back to article Did you know iOS 10, macOS Sierra has a problem with crappy VPNs? You do now

With Apple's iOS 10 and macOS Sierra beta now out in the wild, one important non-feature of the OS is giving some network admins headaches. The latest version of the iPhone/iPad/Mac operating system, released ahead of the iPhone 7 launch, removes support for point-to-point tunneling protocol (PPTP) connections. This means that …

  1. John Crisp

    Rare praise

    I rarely praise Apple for much but this is certainly a good move.

    How long til Microsoft get off their butts and drop support?

    It isn't as if there haven't been other options available for years.

    I suppose it is typical of companies & organisations who can't be arsed to change and will only do so when forced.

    Or has there been pressure applied to keep it to make some peoples lives easier ?

    1. a_yank_lurker Silver badge

      Re: Rare praise

      I wonder how much of this is the PHBs setting IT priorities that have nothing to do with real needs.

    2. Anonymous Coward
      Anonymous Coward

      Re: Rare praise

      If most VPN routers would properly implement reliable IPSec this would not be a problem. But in my experience, if you want a stable VPN connection you either have to run PPTP or a proprietary POS like Cisco's AnyConnect.

      1. Ilsa Loving
        Thumb Up

        Re: Rare praise

        There's another alternative: OpenVPN. It's an SSL-based VPN similar to Cisco's AnyConnect.

        And it's free and open source, and some routers even have direct support for it so you can VPN into home network. 3rd party router firmwares like DD-WRT have supported OpenVPN for years, along with other AAA protocols like Radius.

    3. Anonymous Coward
      Anonymous Coward

      Re: Rare praise

      Where I work, we use a PPTP VPN - with encryption switched off.

      HOWEVER, there are precisely two machines that are reachable across it, and only port 22 is allowed to either of them and the SSH authentication enforces 2-factor authentication. So, you get the simplicity and ease of use with PPTP, and the encryption with SSH and additional authentication security of 2FA.

    4. Anonymous Coward
      Anonymous Coward

      Re: Rare praise

      Work is now frantically updating from pptp to l2tp because the MD cannot login with his ipad XD

  2. cashxx

    SSTP

    I wish Apple would put in support for SSTP. I asked a few years ago and never heard anything back. I said to drop PPTP and replace it with SSTP.

  3. jamesb2147

    Really?

    Who encourages this? Old tech that's still in use needs more than "an announcement from Apple" a few weeks before support is dropped! When my Cisco gear is not going to be supported anymore, I'm given literally YEARS of warning (I think 5 years is Cisco's minimum policy, but I could be wrong).

    Dropping support for insecure protocols is all fine and dandy. Dropping it with weeks of notice, published on an obscure technical part of your web presence (how many clicks from Apple.com does it take to reach this notice?), with no reasonable workaround available is shameless and inappropriate.

    I used to run one of these networks. We didn't specifically use PPTP on our VPN, but I could see us having made that choice at some point in the past and stuck with it to today. I sure as hell never heard anything about this, and the only thing I can say I would have done better is to have run the beta myself before its public release. I can't say for sure that I would have noticed this kind of feature breaking, however.

    And that makes me think bad on Apple. Killing old tech is fine, but we plenty of time and ample warning in the IT departments that eternally understaffed.

    1. Adam 1

      Re: Really?

      Did they not consider popping up a warning whenever you connect to such a VPN for the post 6 months. I mean if a protocol is bad enough from a security perspective to drop entirely, Shirley you can justify nagging anyone still using it and retire it gracefully.

      1. Uk_Gadget

        Re: Really?

        And dont call me Shirley

        1. SleepGuy

          Re: Really?

          Roger.

          1. Jamie Jones Silver badge
            FAIL

            Re: Really?

            Sure, a few weeks is a redicuously small amount of time.

            However, PPTP has been known to be flawed for years, and so any so-called VPN company that still uses it doesn't warrant sympathy, and is lucky not to get sued.

            It's not "Virtua; PUBLIC network" after all

            1. Adam 1

              Re: Really?

              >However, PPTP has been known to be flawed for years.

              Your post is confusing two issues together; the security vulnerabilities in the protocol (which to my mind justify the decision to sunset it) and the length of time that is reasonable for people to get their backsides into gear and use a proper protocol.

              To my knowledge, there has been no amazing breakthrough that has come to light in the past month or so that means that today is the day it's got to go. These vulnerabilities have been publicly known to exist since before Mountain Lion, but they didn't announce their sunset plans any time in the past 3 years to anyone who doesn't visit some obscure forum.

              As a better model, look at how other companies are handling the transition away from sha1 certificates. Whilst the attacks against them are still believed to be impractical, we are coming close enough to realising them that we know they shouldn't be used. The big browser makers no longer accept as secure any sha1 certificate signed after a certain date and once that period has elapsed they won't be trusted at all. Sure owners don't like hearing about broken padlock icons so get properly signed ones.

              1. Jamie Jones Silver badge

                Re: Really?

                Your post is confusing two issues together; the security vulnerabilities in the protocol (which to my mind justify the decision to sunset it) and the length of time that is reasonable for people to get their backsides into gear and use a proper protocol.

                Nah. The only potentially confusing things about my post were the apalling typos!

                You, though, seem to be confusing the issue by comparing the migration off of a protocol reaching EOL with one that reached EOL years ago - what companies still decide to support is immaterial - if you are using a flawed product, migrate off it. Don't continue to use it just because Microsoft or Apple etc. still ship with it.

                To my knowledge, there has been no amazing breakthrough that has come to light in the past month or so that means that today is the day it's got to go. These vulnerabilities have been publicly known to exist since before Mountain Lion, but they didn't announce their sunset plans any time in the past 3 years to anyone who doesn't visit some obscure forum.

                As I said in my post, the timescale is ridiculously short, but:

                As a better model, look at how other companies are handling the transition away from sha1 certificates. Whilst the attacks against them are still believed to be impractical, we are coming close enough to realising them that we know they shouldn't be used.

                Exactly. Fixing the issue before it becomes a problem.

                The PPTP thing has been known for years. Therefore companies should have migrated of it years ago.

                They don't need Apple to tell them when to do so.

                So whilst the timescale is short, they should have migrated years ago already, which is why I have as much sympathy as I would for someone still relying on SHA1 (gnutella, freenet etc. - not just SSL stuff) 10 years after it's been cracked - if Apple then made a similarly short-notice announcement.

          2. Fungus Bob
            Megaphone

            Re: @SleepGuy

            STOP ROGERING SHIRLEY!!!!!

  4. Nate Amsden

    WEEKS

    that's plenty of time to prepare, really. I don't use apple and have never used PPTP but seems weak of them to do.

    Sort of like firefox saying "oh this is not secure https so I won't let you connect no matter you know what you are doing or not".

    But from what I've read at least apple allows a somewhat easy rollback to earlier OS? Such an option doesn't seem to exist for android (maybe it does after rooting or something). I've used android 5 on one pf my note 3s for 4 months now and am happy to stick to 4.4 on my main phone. I keep wifi off so ATT can't sneak in an upgrade when I'm not looking.

    1. hypernovasoftware

      Re: WEEKS

      Reverting to an earlier version of iOS is not supported by Apple.

      1. Richard 12 Silver badge

        Re: WEEKS

        It is effectively impossible to do roll back any iOS update whatsoever.

        Android can be rolled back at will if rooted, however I understand it to be very difficult (perhaps now impossible) otherwise.

        1. Daniel B.

          Re: WEEKS

          iOS rollback is supported, as long as the previous version is still being signed by Apple.

          1. Anonymous Coward
            Anonymous Coward

            Re: WEEKS

            if you do rollback an apple-thing, then you normally have quite a short window until the signing for the just superseded OS is removed.

            you can d/l many previous zipped device-specific iOS's here, for example

            https://ipsw.me/otas/iPhone8,4

            there are a few hackers working on "APTickets", which are a new form of SHSH blobs that might allow you to downgrade, but require you to have saved them previously. . .?

            1. x 7

              Re: WEEKS

              Weeks?

              Bloody pathetic. Takes the average corporate environment months, if not years, to decide and approve new networking solutions. I can see the obvious answer for many would be to cull Apple equipment from the network

              1. Terje

                Re: WEEKS

                While you are generally correct in this, I see that in this case it is unlikely to be a long procedure as the main users of apple crap tend to be bosses that like them because they are expensive and the colored crayon department because they have nice rounded corners. As these two groups are much more important then any others i bet changes will no doubt be rushed through in no time!

              2. Ilsa Loving

                Re: WEEKS

                A company sufficiently large that it takes months or years to make this kind of decision, would have moved away from PPTP a very long time ago. PPTP has been a crap VPN protocol for at least a decade now.

                Absolutely no one should be using it beyond a desperate, last resort, or out of sheer cheapness/laziness, in which case I have a really tiny violin around here somewhere...

                1. David 124

                  Re: WEEKS

                  I disagree.

                  Any company and security pro has totally done away with the need for a VPN to secure data.

                  VPN should only now be in use to bypass geo-blocking.

              3. David 124

                Re: WEEKS

                Hear Hear..

                This will just make us seriously evaluate the huge cost Apple inflicts..

                We ONLY use VPN to access Geo-blocked websites.

                We base secured all our apps and access behind HTTPS in 2003 and don't need a secure VPN.

                PPTP is exactly the correct protocol for us.

    2. kotaKat

      Re: WEEKS

      I hated when Chrome did that cruft and started throwing "Server has a weak ephemeral Diffie-Hellman public key" and locked me out of internal applications.

      Because I can somehow convince a vendor overnight to suddenly become compliant, right?

      1. gnasher729 Silver badge

        Re: WEEKS

        You can convince them quickly if you call support every 15 minutes asking for an update. And ask the other Mac / iPhone users to do the same.

  5. Neil Alexander

    PPTP should have been dead years ago.

    Congratulations go to Apple.

  6. JimmyPage
    FAIL

    Damned if you do, damned if you don't

    Microsoft gave everybody *years* of advance warning that XP was going to go end-of-life when it did.

    Result ?

    Loads of cheapskate big organisations just laid back thinking "we've got plenty of time" and fuck all gets done. Until they wake up and find they out of support.

    Dr. Johnsons comnent about focusing the mind seems approrpiate.

    1. Anonymous Coward
      Anonymous Coward

      Re: Damned if you do, damned if you don't

      In fact if you look at the monthly numbers that El Reg posts fairly regularly, there are still millions of XP users in the US, and it is probably safe to assume the same is true in the EU also.

  7. Dave 15 Silver badge

    windows 10 unusable

    Rendered so by company network which wasnt perfect, strangely enough the one at home is better.

    BUT

    windows 10 is a wart in the a... tract of mankind. This morning I switched on my machine to check a timetable.... 25 minutes later it was still doing an update I didnt ask for, didnt want and was stoppign me doing what I paid good money for a computer to do. I am going to upgrade the machine to windows 7 or linux this weekend.

    Just how an os can make a quad core 2.2 ghz machine with 8 gb high speed ram and a highspeed solid state disk run worse than my old 286 did I really dont know, but windows 10 manages it

    Perhaps we should install software in all the cars on the Microsoft campus, randomly when they want to go to the shops, hospital or work it will just lock doors, seal windows and sit there spending half an hour updating before it allows you to get out???? Perhaps then they will realise what a real PITA this is.

    1. Ilsa Loving

      Re: windows 10 unusable

      Reminds me of when I tried to play an old CGA pinball game, designed for an 8088 computer, on my new 486. It was completely unplayable because it didn't do any CPU frequency checks, so I had approximately 0.25 seconds between launching the ball and seeing a vague blur dropping into the catch at the bottom of the table.

      Those were the days. Kids today will never know the pleasure of adjusting jumpers to change your modem's IRQ and memory addresses!

  8. Anonymous Coward
    Anonymous Coward

    Im glad PPTP has had

    A nail driven into its coffin. However, PPTP is the most widely supported VPN protocol that tends to "just work".

    IPSec is a minefield. Especially with the likes of Checkpoint and their myriad VPN clients.

    It also doesnt help that Windows 10 has dodgy credential management.

    Ive generally been using L2TP with an IPSec policy for a while now and that seems to be almost as easy for users to grasp as PPTP.

    If I had to suggest a decent alternative id suggest Open VPN. Its pretty solid and has wide support for various operating systems and as a bonus is reasonably easy for users to operate.

    1. SleepGuy
      Thumb Up

      Re: Im glad PPTP has had

      A few years ago we switched away from PPTP/IPSec to OpenVPN for both site-to-site and road warriors and it's been absolutely outstanding. Reliability has been amazing and it "just works."

      1. Nolveys

        Re: Im glad PPTP has had

        I've had good experiences with OpenVPN as well. The only issues I've had with it revolved around its reliance on OpenSSL (key generation is a bit of a PITA and it was hit by Heartbleed).

        IPSec is convoluted and weird, setting it up is always a battle.

  9. fnusnu

    This is what happens when management don't listen to their technical staff

  10. Gis Bun

    Errr. I think Apple should of notified users [and organisations] weeks ago. Another Apple failure.

    1. Anonymous Coward
      Anonymous Coward

      They did, the article even points that out. Apple had stuff up on their web site over two months ago, and there were articles about the iOS 10 beta mentioning it as well.

      I agree with those who suggest that maybe they should have had some sort of pop up or similar notification in iOS 9 when connecting to a PPTP VPN, but PPTP's use by date expired years ago.

  11. Anonymous Coward
    Anonymous Coward

    PPTP had a fatal weakness exposed four years ago

    http://www.h-online.com/security/features/A-death-blow-for-PPTP-1716768.html

    If anything, Apple (and everyone else) should have done this several years ago. PPTP is easily crackable, with no way to prevent it.

  12. Anonymous Coward
    Anonymous Coward

    *cough* BT Openreach VPN Client*cough*

    Been told that iPhones belonging to a certain 'national telecoms company' fall over if latest IOS is installed. Dunno mate, was just standing here when some grease monkey whispered those words in my ear.

  13. Anonymous South African Coward Silver badge

    Ding dong the witch is dead...

    About time too.

  14. David Roberts

    OpenVPN?

    Just had a quick look and it isn't supported natively by Windows 10.

    One way round the update which broke some OpenVPN clients last year was to use the built in PPTP client.

    So which solution "just works" for Windows platforms, is still secure, and is easy to set up on a home server?

    I am a little constrained on an upgrade path because I have a noddy VPN running on a Pi for occasional use by people travelling who need to seem to be in the UK and I need to have them all in the UK at the same time to avoid breaking the access for those abroad. Running PPTP because it was easy to set up and it was also supported natively in Windows.

    Thankfully I have no IOS users. Oops; should be iOS. Could be a Cisco kid in there somewhere.

  15. Jimmy Cohen

    I am using Ivacy VPN. They are offering PPTP, L2TP and OpenVPN protocols in Mac app. But, after the launch of Sierra they launched a beta app for Sierra users. This version does not have PPTP and is working fine. Expecting they will soon launch its full version.

  16. David 124

    Even more reason to ditch apple

    We use PPTP because we want a tunnel, NOT for security.

    IKEv2 and L2TP are seriously problematic especially when double-NAT'd or on hotel or Cafe hot-spots.

    We secured all our mail and data access behind HTTPS ages ago, so don't need yet another IT support headache with users calling in cos the VPN doesn't work in the crappy hotel they are in.

    Occasionally for some web systems you need to 'appear' from your home network. PPTP very nicely achieves this with very little overhead. As the overlaying web connections are HTTPS it's nuts to waste performance and bandwidth adding an un-needed layer of security.

    So NO. I think this is a retrograde step and forces adding a layer of security often where one is NOT needed, wasteful and costly in support.

    Think.. what do a company want a VPN for..

    is it security?

    1/ outlook over HTTPS - nope secure by design.

    2/ access to intranet sites - nope these use HTTPS

    3/ access to internal file data.. - Nope these went over to WebDAV-HTTPS 12 years ago

    4/ Access to internal app - Nope these are HTTPS-RDP already secured.

    5/ remote access to work desktop - Nope these went HTTPS-RDP in 2003

    5/ what else is there?

    I would argue that there is very little and the base application access should be default secured without relying on the possible presence of a secured VPN. Fix the security issue AT SOURCE and not rely on the sticky-plaster that a VPN provides. Any admin that states that their security is provided by a VPN is failing to address the fundamental security issues at the base applications.

    In my mind a secure VPN is a temporary work-round or patch to briefly use until a proper solution can be found.

    So what is a VPN for?

    PPTP defines the right usage (in my mind) spot on.

    It is a Point-to-Point tunnel, whereby the user appears to egress onto the internet from a known location (IP Address). It is NOT about providing any form of security or encryption.

    Where is this useful/needed:

    a) accessing a suppliers website (HTTPS) that is locked to IP address block (we have several of these)

    b) accessing geo-blocked websites like the BBC

    c) accessing google search and getting correct country results for your home country

    The geo-block bypass is really the last remaining need for using a VPN and this DOES NOT NEED SECURITY.

    #rant over

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021