Allow me to go update all of the affected systems I…or at least inform the people I know who…or at least look for relevant…
Okay, no, this is about as close to a useless security finding as I can imagine. And yet, untold amounts of compute (and energy, water, labor, etc.) were expended in creating this report.
There still are stick-in-the-mud ISPs requiring PPPoE, like my Vodafone/OpenReach VDSL service in the UK just a few years ago, and given OpenBSD's prevalence as a router OS, it's not completely marginal, but yes, it would be PPPoE as a client, not as a server, and thus difficult or impossible to exploit.
Reminds me of my friend Jason saying "ATM is the crack pipe of the Bellhead". PPPoE, even more so.
I know of at least a major ISP in Canada who still uses PPPoE (a friend bought special SFP PONs to bypass their router).
GP's reaction saddens me. Both the lack of knowledge and research (just assuming these technologies are not used anywhere, without so much as a single search) and the sheer anti-intellectualism of "why should anyone care about this/keep maintaining it". Security in legacy codepaths matter.
rcoder | 10 days ago
Oh no! It’s a bug in PPP authentication in 2026.
Allow me to go update all of the affected systems I…or at least inform the people I know who…or at least look for relevant…
Okay, no, this is about as close to a useless security finding as I can imagine. And yet, untold amounts of compute (and energy, water, labor, etc.) were expended in creating this report.
/me sighs
fazalmajid | 10 days ago
There still are stick-in-the-mud ISPs requiring PPPoE, like my Vodafone/OpenReach VDSL service in the UK just a few years ago, and given OpenBSD's prevalence as a router OS, it's not completely marginal, but yes, it would be PPPoE as a client, not as a server, and thus difficult or impossible to exploit.
Reminds me of my friend Jason saying "ATM is the crack pipe of the Bellhead". PPPoE, even more so.
vpr | 10 days ago
I know of at least a major ISP in Canada who still uses PPPoE (a friend bought special SFP PONs to bypass their router).
GP's reaction saddens me. Both the lack of knowledge and research (just assuming these technologies are not used anywhere, without so much as a single search) and the sheer anti-intellectualism of "why should anyone care about this/keep maintaining it". Security in legacy codepaths matter.
atmosx | 10 days ago
The irony is that they (supposedly) whine about entropy, so they decided to create more of it…
My ISP uses PPPoE (MAP-E) which is a relatively new tech that is being rollout to quite a few big ISPs in many “western” countries so…
jcelerier | 10 days ago
Bell in canada uses PPPoE for its FTTH offering, that's apparently 3.6 million users
davidbalbert | 10 days ago
At work we use PPP to do IP over serial in situations where Ethernet isn't available. Surprisingly common I think.