5.3.1 Unauthorized Client Connecting to an SSTP Server
In this scenario, an unauthorized attacker poses as a valid SSTP client and tries to connect to a valid SSTP server. The HTTPS connection goes through because the server does not authenticate the client at the SSL/TLS layer. The connection MUST be terminated by the SSTP server at the PPP layer after determining that the client has no proper user credentials. For more information, see [RFC1661].
Figure 9: Unauthorized client connecting to an SSTP server
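The following is an added example, not part of the protocol specification. Because the SSL/TLS layer admits any client, the PPP authentication result is the first point at which an unauthorized client becomes visible; the Python code below checks connection events for sources with repeated PPP authentication failures and for connections that were not terminated after a failure. The log format, event names, addresses and thresholds are constructed assumptions for illustration, not the output of any real SSTP server.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (assumed format, not a real SSTP server log):
# timestamp, connection id, source address, event
SAMPLE_LOG = """\
2024-05-01T10:00:00 c1 198.51.100.7 tls_accepted
2024-05-01T10:00:02 c1 198.51.100.7 ppp_auth_failed
2024-05-01T10:00:02 c1 198.51.100.7 terminated
2024-05-01T10:00:10 c2 198.51.100.7 tls_accepted
2024-05-01T10:00:12 c2 198.51.100.7 ppp_auth_failed
2024-05-01T10:00:12 c2 198.51.100.7 terminated
2024-05-01T10:00:20 c3 198.51.100.7 tls_accepted
2024-05-01T10:00:22 c3 198.51.100.7 ppp_auth_failed
2024-05-01T10:00:30 c4 192.0.2.15 tls_accepted
2024-05-01T10:00:33 c4 192.0.2.15 ppp_auth_ok
2024-05-01T10:00:34 c3 198.51.100.7 data_forwarded
"""

def parse(log):
    """Yield (timestamp, connection id, source, event) in file order."""
    for line in log.splitlines():
        if line.strip():
            ts, conn, src, event = line.split()
            yield datetime.fromisoformat(ts), conn, src, event

def analyze(log, threshold=3, window=timedelta(minutes=5)):
    """Return (sources with repeated PPP failures, connections not terminated)."""
    failures = defaultdict(list)  # source -> recent failure timestamps
    failed_open = {}              # conn id -> source; failed, not yet terminated
    noisy, violations = set(), set()
    for ts, conn, src, event in parse(log):
        if event == "ppp_auth_failed":
            failed_open[conn] = src
            failures[src] = [t for t in failures[src] if ts - t <= window] + [ts]
            if len(failures[src]) >= threshold:
                noisy.add(src)
        elif event == "terminated":
            failed_open.pop(conn, None)
        elif conn in failed_open:
            # Activity after a PPP authentication failure: the server
            # did not terminate the connection as the text requires.
            violations.add(conn)
    # A failed connection with no later termination event is also a violation.
    violations.update(failed_open)
    return noisy, violations
```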