by Hawke Robinson published Jul 26, 2016 11:40 PM, last modified Jul 27, 2016 12:26 AM
I stumbled across something that might indicate that Google (correctly in my view), stubbornly refused to include one of the most popular VPN (Virtual Private Network) technologies, the protocol PPTP, because of all the flaws published in my research paper by the SANS Institute, and in a discussion with a Google Chrome OS volunteer developer directly linked to my paper as to the reason why they refuse to implement this technology that is in every other operating system...

If my research paper really did influence their decisions regarding a core technology, that is a very pleasant surprise. I could be reading this wrong, but it sure looks like my research paper, published by the SANS Institute clear back in 2002, may have directly influenced development decisions in Google's Chrome OS, and ongoing as recently as 2014...

Kudo's to them for looking out for their end users, that would otherwise be severely vulnerable if using PPTP. They may "only" be "volunteer developers", and have the usual disclaimers, but since my paper is the number one result for this topic...

They directly reference my research paper!category-topic/chromebook-central/beta/I3Z8Qc_1UYE on the SANS Institute website: Malware FAQ: Microsoft PPTP VPN (by Hawke Robinson).

The developer states: "The foundation of anything done on a ChromeOS system is SECURITY. This causes problems with many commonly used protocols if they cannot meet a minimum acceptable level of security and resistance to hacking. From all appearances PPTP fails that test. Read this detailed Malware FAQ: Microsoft PPTP VPN study from SANS. Their conclusion is: "The best option would be to migrate away from PPTP to one of the other protocols such as IPSec." "

And in response to further urging, he responded with:

"I do understand what you are asking, and all I can say is that it's probably not going to happen, for the reasons I detailed. Don't shoot the messenger. ChromeOS security is not going to get compromised that way."'

Nice that all my efforts were not in vain.

To be clear, the above only validates that a volunteer developer cited my paper, but in the open source world, being run by mostly volunteers, and with none of the other developers refuting his statements to the user, and also that the official OS still does not support this common protocol...

While Microsoft continued to deny, deny, deny, and keep exposing everyone to so many vulnerabilities, Google at least in this instance lived up to their old motto of "Don't be evil", and was looking out for their users.

And here: PPTP (VPN) for Google Chrome OS - Google Chrome OS does not support the PPTP protocol. It only supports L2TP and OpenVPN protocols. Please see the guide for L2TP here and the guide for OpenVPN here. Both these protocols are stronger in encryption than PPTP.

 I am rather surprised that after all these years, people still think PPTP is a viable VPN option. Microsoft has continued to deny. And since PPTP is a much easier to use VPN technology than most of the others, it was arguable the most widely used option, though as tools have become more robust for the other technologies, there has been some significant change. I can't believe that as recently as 2014 a major company cited my 2002 research, and that the debate was still fresh in 2015!

I am glad my hours of research work helped protect at least a few people, and that at least one of the Google Chrome developers found my paper of value in standing up to what was probably considerable pressure to add a feature available in all the other operating systems.