 authentification protocol, which is part of the PPTP package.

Hackers can also get hold of users’ RC4 keys, which opens up even more devastating vulnerabilities. In fact, with this exploit, attackers can easily decrypt any traffic processed by a PPTP-based VPN, rendering the VPN obsolete.

Then there are problems with the tunneling process, where experts have highlighted the lack of integrity tests on PPTP encrypted packets, allowing hackers to access the contents of data packets and even change them if they desire.

Obviously, none of this is desirable for business or personal users of VPNs, but many Virtual Private Networks still use PPTP for a variety of reasons.

Summarizing the pros & cons

Before we totally write off PPTP as a basis for effective VPNs, it’s handy to run through the advantages and disadvantages of the protocol.

PPTP advantages:

  • PPTP comes packaged with Windows and is a widely used standard, making it convenient for everyday users.
  • Using PPTP is comparatively easy, as it doesn’t use an IPsec layer, reducing the need to install extras like public key infrastructure or computer certificates.
  • It’s cheap as well as easy, making setting up PPTP-based VPNs a popular option for small businesses without huge IT resources.

PPTP disadvantages:

  • As we’ve seen above, using a PPTP server comes with added security risks compared to public available alternatives (see below).
  • Performance of PPTP tends to deteriorate when large amounts of data are being handled, making it sub-optimal for streamers or torrenters.
  • PPTP will usually necessitate the use of a PPTP passthrough, as many routers from some manufacturers don’t work well when it’s used with VPNs.

Alternatives to PPTP

Given the real security concerns around PPTP, it’s not surprising that developers have come up with alternatives with more focus on performance and security (and it’s also not surprising that many of these come with added costs for professional users).

    • If you’re asking yourself is PPTP secure, OpenVPN is one of the most popular and trusted alternatives. It doesn’t come as standard on Linux, Windows or smartphone platforms, so some extra software may be needed to set up clients and an OpenVPN passthrough, but high-quality VPN providers usually include this setup in their packages. With 256-bit SSL encryption, OpenVPN is right up there with the best security protocols around.
    • L2TP/IPSec is another option. It tends to come bundled with IPsec encryption, unlike PPTP, and is often included with Windows. Developed by Cisco and Microsoft, it’s more expensive but often works well for business VPNs where security really matters.

Know your protocols and stay secure when using a VPN

If you’re tempted to use the cheapest, most accessible free VPNs, think twice about the PPTP protocol. Aside from PPTP passthrough issues, the security concerns around the protocol are just too much for serious users. So think hard and pick a VPN with a protocol you can trust.