Makerere University


95% of HTTPS Servers Vulnerable to Trivial Connection Hijacking

With just 5 percent of web servers correctly implementing HTTP Strict Transport Security (HSTS), the remaining 95 percent are vulnerable to trivial connection hijacking attacks, research shows.

As Netcraft’s Paul Mutton explained in a recent blog post, these vulnerabilities can be exploited in phishing, pharming and man-in-the-middle (MiTM) attacks when a user unintentionally attempts to access a secure site via HTTP, meaning that the attacker does not have to spoof a valid TLS certificate to be successful. These attacks are easier to carry out than those targeting TLS, such as the DROWN attack.

TLS certificates allow browsers to verify that they communicate with the correct websites, thus making it difficult to hijack the connection. MiTM attacks against HTTPS services are difficult to carry out because the attacker can’t easily obtain a valid certificate for a domain they do not control and the victim receives a warning message from the browser if an invalid certificate is used.
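
To check whether a server's HSTS policy actually takes effect, the following added example (not from the article or from Netcraft) audits a Strict-Transport-Security header value against the parsing rules in RFC 6797. The function name audit_hsts and the 180-day warning threshold are assumptions made for this illustration.

```python
import re

# Threshold below which this example warns; an assumption, not an RFC 6797 value.
MIN_MAX_AGE = 15552000  # 180 days in seconds

def audit_hsts(header, scheme="https"):
    """Audit one Strict-Transport-Security value.

    Returns (effective, max_age, include_subdomains, problems).
    """
    problems, fatal = [], False
    if scheme != "https":
        # RFC 6797 section 8.1: the header is ignored on insecure transport.
        problems.append("sent over plain HTTP, so browsers ignore it")
        fatal = True
    if header is None:
        return False, None, False, problems + ["header missing"]
    seen = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name, value = name.strip().lower(), value.strip()
        if not name:
            continue  # empty directive, e.g. a trailing ';'
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]  # quoted-string form is allowed
        if name in seen:
            problems.append(f"duplicate directive {name}")
            fatal = True
        seen[name] = value
    max_age = None
    raw = seen.get("max-age")
    if raw is None or not re.fullmatch(r"[0-9]+", raw):
        problems.append("max-age missing or not a non-negative integer")
        fatal = True
    else:
        max_age = int(raw)
        if max_age == 0:
            problems.append("max-age=0 makes the browser drop the policy")
            fatal = True
        elif max_age < MIN_MAX_AGE:
            problems.append("max-age below the example threshold")
    include_sub = "includesubdomains" in seen
    if include_sub and seen["includesubdomains"]:
        problems.append("includeSubDomains must not carry a value")
        fatal = True
    return not fatal, max_age, include_sub, problems
```

Pass the header value exactly as the server returned it, together with the scheme of the response that carried it; a policy is only reported as effective when it arrived over HTTPS with a valid, non-zero max-age.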

For more on this story, read: 95% of HTTPS Servers Vulnerable to Trivial Connection Hijacking
