Overview

In essence, tunneling is a means to protect identifying and sensitive information such as IP address, location, browsing history, and access credentials. Tunneling protects the information using a two-step process. First, data is encapsulated, which puts it into a format that can be transmitted across a network and disguises what type of information is being conveyed. The second step is encryption that prevents anyone intercepting the encapsulated data from decoding it.

Description

SSTP aims to allow users to connect to a remote network device by creating a secure VPN connection. SSTP uses port 443 to send data encapsulated using Point-To-Point (PPP) or Layer Two Tunneling Protocol (L2TP) over a Secure Socket Layer/Transport Layer Security (SSL/TLS) channel. It was developed by Microsoft to integrate data encryption to PPP and L2TP to allow secure remote access over networks. As it was specifically designed to implement secure remote client access, consequently it is not suitable for creating site-to-site VPN tunnels. However, it offers significant advantages when creating a VPN tunnel from a client device to a VPN server.

SSTP embraces the advantages of establishing an SSL protocol, including 256-bit encryption, traffic security checking, and key negotiation. These features offer significant benefits over Point-to-Point Tunneling Protocol (PPTP) and L2TP/IPSec.

User data is encapsulated using the PPP protocol or L2TP and then re-encapsulated using SSTP. SSTP tunnels are created using Transmission Control Protocol (TCP) Port 443, emulating Hypertext Transfer Protocol Secure (HTTPS) traffic. The security of the connection is based on authentication of the SSTP tunnel to ensure only authorized users and services have access and encryption of the data sent along the tunnel once communications are established. The PPP data is encrypted using 256-bit AES encryption based on either Microsoft’s Challenge-Handshake Authentication Protocol (MS-CHAP) or the Extensible Authentication Protocol-Transport Layer Security (EAP-TLS). This the process that allows a user to authenticate with an Internet Service Provider (ISP) server. SSTP servers must be authenticated during the SSL/TLS phase, where an encryption request called a certificate is exchanged. SSTP clients can optionally be authenticated during the SSL/TLS phase and must be authenticated in the PPP/L2TP phase. The use of PPP/L2TP allows support for standard authentication methods, such as EAP-TLS and MS-CHAP. Details of SSTP implementation are available from Microsoft.

SSTP uses the SSL/TLS  channel over TCP 443 port, and traffic may be indistinguishable from regular HTTPS traffic. It may be identified by ISPs or firewalls looking to block VPN traffic. However, it is possible to examine the traffic in transit and identify SSTP header information that will give away that it is not HTTPS traffic. The SSTP header information will be visible as SSTP does not support the use of authenticated web proxies to hide this information.

Advantages

As SSTP was developed solely by Microsoft, it is integrated as a standard feature in all currently supported versions of Microsoft’s operating system. This makes it readily available and straightforward to set up for Windows users, requiring no additional software.

SSTP uses a robust AES algorithm with 256-bit encryption offering levels of security comparable with the OpenVPN protocol. One benefit of using a protocol with a robust encryption algorithm is the protection offered for sensitive information such as data exchanged with online financial or healthcare service providers or the use of e-commerce websites.

Disadvantages and Vulnerabilities

The main perceived disadvantage of SSTP over protocols such as OpenVPN is it is a Microsoft proprietary protocol that is only available as an integrated service for Windows operating systems. The protocol is available for other operating systems such as Linux and Android but is not as straightforward to install and configure. The source code is not available for independent audit for vulnerabilities raising question marks over its security. The close ties between Microsoft and the US National Security Agency (NSA) have led to speculation that backdoors and other vulnerabilities have been integrated into the protocol to facilitate Government monitoring. This is based on the knowledge that PPTP has been broken by the US National Security Agency (NSA). L2TP is rumored to have suffered the same fate. Both these protocols were developed by a consortium that included Microsoft.

SSTP is more restricted in its applications than L2TP due to its design as a remote access protocol, intended for roaming using SSL transmissions rather than site-to-site tunneling. As such, SSTP only supports user authentication and not client device authentication. This can restrict how SSTP is configured and used. Also, unlike OpenVPN, SSTP connections will drop out when switching between networks.

SSTP is one of the families of protocols based on the use of TCP tunnels within a VPN connection over a standard TCP connection prone to the TCP meltdown problem. This situation arises if there is insufficient available bandwidth on the un-tunneled network to guarantee that the tunneled TCP timers do not expire during transmissions. If the available bandwidth is inadequate, then the messaging process fails, and latency dramatically increases. This knock-on effect causes an increased insufficiency in available bandwidth, exacerbating the problem until the point where the TCP tunnel stops operating correctly. This can be a significant issue if a TCP meltdown problem occurs during a critical operation, such as accessing financial services or downloading a torrent file.

The use of a robust encryption algorithm results in a relatively slow encryption speed, which can adversely impact network bandwidth and latency. This makes this protocol unattractive, where large data throughput is required for applications such as multimedia content streaming and online interactive gaming.

Summary

SSTP is considered more secure than PPTP and L2TP/IPSec and is more difficult for ISPs and firewalls to block VPNs using this protocol. This makes it attractive for a general use VPN where privacy protection and sensitive information are the priority rather than the throughput of data. However, as a Microsoft propriety product, its availability for non-Windows-based devices is more limited and, where available, is more complicated to install and configure. The security offered depends on the absence of identified but unpatched weaknesses or deliberately integrated vulnerabilities and backdoor functions. The lack of independent scrutiny of the source code means that flaws may well be known to sophisticated attackers but not reported in the public domain.