A large amount of today’s HTTPS traffic can be hijacked through trivial attacks. If the server admin fails to set up the HTTP Strict Transport Security (HSTS) properly, then the HTTPS traffic becomes very prone to hijacking.

HSTS is the one of the most widely accepted Web security policy which is currently supported by almost all Web browsers. HSTS helps the server admins to protect their users and themselves against the man-in-the-middle attacks, HTTPS downgrades and cookie hijacking for HTTPS connections.

A recent study from Netcraft suggests that about one in twenty, i.e., about 95% of all the servers running HTTPS currently fail to set up the HSTS properly or have some configuration errors which makes the server-client connections a victim to these attacks easily.


It would be interesting to note that Netcraft has been doing the same scan for the past three years and the HSTS usage level has surprisingly stayed almost stagnant which clearly indicates that the webmasters aren’t learning or that they just don’t care to set up HSTS properly. This is indeed alarming and the webmasters need to rectify this soon.

One of the easiest attack scenario on these servers is the HTTPS downgrade attack. During these attacks, attackers can use various methods to force a seemingly secure HTTPS connection using no encryption at all. They can even use a weaker certificate which can be attacked and broken later.

Even more surprisingly, among this 95% of the sites which don’t set up HSTS properly, many are that of banks and other financial institutions which handle a lot of financial operations every day.

It seems even more ironical considering the fact implementing HSTS is extremely easy. You can easily activate HSTS by just adding one line of code in your server configuration:

    Strict-Transport-Security: max-age=31536000;

This code tells the browser to access the contents only via HTTPS connections and it has a maximum keep-alive value of one year. This makes sure that even when the users type ‘http://’ prefix by themselves in the address bar, the browser will automatically convert the prefix to ‘https://’ at the server’s request, thus making it more immune to these attacks.