Attackers Can Hijack 95 Percent of All HTTPS Connections

Exterminator

Exterminator

Community Manager
Thread author
Verified
Staff Member
Well-known
Oct 23, 2012
12,527
Content source
http://news.softpedia.com/news/attackers-can-hijack-95-percent-of-all-https-connections-501924.shtml
Because server admins fail to properly set up HTTP Strict Transport Security (HSTS), a large amount of today's HTTPS traffic can be hijacked via trivial attacks.

HSTS is Web security policy supported by most of today's Web browsers. HSTS helps webmasters protect their service and their users against HTTPS downgrades, man-in-the-middle attacks, and cookie hijacking for HTTPS connections.

One in twenty HTTPS connections is in danger
According to a recent Netcraft study, 95% of all of today's servers running HTTPS either fail to set up HSTS or come with configuration errors that open server-client connections to the above-listed attack scenarios.

What's more interesting is the fact that Netcraft has been running the same scan for the past three years, and proper HSTS usage has remained at the same levels.

This shows that webmasters aren't learning or being told that they've set up HSTS in an incorrect manner or that they just don't care.

The easiest attack scenario against these insecure sites is the HTTPS downgrade attack, during which attackers can choose multiple methods of forcing a seemingly secure HTTPS connection into using no encryption at all or a weaker certificate that can be attacked and broken later on.

According to security researchers, among those 95% sites that have failed to set up HSTS, you can find a lot of banks and websites that handle financial operations.

You can activate HSTS by adding one line in your server config
What's more mind-boggling is that implementing HSTS is done by adding one single line of code to a server's configuration.

Strict-Transport-Security: max-age=31536000;
This line makes the server tell browsers to access its content only via HTTPS connections, and it includes the maximum keep-alive value of one year.

When this setting is active, even if the user types in the "http://" prefix by hand in their URL bar, the browser will automatically change that to "https://" at the server's request.
Click to expand...
 
  • Like
Reactions: Noxx and harlan4096
H

hjlbx

"Most of the effective defences against MITM can be found only on router or server-side. You won’t be having any dedicated control over the security of your transaction."

Source: The Windows Club

There is little a home user can do to protect against some network attacks; it is the server Admin that can only ensure stronger protection.
 
XhenEd

XhenEd

Level 28
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 1, 2014
1,708
I hope this will be minimized through http/2 implementation. :)
 
M

Morvotron

Level 7
Verified
Mar 24, 2015
307
Guys in charge of big data centers or servers should really recieve the necessary training to avoid this kind of stuff. They usually leave it very easy..
 
You must log in or register to reply here.

Similar threads

M
Attackers exploiting new critical OpenMetadata vulnerabilities on Kubernetes clusters
Replies
1
Views
130
Microsoft Defender
Bot
Bot
CyberTech
    • +Reputation
    • Like
Atlassian warns of exploit for Confluence data wiping bug, get patching
Replies
0
Views
645
News Archive
CyberTech
CyberTech
silversurfer
    • Like
    • +Reputation
Researchers Link DragonEgg Android Spyware to LightSpy iOS Surveillanceware
Replies
0
Views
1,141
News Archive
silversurfer
silversurfer

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top