Insecure web still too prevalent: Boffins unveil HSTS wall of shame

How’s that migration to “HTTPS everywhere” going? With some Chrome browsers* now flagging insecure sites, there’s a lot of work still to do, according to security bods Troy Hunt and Scott Helme.

In particular, while some holdouts exist who haven’t applied HTTPS to their sites, many websites that people expect to be secure can be accessed insecurely because of HSTS (HTTP Strict Transport Security) configuration problems.

HSTS is a policy mechanism that allows a web server to enforce the use of TLS in browsers and other web agents. The mechanism was designed to protect websites against protocol downgrade attacks and cookie hijacking.

What started as “a fun way to spend an afternoon” with coffee, Hunt told Vulture South today, turned into a week-long project documenting the many ways in which HSTS configurations can unintentionally leave pages unencrypted, even when sites can present their SSL certificates.
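The configuration problems the article alludes to are typically visible in the Strict-Transport-Security header itself: no header at all on a host that redirects to HTTPS, a max-age too short to matter, no includeSubDomains so other hostnames stay reachable over plain HTTP, or a preload directive without the max-age and includeSubDomains that preloading requires. The checker below is an added example, not code from The Register, Troy Hunt or Scott Helme; the sample header values are constructed, and the one-year threshold is an assumption for this example (it matches what hstspreload.org requires for preload submission).

```python
"""Parse and audit Strict-Transport-Security headers.

Added example, not code from the article or its sources.
The sample responses at the bottom are constructed for illustration.
"""
import re

# Assumed threshold: hstspreload.org requires at least one year for preload.
ONE_YEAR = 31536000


def parse_hsts(header):
    """Return a dict of directives from an HSTS header value.

    Directive names are case-insensitive and separated by ';'. Valueless
    directives (includeSubDomains, preload) map to True; max-age is
    converted to an int when well-formed and to None when malformed.
    """
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        directives[name] = value if value else True
    if "max-age" in directives:
        if re.fullmatch(r"\d+", str(directives["max-age"])):
            directives["max-age"] = int(directives["max-age"])
        else:
            directives["max-age"] = None  # malformed, browsers ignore the header
    return directives


def audit_hsts(header, min_age=ONE_YEAR):
    """Return a list of findings for one header value (None means absent)."""
    findings = []
    if header is None:
        return ["no Strict-Transport-Security header: browser will accept plain HTTP"]
    d = parse_hsts(header)
    age = d.get("max-age")
    if "max-age" not in d or age is None:
        findings.append("max-age missing or malformed: header is ignored by browsers")
    elif age == 0:
        findings.append("max-age=0: policy is cleared, not enforced")
    elif age < min_age:
        findings.append(f"max-age={age} is shorter than {min_age}s")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains absent: subdomains can still be reached over HTTP")
    if "preload" in d and (age is None or age < ONE_YEAR or "includesubdomains" not in d):
        findings.append("preload present without the max-age/includeSubDomains it requires")
    return findings


def audit_all(responses):
    """Audit a mapping of hostname -> header value (or None) and return
    only the hosts that have findings."""
    return {host: f for host, hdr in responses.items() if (f := audit_hsts(hdr))}


# Constructed sample: header values as a scanner might record them per host.
SAMPLE_RESPONSES = {
    "www.example.test": "max-age=31536000; includeSubDomains; preload",
    "example.test": None,                       # apex host without HSTS
    "shop.example.test": "max-age=300",         # too short, no subdomains
    "api.example.test": "max-age=abc",          # malformed, ignored by browsers
}

if __name__ == "__main__":
    for host, findings in audit_all(SAMPLE_RESPONSES).items():
        print(host)
        for line in findings:
            print("  -", line)
```

Run as a script it prints the three problem hosts from the constructed sample; the fully configured www host produces no findings. In a real audit the header values would come from fetching each hostname over HTTPS, since browsers only honour the header on a secure connection.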

Read full news article on The Register
