Wait! We Have a Special Deal!

Get CactusVPN for $3.5/mo!

Save 64% Now
30-Day Money-Back Guarantee

What Is SSTP? (Your Guide to the SSTP VPN Protocol)

What is SSTP?
SSTP is a pretty well-known VPN protocol - especially among Windows users. But what is SSTP, actually? And how does it work and compare to other VPN protocols? Well, in this article, we’re going to offer you an in-depth guide on everything you need to know about the SSTP VPN protocol.

What Is SSTP?

SSTP (Secure Socket Tunneling Protocol) is a VPN protocol that was developed by Microsoft, and introduced by them with Windows Vista. Newer Windows versions have been offering native support for the SSTP VPN protocol since then.

The protocol is designed to secure online data and traffic, and is considered a much safer option for Windows users than PPTP or L2TP/IPSec.

How Does the SSTP Protocol Work?

SSTP works by establishing a secure connection between a VPN client and a VPN server. Basically, the protocol creates a secure “tunnel” between the client and the server, and all the data and traffic that passes through that tunnel is encrypted.

Like PPTP (Point-to-Point Tunneling Protocol), SSTP transports PPP (Point-to-Point Protocol) traffic, but – unlike PPTP – it does it through a SSL/TLS channel. Because of that, SSTP offers significantly more security than PPTP since SSL/TLS provides traffic integrity checking, secure key negotiation, and encryption.

Due to the use of SSL/TLS, SSTP servers must be authenticated when a connection is established. SSTP clients can be optionally authenticated too.

General Technical Details About the SSTP VPN Protocol

  • SSTP uses TCP port 443 – the same port used by HTTPS traffic.
  • SSTP is often compared to OpenVPN thanks to the high level of security it offers, and the fact that it can bypass NAT firewalls.
  • SSTP doesn’t generally support site-to-site VPN tunnels. Instead, it supports roaming since it uses SSL transmissions.
  • SSTP only supports user authentication. The protocol doesn’t support device or computer authentication.

What Is Secure Socket Tunneling Protocol Service?

The “Secure Socket Tunneling Protocol Service” is a feature that was introduced with Windows Vista, and is also present on Windows 7, Windows 8, and Windows 10. Basically, it’s a service that offers support for the SSTP VPN protocol, allowing it to connect to remote devices through VPN connections. If the service is disabled, you won’t be able to access remote servers using the SSTP protocol.

You might also see that the “Secure Socket Tunneling Protocol Service” is related to the “SstpSvc.dll” file. You should avoid messing with that file or deleting it since it provides the SSTP service functionality on the Windows platform.

How Secure Is the SSTP Protocol?

Generally, SSTP encryption is considered relatively safe to use when you’re browsing the web. Many people even compare its security to the one offered by OpenVPN – most likely because it uses SSL and encapsulates data packets over HTTPS. What’s more, it can also use the AES encryption cipher, making it even safer.

However, it should be mentioned that there are two issues with SSTP:

1. It’s Susceptible to the “TCP Meltdown” Problem

Without getting too technical, that’s an issue that might occur with the TCP connection that’s created within the VPN tunnel, and takes places over the TCP transmission protocol. Basically, a TCP connection (the VPN one) contained within a TCP connection can result in a conflict between the two connections, which culminates in connectivity issues.

On its own, the “TCP Meltdown” problem isn’t really a huge security flaw with SSTP, but if you need round-the-clock online security or VPN encryption during critical moments (like when you’re downloading torrents, for example), it can be an annoying issue.

2. SSTP Is Owned by Microsoft

Another problem some people have with the SSTP VPN protocol is the fact that it’s closed-source and solely owned by Microsoft. While there is no evidence to showcase that SSTP was intentionally weakened or even cracked, it’s no secret that Microsoft has closely collaborated with the NSA in the past – even going as far as offering them access to encrypted messages.

What’s more, Microsoft belong to the PRISM surveillance program, and was even the program’s first partner. If you’re not familiar with PRISM, it’s a surveillance program run by the NSA which offers them access to emails, documents, and other user data that’s stored by major companies. So, it’s not far-fetched to think that the SSTP protocol might (emphasis on “might”) have been compromised by the NSA during or after development.

Overall, how good the security of the SSTP VPN protocol is solely depends on how much you trust Microsoft.

SSTP VPN Speed – What Should You Know?

SSTP offers decent online speeds most of the time, though you might encounter some slowdowns if you don’t have enough bandwidth or a relatively strong CPU. Don’t forget – SSTP uses pretty strong encryption, and that can lower your online speeds, especially if a powerful encryption cipher is used too.

Also, you should consider the fact that there are plenty of other factors that can influence the online speeds you get when using an SSTP VPN connection.

SSTP Advantages and Disadvantages

Advantages

  • SSTP encryption offers a decent level of security, almost on par with OpenVPN (SSL 3.0 + 256-bit encryption).
  • SSTP is easy to configure on platforms it is built into.
  • The SSTP VPN protocol is very difficult to block because it uses TCP port 443 (the same one HTTPS uses).
  • SSTP offers good speeds if you have enough bandwidth.

Disadvantages

  • SSTP is closed-source and solely owned by Microsoft, a company that is well known to collaborate with the NSA.
  • The SSTP protocol is available on a limited number of platforms – Windows, Linux, Android, and routers.
  • SSTP connections could be dropped if the network admin spots the SSTP header (which is possible to do since the protocol doesn’t support authenticated web proxies).
  • Since SSTP only works on TCP, it is susceptible to the “TCP Meltdown” issue.

What Is an SSTP VPN?

An SSTP VPN is a service offered by a VPN provider that gives you access to a ready-to-go SSTP VPN connection. Normally, you just need to download and install a VPN client, connect to a VPN server, and you’re good to go

Ideally, you shouldn’t stick to a VPN provider that only offers you access to the SSTP VPN protocol. It’s best to pick a provider who can offer you variety when it comes to choosing the VPN protocol you want to use.

Looking for a Reliable SSTP VPN Provider?

CactusVPN is exactly the service you need then. We offer highly-secured SSTP VPN connections – we use AES military-grade encryption, RSA-2048 handshake encryption, and the ECDHE key agreement protocol to secure your data. What’s more, we don’t keep any logs, so you get to enjoy 100% privacy with our service

Also, SSTP isn’t the only VPN protocol you can use when you access the web. We offer access to five other protocols as well: OpenVPN, SoftEther, IKEv2/IPSec, L2TP/IPSec and PPTP.

Enjoy VPN Connections on Tons of Devices

No matter what VPN protocol you want to use, our cross-platform compatible VPN applications have got you covered. What’s more, we designed them to be extremely user-friendly too.

CactusVPN app

Special Deal! Get CactusVPN for $3.5/mo!

And once you do become a CactusVPN customer, we’ll still have your back with a 30-day money-back guarantee.

Save 64% Now

SSTP Compared to Other VPN Protocols

Here’s an in-depth overview showcasing how good or bad the SSTP VPN protocol is compared to the other VPN protocols you can use:

SSTP vs. OpenVPN

Security-wise, both VPN protocols are decent options since they can use strong encryption keys and ciphers, and also use SSL 3.0. But unlike SSTP, OpenVPN is open-source and is not solely owned by Microsoft. That makes it easier for online users to trust that the protocol offers reliable security with no potential loopholes.

Besides that, OpenVPN can also use the UDP transmission protocol alongside the TCP one which is used by SSTP. As a result, you’re likely to get better online speeds with OpenVPN than with TCP. Also, OpenVPN isn’t susceptible to the “TCP Meltdown” issue mentioned above.

And while SSTP can’t really be blocked by firewalls easily since it uses port 443 just like OpenVPN (the HTTPS port), it does have one weakness – the fact that it doesn’t support authenticated web proxies. Why is that a problem? Well, if SSTP uses a non-authenticated web proxy, the administrator of a network could potentially detect SSTP headers. In that situation, they could drop the connection if they want to.

OpenVPN is also available on more platforms than SSTP. While it is convenient that SSTP is natively built into Windows operating systems, and thus can be easily set up, it can only be configured on routers, Android, and Linux. OpenVPN, on the other hand, can be set up on all those platforms, including many others (like Windows XP, macOS, iOS, FreeBSD, OpenBSD, Solaris, and NetBSD.

Oh, and OpenVPN could potentially be more stable than SSTP when it comes to network changes. That’s because OpenVPN has the “float” command, which could ensure OpenVPN connections don’t drop when you switch networks.

Want to read more about OpenVPN? Check out our in-depth article on it.

SSTP vs. IPSec

Both protocols offer a pretty good level of security, though you might have to be a bit more careful when configuring the IPSec protocol since it’s easier to mess up the protection it offers if it’s not configured properly. On the plus side, IPSec works on more platforms than SSTP, like macOS, Windows 2000, Solaris, FreeBSD, OpenBSD, and NetBSD.

Also, IPSec is much easier to block with a firewall than SSTP. Since SSTP uses TCP port 443 (the same port used by HTTPS), a network admin or ISP can’t really block it without also blocking all other online activities. IPSec traffic, on the other hand, can be blocked if the network admin or ISP blocks IP protocols 50 (which stops the Encapsulating Security Payload offered by IPSec) and 51 (which would stop the Authentication Header used by IPSec). The same can happen if port 500 is blocked since it’s the port used for IPSec’s Internet Security Association and Key Management Protocol (ISAKMP).

In terms of speed, there’s a chance that SSTP might be faster than IPSec because it can take IPSec longer to negotiate a VPN tunnel. A lot of online users have also been complaining, saying that IPSec tends to eat up a lot of resources – something that can further lower online speeds.

IPSec is normally paired with L2TP or IKEv2, but you might see VPN providers who offer IPSec as a protocol on its own. Overall, we’d recommend using SSTP over IPSec if possible.

In case you’d like to learn more about IPSec, follow this link.

SSTP vs. IKEv2/IPSec

If you’re mostly interested in security, you should know that both SSTP and IKEv2/IPSec offer a similar level of protection. IKEv2/IPSec might be a bit more trustworthy than SSTP, though, since it’s not solely owned by Microsoft. Instead, it was developed by Microsoft together with Cisco. Also, there are open-source implementations of IKEv2 available online.

In terms of cross-platform compatibility, IKEv2/IPSec has limited support just like SSTP, but it still has an advantage since it also works on iOS, macOS, and BlackBerry platforms.

As for speed and stability, IKEv2 might potentially be a bit faster than SSTP since it uses UDP, but it’s unfortunately also easier to block than SSTP because it only uses UDP port 500. If a network admin blocks it, IKEv2/IPSec traffic is blocked altogether. SSTP, however, uses TCP port 443, which is much harder to block. Still, IKEv2 has a very nice perk when it comes to stability – MOBIKE (IKEv2 Mobility and Multihoming), a feature that allows the protocol to seamlessly resist network changes without the connection being dropped.

In the end, IKEv2/IPSec is only a better option than SSTP if you use your mobile device a lot and travel often, or if you’d prefer an open-source alternative to SSTP that’s easy to set up on Windows platforms and BlackBerry devices.

If you’d like to read more about IKEv2/IPSec, check out this article.

SSTP vs. L2TP/IPSec

Generally, SSTP is a much more secure option than L2TP/IPSec, though it is worth mentioning that some online users have an easier time placing their trust in L2TP/IPSec because it’s not solely developed by Microsoft. However, L2TP/IPSec is easier blocked with a firewall than SSTP, making it overall less reliable.

In terms of connection speeds, L2TP/IPSec is inferior to SSTP because it uses double encapsulation – meaning it encrypts online traffic twice. There’s also a chance that L2TP/IPSec is more resource-intensive than SSTP.

On the other hand, L2TP/IPSec is available on more platforms than SSTP. What’s more, L2TP is even built into more devices and operating systems than SSTP, which is only built into Windows Vista and higher.

If you were to choose between SSTP and L2TP/IPSec, we’d say you’d be better off with SSTP.

In case you’re interested in learning more about L2TP, follow this link.

SSTP vs. PPTP

Both SSTP and PPTP have been developed by Microsoft, though PPTP was developed by Microsoft together with other companies. When it comes to security, SSTP surpasses PPTP because it offers better protection – especially since it has support for 256-bit encryption keys, while PPTP can only has support for 128-bit keys.

Normally, that wouldn’t be a huge issue for PPTP users, but the main problem is with PPTP’s own encryption – MPPE – which is very flawed. Also, it has been shown that the NSA can crack PPTP traffic.

The only way PPTP is better than SSTP is when it comes to speed and availability. Due to its poor encryption, PPTP offers very fast connections. Also, PPTP is natively built into many platforms, though it is worth mentioning that – due to the protocol’s poor security – it might not continue to be natively included in future operating systems and devices. For example, PPTP is no longer natively available on macOS Sierra and iOS 10 (and newer versions).

Interested in finding out more about PPTP and its security issues? Check out our article on it to learn more

SSTP vs. SoftEther

SSTP and SoftEther both seem to offer a decent level of security when it comes to high encryption and supported ciphers, but SoftEther is simply more trustworthy because it’s open-source and because it isn’t owned by a company that’s been known to collaborate with the NSA. Also, SoftEther has a wide variety of security features that make it even stronger.

Speed-wise, there’s a chance that SoftEther is faster than SSTP since it was programmed with fast throughput in mind. Also, SoftEther is allegedly 13 times faster than OpenVPN, and SSTP speeds are often considered to be on a similar level to OpenVPN connection speeds.

Now, it’s true that SoftEther might be more difficult or inconvenient to set up than SSTP. After all, SSTP is natively built into Windows platforms, so it can easily be configured with a few clicks. What’s more, if you use a third-party VPN service that offers SoftEther connections, you’ll still need to download and install the SoftEther software on your device.

On the other hand, SoftEther works on more platforms than SSTP, which is only available natively on Windows operating systems, and can be manually configured on routers, Android, and Linux. SoftEther works on all those platforms, and on other operating systems and devices like iOS, FreeBSD, Solaris, and macOS.

Another difference worth mentioning is the fact that the SoftEther VPN server actually offers support for the SSTP VPN protocol – alongside many other VPN protocols like OpenVPN, L2TP/IPSec, IPSec, and SoftEther. An SSTP VPN server doesn’t offer such flexibility.

Overall, SoftEther is a much better option than SSTP – especially if you are looking for an open-source alternative.

If you’d like to learn more about the SoftEther protocol, follow this link.

SSTP vs. WireGuard®

We believe both protocols can secure your data. But if you’re obsessed with privacy, stick with WireGuard. It’s open-source and not owned by Microsoft.

You shouldn’t experience random disconnects with either protocol. However, SSTP gets an extra point because network admins can’t easily block it. The protocol uses TCP port 443, which is the HTTPS port. WireGuard only uses UDP ports (a lot of them, though).

WireGuard is less resource-intensive than SSTP, so you’ll always get smoother speeds.

WireGuard actually works on more platforms since macOS and iOS don’t support SSTP out of the box.

If you want security, both protocols are decent options. But if you want security, guaranteed privacy, and speed, then stick to WireGuard.

Want to learn more about Wireguard? Check out this article.

Considering All That, Is the SSTP VPN Protocol a Good Choice?

Well, if you’re a Windows user and can’t use OpenVPN or SoftEther for various reasons, SSTP is the next best VPN protocol in terms of security and reliability. Of course, that depends on how much you trust the Microsoft corporation. If you’re not particularly worried about that aspect, though, SSTP could be a good choice then.

What Is SSTP? The Main Idea

SSTP is a VPN protocol that encrypts online communications between a VPN client and a VPN server. It’s generally considered as secure as OpenVPN, but many online users don’t trust it fully because it’s solely owned by Microsoft. Also, the protocol has limited cross-platform compatibility, only being natively available on Windows, and supporting configurations on Android, Linux, and routers.

Overall, SSTP is a good choice if you don’t mind the fact that it’s owned by Microsoft, and that it’s not open-source. We generally recommend using it only when OpenVPN or SoftEther are not valid options.

“WireGuard” is a registered trademark of Jason A. Donenfeld.

Posted on

Leave a Reply

Your email address will not be published. Required fields are marked *