HSTS Preloading is Ineffective as a Long-Term, Wide-Scale MITM-Prevention Solution: Results from Analyzing the 2013 - 2017 HSTS Preload List
This study argues that HSTS preloading has not succeeded as a wide-scale defence for websites, particularly in essential sectors; it is an incremental analysis of an existing mechanism rather than the proposal of a new one.
The researchers analyzed the HSTS preload list from 2013 to 2017 to assess its effectiveness in preventing man-in-the-middle attacks, finding that adoption was nearly nonexistent in critical industries like finance and that many entries were test sites or nonfunctional.
HSTS (HTTP Strict Transport Security) protects websites from certain attacks by letting a web server instruct browsers, through a response header, that it must only be reached over HTTPS. Because the browser learns this policy only from a response it has already received, the first connection to a site (and any connection made after the cached policy has expired) can still go over plain HTTP, where an active attacker can intercept it or strip the upgrade to HTTPS. The HSTS preload list, now supported by most major browsers, is an attempt to close this initial gap by compiling the set of HTTPS-only hosts into the browser itself, so the policy applies before the site is ever contacted. In this study, the researchers analyzed the HSTS preload list to see the status of its deployment and industry acceptance as of December 2017. The findings paint a bleak picture: adoption of the HSTS preload list seems to be practically nil for essential industries like finance, and a significant percentage of entries are test sites or nonfunctional.
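The following is an added illustration, not code from the paper: a small model of how a browser decides whether to upgrade a request, with a static preload list next to the dynamic cache it fills from Strict-Transport-Security headers. It shows the gap the paragraph describes (a host not on the list is fetched over plain HTTP on first visit) and how a preloaded host is upgraded before any response has been seen. It also checks a header against the three header requirements hstspreload.org publishes for submission (max-age of at least one year, includeSubDomains, and the preload directive). All hosts, headers and preload entries are constructed; the preload entries mimic the shape of Chromium's JSON list, and the `Browser` class and its methods are this example's own names.

```python
"""Added example: a minimal model of browser HSTS handling plus a preload
eligibility check.  Every host, header and preload entry here is constructed."""

ONE_YEAR = 31536000  # seconds; the minimum max-age hstspreload.org accepts


def parse_hsts(header: str) -> dict:
    """Parse a Strict-Transport-Security header value into its directives.
    Directive names are case-insensitive (RFC 6797); max-age becomes an int."""
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                raise ValueError(f"invalid max-age: {value!r}")
            directives[name] = int(value)
        else:
            directives[name] = True
    return directives


def preload_problems(header: str) -> list:
    """Reasons the header alone would fail hstspreload.org's header checks.
    (The site must additionally serve HTTPS and redirect HTTP to HTTPS,
    which a header string cannot demonstrate.)"""
    d = parse_hsts(header)
    problems = []
    if "max-age" not in d:
        problems.append("missing max-age")
    elif d["max-age"] < ONE_YEAR:
        problems.append(f"max-age {d['max-age']} < {ONE_YEAR}")
    if "includesubdomains" not in d:
        problems.append("missing includeSubDomains")
    if "preload" not in d:
        problems.append("missing preload")
    return problems


class Browser:
    """Static preload list plus a dynamic HSTS cache learned from headers."""

    def __init__(self, preload_entries):
        # Constructed entries in the shape of Chromium's list:
        # {"name": host, "mode": "force-https", "include_subdomains": bool}
        self.preload = {e["name"]: bool(e.get("include_subdomains"))
                        for e in preload_entries if e.get("mode") == "force-https"}
        self.dynamic = {}  # host -> (expires_at, include_subdomains)

    def observe_header(self, host, header, now):
        """Record a header received over HTTPS (headers seen over plain HTTP
        must be ignored; the caller is responsible for that distinction)."""
        d = parse_hsts(header)
        if "max-age" not in d:
            return
        if d["max-age"] == 0:            # max-age=0 deletes the cached policy
            self.dynamic.pop(host, None)
            return
        self.dynamic[host] = (now + d["max-age"], "includesubdomains" in d)

    def is_hsts_host(self, host, now):
        """Exact match always counts; a parent domain counts only if it set
        includeSubDomains.  Expired dynamic entries are ignored."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            exact = (i == 0)
            if candidate in self.preload and (exact or self.preload[candidate]):
                return True
            entry = self.dynamic.get(candidate)
            if entry and entry[0] > now and (exact or entry[1]):
                return True
        return False

    def request_url(self, url, now):
        """Return the URL the browser would actually fetch."""
        scheme, _, rest = url.partition("://")
        host = rest.split("/", 1)[0].split(":")[0]
        if scheme == "http" and self.is_hsts_host(host, now):
            return "https://" + rest
        return url


def demo():
    """First visit to a non-preloaded host leaks over HTTP; a preloaded host
    is upgraded before any response has been seen."""
    browser = Browser([{"name": "bank.example", "mode": "force-https",
                        "include_subdomains": True}])
    t = 1_700_000_000
    first = browser.request_url("http://shop.example/login", t)        # the gap
    browser.observe_header("shop.example",
                           "max-age=31536000; includeSubDomains; preload", t)
    second = browser.request_url("http://shop.example/login", t + 10)  # upgraded
    preloaded = browser.request_url("http://www.bank.example/", t)      # upgraded
    return first, second, preloaded


if __name__ == "__main__":
    print(demo())
    print(preload_problems("max-age=300"))
```

The parent-domain walk in `is_hsts_host` is what makes `includeSubDomains` matter: without it, a preload entry for `bank.example` would leave `www.bank.example` unprotected, which is one reason the submission form requires the directive.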