Attackers Can Hijack 95 Percent of All HTTPS Connections

JMH

Because server admins fail to properly set up HTTP Strict Transport Security (HSTS), a large amount of today's HTTPS traffic can be hijacked via trivial attacks.

HSTS is a Web security policy supported by most of today's Web browsers. HSTS helps webmasters protect their service and their users against HTTPS downgrades, man-in-the-middle attacks, and cookie hijacking for HTTPS connections.


One in twenty HTTPS connections is in danger

According to a recent Netcraft study, 95% of all of today's servers running HTTPS either fail to set up HSTS or come with configuration errors that open server-client connections to the above-listed attack scenarios.

What's more interesting is the fact that Netcraft has been running the same scan for the past three years, and proper HSTS usage has remained at the same levels.

This shows that webmasters aren't learning or being told that they've set up HSTS in an incorrect manner, or that they just don't care.
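As an added example (not part of the original post or the Netcraft study), the following audits a response's `Strict-Transport-Security` header for the kinds of setup errors the article alludes to. The checks follow RFC 6797; the function name, finding labels and the 180-day `min_age` floor are assumptions of this example.

```python
import re

TOKEN = r"[A-Za-z0-9!#$%&'*+.^_`|~-]+"
# directive = name [ "=" ( token | quoted-string ) ], per RFC 6797 section 6.1
DIRECTIVE = re.compile(rf'({TOKEN})(?:\s*=\s*(?:"([^"]*)"|({TOKEN})))?')

def audit_hsts(headers, scheme="https", min_age=15552000):
    """Return finding labels for one response; an empty list means none.

    headers: (name, value) pairs as received. min_age (180 days) and the
    finding labels are assumptions of this example, not from the article.
    """
    values = [v for n, v in headers if n.lower() == "strict-transport-security"]
    if not values:
        return ["missing"]
    if scheme != "https":
        return ["ignored-over-http"]   # browsers ignore HSTS sent over plain HTTP
    findings = ["multiple-headers"] if len(values) > 1 else []
    seen = {}
    for part in values[0].split(";"):  # only the first header is processed
        part = part.strip()
        if not part:
            continue
        m = DIRECTIVE.fullmatch(part)
        if not m:
            return findings + ["malformed-directive"]  # whole header is ignored
        name = m.group(1).lower()      # directive names are case-insensitive
        if name in seen:
            return findings + ["duplicate-directive"]
        seen[name] = m.group(2) if m.group(2) is not None else m.group(3)
    age = seen.get("max-age")
    if age is None or not re.fullmatch(r"[0-9]+", age):
        return findings + ["invalid-max-age"]  # max-age is the one required directive
    if int(age) == 0:
        findings.append("max-age-zero")        # tells the browser to drop the policy
    elif int(age) < min_age:
        findings.append("max-age-short")
    if "includesubdomains" not in seen:
        findings.append("no-includesubdomains")
    return findings

# Constructed sample responses, not taken from the Netcraft data.
SAMPLES = {
    "good": [("Strict-Transport-Security", "max-age=31536000; includeSubDomains")],
    "typo": [("Strict-Transport-Security", "maxage=31536000")],
    "comma": [("Strict-Transport-Security", "max-age=31536000, includeSubDomains")],
}
if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(label, audit_hsts(hdrs))
```

The simple split on `;` does not handle a semicolon inside a quoted directive value, which is rare in practice for this header.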