TLS stripping attacks expose sensitive web traffic by forcing secure HTTPS connections to fall back to unencrypted HTTP. At present, protection against these attacks relies on website operators explicitly opting into security by deploying mechanisms such as HTTP Strict Transport Security (HSTS) headers. These mechanisms have significant limitations: some are weak or difficult to configure, which raises the risk of misconfiguration and reduces practical adoption; others violate HTTP backward compatibility; at least one can even be abused to enable unintended user tracking. We introduce HSTS-Enforced, a mechanism that eliminates the remaining attack surface for TLS stripping while still allowing operators to securely specify that their websites need to be accessed over HTTP when necessary, thereby maintaining accessibility. To achieve this, we flip the current opt-in security model to an opt-out model: all connections default to HTTPS, and operators can explicitly opt out if their websites require HTTP using so-called HTTP-Required indicators. We propose two such HTTP-Required indicators: a new DNS record and an HTTP-Required Preload list. We evaluate HSTS-Enforced under multiple deployment scenarios, demonstrating that it blocks all practical TLS stripping attempts while maintaining compatibility for sites that require HTTP - without introducing overhead in the typical case. Finally, we outline a practical transition path to accelerate global adoption.
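To make the opt-in versus opt-out distinction concrete, the following simulated browser navigation policy is an added example, not code from the paper: it contrasts classic HSTS (upgrade only hosts that previously opted in) with the HSTS-Enforced rule (upgrade every `http://` navigation unless an HTTP-Required indicator exists). The preload-list contents, the host names and the `fake_dns` lookup are constructed, and the example assumes the DNS answer is authenticated, since a spoofable HTTP-Required record would just reintroduce the stripping attack.

```python
# Added example: opt-in HSTS vs. opt-out HSTS-Enforced navigation policy.
# Not the paper's code; hosts, list contents and the DNS lookup are constructed.
from dataclasses import dataclass, field
from typing import Callable
from urllib.parse import urlsplit, urlunsplit


@dataclass
class BrowserState:
    hsts_cache: set = field(default_factory=set)             # hosts seen with an HSTS header (opt-in)
    http_required_preload: set = field(default_factory=set)  # HTTP-Required preload list (opt-out)


def classic_hsts(url: str, state: BrowserState) -> str:
    """Opt-in model: upgrade only hosts that earlier opted in via HSTS."""
    p = urlsplit(url)
    if p.scheme == "http" and p.hostname in state.hsts_cache:
        return urlunsplit(("https",) + tuple(p[1:]))
    return url


def hsts_enforced(url: str, state: BrowserState,
                  dns_http_required: Callable[[str], bool]) -> str:
    """Opt-out model: every http:// navigation is upgraded unless an
    HTTP-Required indicator (preload entry or DNS record) is present.
    The DNS lookup is assumed to be authenticated."""
    p = urlsplit(url)
    if p.scheme != "http":
        return url
    host = p.hostname or ""
    if host in state.http_required_preload or dns_http_required(host):
        return url                      # operator explicitly opted out
    return urlunsplit(("https",) + tuple(p[1:]))


# Constructed scenario: a first visit, so the HSTS cache is empty (the window a
# TLS-stripping attacker relies on), plus two legacy HTTP-only hosts.
STATE = BrowserState(http_required_preload={"legacy.example"})
DNS_HTTP_REQUIRED = {"intranet-printer.example"}   # hosts carrying the assumed DNS record


def fake_dns(host: str) -> bool:
    return host in DNS_HTTP_REQUIRED


def first_visit_outcomes() -> dict:
    """Map each URL to (classic HSTS result, HSTS-Enforced result)."""
    urls = ["http://bank.example/login", "http://legacy.example/",
            "http://intranet-printer.example/status", "https://bank.example/"]
    return {u: (classic_hsts(u, STATE), hsts_enforced(u, STATE, fake_dns)) for u in urls}
```

On a first visit, classic HSTS leaves the bank login over plain HTTP (strippable), while HSTS-Enforced upgrades it and still lets the two HTTP-Required hosts through unchanged.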