Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Share Post: Reddit Facebook
Attackers Can Hijack 95 Percent of All HTTPS Connections
#1
Supporting HSTS is easier than you'd think

Because server admins fail to properly set up HTTP Strict Transport Security (HSTS), a large amount of today's HTTPS traffic can be hijacked via trivial attacks.

HSTS is Web security policy supported by most of today's Web browsers. HSTS helps webmasters protect their service and their users against HTTPS downgrades, man-in-the-middle attacks, and cookie hijacking for HTTPS connections.

One in twenty HTTPS connections is in danger

According to a recent Netcraft study, 95% of all of today's servers running HTTPS either fail to set up HSTS or come with configuration errors that open server-client connections to the above-listed attack scenarios.

What's more interesting is the fact that Netcraft has been running the same scan for the past three years, and proper HSTS usage has remained at the same levels.

This shows that webmasters aren't learning or being told that they've set up HSTS in an incorrect manner or that they just don't care.

The easiest attack scenario against these insecure sites is the HTTPS downgrade attack, during which attackers can choose multiple methods of forcing a seemingly secure HTTPS connection into using no encryption at all or a weaker certificate that can be attacked and broken later on.

According to security researchers, among those 95% sites that have failed to set up HSTS, you can find a lot of banks and websites that handle financial operations.

You can activate HSTS by adding one line in your server config

What's more mind-boggling is that implementing HSTS is done by adding one single line of code to a server's configuration.

  
Code:
  Strict-Transport-Security: max-age=31536000;

This line makes the server tell browsers to access its content only via HTTPS connections, and it includes the maximum keep-alive value of one year.

When this setting is active, even if the user types in the "http://" prefix by hand in their URL bar, the browser will automatically change that to "https://" at the server's request.

SOURCE
Reply
#2
thanks for the post
Reply


Possibly Related Threads…
Thread Author Replies Views Last Post
  Ransomware attackers introduce new EDR killer to their arsenal dhruv2193 0 485 08-16-2024 , 03:17 PM
Last Post: dhruv2193
  Hackers Breach University of Manchester; School Says Attackers Likely Copied Data mrtrout 0 986 06-12-2023 , 10:39 PM
Last Post: mrtrout
  New macOS zero-day bug lets attackers run commands remotely mrtrout 0 793 09-21-2021 , 09:48 PM
Last Post: mrtrout
  61 percent of employees fail basic cybersecurity quiz Bjyda 0 1,096 04-13-2021 , 05:06 PM
Last Post: Bjyda
  SolarWinds Attackers Accessed DHS Secretary’s Emails — Report Bjyda 0 1,063 03-31-2021 , 09:38 PM
Last Post: Bjyda



Users browsing this thread: 1 Guest(s)