HSTS Preloading is Ineffective as a Long-Term, Wide-Scale MITM-Prevention Solution: Results from Analyzing the 2013 - 2017 HSTS Preload List
JV Roig, Eunice Grace Gatdula

TL;DR
This study analyzes the HSTS preload list from 2013 to 2017 and finds it ineffective as a long-term, large-scale solution for preventing man-in-the-middle attacks, especially in critical industries.
Contribution
It provides an empirical analysis of the deployment and acceptance of the HSTS preload list over several years, highlighting its limitations and industry adoption issues.
Findings
Low adoption in critical industries like Finance
Many entries are test sites or nonfunctional
Preload list deployment remains limited and ineffective
Abstract
HSTS (HTTP Strict Transport Security) serves to protect websites from certain attacks by allowing web servers to inform browsers, via a response header, that only secure HTTPS connections should be used. However, this still leaves the first connection, made before the browser has ever seen the header, unsecured and vulnerable to man-in-the-middle attacks. The HSTS preload list, now supported by most major browsers, is an attempt to close this initial vulnerability by shipping the policy inside the browser itself. In this study, the researchers analyzed the HSTS preload list to see the status of its deployment and industry acceptance as of December 2017. The findings show a bleak picture: adoption of the HSTS Preload List seems to be practically nil for essential industries like Finance, and a significant percentage of entries are test sites or nonfunctional.
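The abstract describes the two halves of the mechanism the paper examines: the Strict-Transport-Security header a server sends, and the preload list that browsers ship so the policy applies before that header is ever seen. The following Python is an added example, not code from the paper or its authors. It checks a header value against the submission rules published at hstspreload.org (max-age of at least one year, includeSubDomains, and the preload directive), and it summarises a preload list in the shape of Chromium's transport_security_state_static.json (JSON preceded by `//` comment lines, with per-entry `mode`, `include_subdomains` and `policy` fields). The three list entries are constructed for illustration; the `.test` names are not real preloaded domains.

```python
"""Added example: check HSTS headers for preload eligibility and summarise a
preload-list snippet.  Not the paper's code; the sample list is constructed."""
import json
from collections import Counter

# hstspreload.org submission rules: max-age >= 1 year, includeSubDomains, preload.
PRELOAD_MIN_MAX_AGE = 31536000


def parse_hsts(header: str) -> dict:
    """Parse a Strict-Transport-Security value into {directive: value}.
    Directive names are case-insensitive (lowercased here); a directive given
    without '=' maps to True.  RFC 6797 says the first occurrence wins if a
    directive is repeated, so setdefault() keeps the first one."""
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        directives.setdefault(name.strip().lower(),
                              value.strip().strip('"') if sep else True)
    return directives


def preload_problems(header: str) -> list:
    """Return the reasons a header would be rejected for preloading.
    An empty list means it meets the documented requirements."""
    d = parse_hsts(header)
    problems = []
    max_age = d.get("max-age")
    if not isinstance(max_age, str) or not max_age.isdigit():
        problems.append("missing or malformed max-age")
    elif int(max_age) < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age {max_age} below required {PRELOAD_MIN_MAX_AGE}")
    if "includesubdomains" not in d:
        problems.append("missing includeSubDomains")
    if "preload" not in d:
        problems.append("missing preload directive")
    return problems


# Constructed sample in the shape of Chromium's transport_security_state_static.json.
# The third entry imitates an old pin-only record: it carries no "mode", so the
# browser does not force HTTPS for it even though the name is "on the list".
SAMPLE_LIST = """\
// constructed sample, not the real list
{
  "entries": [
    { "name": "example-bank.test", "policy": "custom", "mode": "force-https", "include_subdomains": true },
    { "name": "staging.example.test", "policy": "bulk-1-year", "mode": "force-https", "include_subdomains": true },
    { "name": "pinned-only.test", "policy": "custom", "pins": "google", "include_subdomains": false }
  ]
}
"""


def load_preload_list(text: str) -> list:
    """Strip the //-comment lines Chromium keeps in the file, then return the
    'entries' array."""
    body = "\n".join(line for line in text.splitlines()
                     if not line.lstrip().startswith("//"))
    return json.loads(body)["entries"]


def summarise(entries: list) -> dict:
    """Count how many listed names actually force HTTPS, how many cover
    subdomains, and how entries split by policy bucket."""
    return {
        "total": len(entries),
        "force_https": sum(1 for e in entries if e.get("mode") == "force-https"),
        "include_subdomains": sum(1 for e in entries if e.get("include_subdomains")),
        "by_policy": dict(Counter(e.get("policy", "unknown") for e in entries)),
    }


if __name__ == "__main__":
    for hdr in ("max-age=31536000; includeSubDomains; preload", "max-age=86400"):
        print(repr(hdr), "->", preload_problems(hdr) or "eligible")
    print(summarise(load_preload_list(SAMPLE_LIST)))
```

When run against a full copy of the Chromium list rather than the constructed snippet, the `force_https` versus `total` gap and the `by_policy` breakdown are the kind of counts the paper uses to argue that "listed" and "protected" are not the same thing; the header check is what a site should pass before submitting, since a short max-age or a missing includeSubDomains is rejected at submission time.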
Taxonomy
Topics: Web Application Security Vulnerabilities · Spam and Phishing Detection · Network Security and Intrusion Detection
