The post Different Encryption Techniques in Java by @dhiraj825 opened with:
95% of HTTPS servers are vulnerable to trivial (Man In the Middle Attack) attacks.
I didn't want to hijack the whole post discussing this irrelevant line, so here's a separate topic about it.
I Googled this and it's indeed widely reported, but many of the posts are lacking in technical detail. What I think it comes down to is only 5% of sites in 2016ish sending HTTP Strict Transport Security headers.
If that's the case, do you feel it's fair to make the claim that
The way I understand HSTS, the first request is still insecure (ignoring addons and browser features that weren't standard in 2016). And an active MITM could strip the headers and keep the connection insecure. The window of opportunity is smaller, but it's there.
So, HSTS is great. But in my understanding, with or without HSTS, there's an http request happening sometime that can be hijacked. Therefore I claim that either all HTTPS sites are secure, or none are.
Am I wrong?
The line 95% is irrelevant for 2019. But there are many websites still using HTTPS with TLS 1.0 and it is insecure, as the BEAST attack and Lucky13 attack are evident with TLSv1.0.
Sébastien Portebois
Software architect at Ubisoft
You’re right, and that’s why HSTS preload-list has been started: to avoid that very first request in the first place.
But HSTS can be tricky to put in place (I love the feature, but don't make any mistake, otherwise it could be a nice way to shoot yourself in the shoe if for some reason some part of the site still needs plain http). I believe the focus on that very first request hijack can be greatly mitigated by using safer DNS. E.g., as a user, I feel more confident using DNSSEC and visiting https websites without HSTS, rather than visiting a few websites with old plain DNS which could be spoofed (in the same scenario of a MITM being able to act).
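To make the "first request" argument from the opening post and the preload-list answer concrete, here is an added example (not code from anyone in this thread): a parser for the Strict-Transport-Security header, a check of the header-side conditions the hstspreload.org form enforces, and a toy model of a browser's HSTS store that shows when a plain http:// navigation is upgraded before any request leaves the machine. The class and function names are my own; the model ignores includeSubDomains matching and the non-header preload requirements (valid certificate, https redirect).

```python
ONE_YEAR = 31536000  # hstspreload.org requires max-age of at least one year

def parse_hsts(header):
    """Parse a Strict-Transport-Security value into its RFC 6797 directives."""
    directives = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    max_age = directives.get("max-age", "")
    if not max_age.isdigit():
        return None  # no usable max-age: browsers ignore the header entirely
    return {
        "max_age": int(max_age),
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
    }

def preload_eligible(policy):
    """Header-side conditions for submission to the HSTS preload list."""
    return (policy is not None and policy["max_age"] >= ONE_YEAR
            and policy["include_subdomains"] and policy["preload"])

class HstsStore:
    """Toy browser HSTS store: hosts learned from headers plus a preload list."""

    def __init__(self, preload_list=()):
        self.learned = {}               # host -> expiry (seconds since epoch)
        self.preloaded = set(preload_list)

    def observe(self, host, header, now):
        """Record the policy a response over HTTPS carried for host."""
        policy = parse_hsts(header)
        if policy is None:
            return
        if policy["max_age"] == 0:
            self.learned.pop(host, None)  # max-age=0 tells the browser to forget
        else:
            self.learned[host] = now + policy["max_age"]

    def upgrades_http(self, host, now):
        """True if http://host is rewritten to https:// before any request is sent.

        False means the first navigation goes out as plaintext, which is the
        window the opening post describes; preloaded hosts never have it.
        """
        return host in self.preloaded or self.learned.get(host, 0) > now
```

Run `HstsStore().upgrades_http("site.example", 0)` for a never-visited host and it returns False; the same host after a preload entry or a fresh header returns True.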