Even with HSTS enabled on a website, there is still a small opportunity for attacks when the browser visits the website for the first time and doesn't have an HSTS policy saved for it. At that point an attacker could block it from reaching the HTTPS version of the site and could force the connection to use HTTP.
In order to address this, browsers such as Chrome and Firefox come with pre-loaded lists of popular websites for which HSTS is enforced by default.
According to SSL Pulse, a project that monitors HTTPS implementations on the world's most visited websites, only around 1,700 out of the top 180,000 HTTPS-enabled websites support HSTS.
In addition to the overall HSTS adoption rate being low, some of the websites that do support the feature have implementation issues, Ristic said.
For example, some of them specify a very short validity period -- also known as the time to live -- for their HSTS policies. For HSTS to be useful, these records should be valid for days, if not months, he said.
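A small checker for the short-validity problem described above, added here as an illustration rather than code from the article or from SSL Pulse. It parses a Strict-Transport-Security header value using the directive syntax from RFC 6797 and flags policies that browsers would ignore or that expire too quickly; the one-day threshold and the function names are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

# Assumed lower bound below which a policy is reported as too short.
# The article only says policies should last "days, if not months".
MIN_MAX_AGE = 24 * 60 * 60  # one day, in seconds


@dataclass
class HstsPolicy:
    max_age: Optional[int]       # None if the directive is missing
    include_subdomains: bool
    preload: bool


def parse_hsts(header: str) -> HstsPolicy:
    """Parse one Strict-Transport-Security header value.

    Directives are separated by ';', names are case-insensitive,
    values may be quoted, and unknown directives are ignored.
    """
    max_age = None
    include_subdomains = False
    preload = False
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                raise ValueError(f"invalid max-age value: {value!r}")
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    return HstsPolicy(max_age, include_subdomains, preload)


def audit_hsts(header: str) -> List[str]:
    """Return findings for a header value; an empty list means no issue."""
    findings = []
    policy = parse_hsts(header)
    if policy.max_age is None:
        # RFC 6797 requires max-age; without it browsers ignore the header.
        findings.append("no max-age directive: header is invalid and browsers ignore it")
    elif policy.max_age == 0:
        findings.append("max-age=0: clears any stored policy for this host")
    elif policy.max_age < MIN_MAX_AGE:
        findings.append(f"max-age={policy.max_age}s is below the {MIN_MAX_AGE}s minimum")
    return findings
```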
Ristic doesn't believe that HSTS becoming an official standard will necessarily drive adoption numbers up. Website operators have traditionally been opportunistic and have implemented whatever worked for them, regardless of whether it was a standard or not, he said.
"I think the biggest problem with HSTS is education," Ristic said. "People need to learn that it exists."
Popular websites that support HSTS at the moment include PayPal, Twitter and various Google services. Facebook is in the process of deploying always-on HTTPS across its website, but doesn't support HSTS yet.