Why 95% of HTTPS Sites Are Vulnerable and How a One‑Line HSTS Setting Can Secure Them
A recent Netcraft study reveals that 95% of HTTPS servers lack proper HSTS configuration, exposing users to downgrade and MITM attacks, but adding a single Strict‑Transport‑Security header can automatically enforce HTTPS and protect browsers for up to a year.
What is HTTP Strict Transport Security (HSTS)
HSTS is a security policy, supported by modern browsers, that instructs a browser to communicate with a site only over HTTPS, mitigating HTTPS downgrade, man‑in‑the‑middle, and cookie‑hijacking attacks.
Prevalence of Misconfiguration
Recent Netcraft measurements show that roughly 95% of HTTPS‑enabled servers do not send a valid Strict-Transport-Security header or are missing other essential security settings. The same proportion was observed three years earlier, indicating that many administrators have still not adopted a proper HSTS configuration. A significant number of the affected sites belong to banks and other financial institutions.
Typical Attack Without HSTS
When HSTS is absent, an attacker positioned on the network path can force a user’s request to downgrade from HTTPS to plain HTTP or to a weaker cipher suite, and can then intercept or modify the traffic.
One‑Line Configuration
Adding a single header to the HTTPS server configuration enables HSTS:
Strict-Transport-Security: max-age=31536000;
The max-age value of 31,536,000 seconds (one year) tells browsers to remember, for that period, that the site must be accessed only via HTTPS. Once the header has been received, browsers automatically rewrite any manually entered http:// URL for the site to https:// before sending the request.
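As an added example (not code from the original article or from Netcraft), the following Python script shows how a site-hardening check would parse and evaluate a Strict-Transport-Security header along the lines of RFC 6797: directives are separated by semicolons, names are case-insensitive, max-age is mandatory, and a policy delivered over plain HTTP is ignored by browsers, so the header only helps when it is served on the HTTPS response. The one-year threshold, the finding texts and the sample responses are constructed for illustration; the includeSubDomains note is advisory and not part of the article's one-line recommendation.

```python
"""Added example: parse and evaluate Strict-Transport-Security headers.

Not part of the original article. Parsing follows RFC 6797 section 6.1;
the threshold, finding messages and sample responses are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ONE_YEAR = 31536000  # seconds; the max-age value the article recommends


@dataclass
class HstsPolicy:
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    errors: List[str] = field(default_factory=list)


def parse_hsts(value: str) -> HstsPolicy:
    """Split the header value into directives and validate them."""
    policy = HstsPolicy()
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue  # tolerate a trailing ';' like the article's example
        name, _, arg = directive.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        arg = arg.strip().strip('"')         # max-age may be a quoted-string
        if name in seen:
            policy.errors.append(f"duplicate directive: {name}")
            continue
        seen.add(name)
        if name == "max-age":
            if re.fullmatch(r"\d+", arg):
                policy.max_age = int(arg)
            else:
                policy.errors.append(f"invalid max-age value: {arg!r}")
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
        # unknown directives are ignored, as RFC 6797 requires
    if policy.max_age is None:
        policy.errors.append("max-age directive missing")
    return policy


def evaluate_hsts(scheme: str, headers: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Return (enforced, findings) for one response.

    enforced is True only when a valid policy with max-age > 0 was delivered
    over HTTPS; findings prefixed 'info:' are advisory rather than defects.
    """
    findings: List[str] = []
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if scheme != "https":
        # browsers discard HSTS headers received over plain HTTP
        findings.append("served over HTTP; browsers ignore any HSTS header here")
        return False, findings
    if value is None:
        findings.append("no Strict-Transport-Security header")
        return False, findings
    policy = parse_hsts(value)
    findings.extend(policy.errors)
    if policy.max_age is None or policy.errors:
        return False, findings
    if policy.max_age == 0:
        findings.append("max-age=0 disables HSTS and clears any cached policy")
        return False, findings
    if policy.max_age < ONE_YEAR:
        findings.append(f"max-age {policy.max_age} is below one year ({ONE_YEAR})")
    if not policy.include_subdomains:
        findings.append("info: includeSubDomains not set; subdomains are not covered")
    return True, findings


# Constructed sample responses (scheme, response headers); not real measurements
SAMPLES = {
    "no header": ("https", {"Content-Type": "text/html"}),
    "article one-liner": ("https", {"Strict-Transport-Security": "max-age=31536000;"}),
    "short max-age": ("https", {"strict-transport-security": "max-age=300"}),
    "served over http": ("http", {"Strict-Transport-Security": "max-age=31536000"}),
    "full policy": ("https", {"Strict-Transport-Security":
                              "max-age=63072000; includeSubDomains; preload"}),
}

if __name__ == "__main__":
    for label, (scheme, hdrs) in SAMPLES.items():
        enforced, findings = evaluate_hsts(scheme, hdrs)
        print(f"{label:18} enforced={enforced} {findings or ['OK']}")
```

Run as a script it prints one line per sample; the "served over http" case is the one practitioners most often miss when they add the header to a shared server block, since the policy is only cached by the browser when it arrives on an HTTPS response.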
Reference
Original report: http://news.softpedia.com/news/attackers-can-hijack-95-percent-of-all-https-connections-501924.shtml
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
ITPUB
Official ITPUB account sharing technical insights, community news, and exciting events.