I would argue that VPN with no passphrase isn’t much better, but then, at least the end-user was happy.
I was written up for insubordination in a previous position, because I defied the manager of security’s request to configure PPTP with MS-CHAP(v1) for “legacy clients,” who he couldn’t name.
He was terminated about 6 months later after finding kiddie porn on his home computer. He was using the corporate network as a proxy. Sick people are everywhere.
You're right... I would have argued for a passphrase if the remote client were anything but his home desktop computer; I figured one copy in a fixed installation was probably only going to cause trouble if his computer was stolen from the house, and in that case I could revoke the cert more or less immediately on the server.
> I was written up for insubordination in a previous position, because I defied the manager of security’s request to configure PPTP with MS-CHAP(v1) for “legacy clients,” who he couldn’t name. He was terminated about 6 months later after finding kiddie porn on his home computer. He was using the corporate network as a proxy. Sick people are everywhere.
Good lord. That's really disturbing... both the pr0n crime, and the stupidity crime of using your own corporate network as a proxy, and trying to con another employee into participating. I suppose he didn't want to use TOR or something similarly suitable... anyway, yikes.