A shame-list of popular or important websites which have not yet deployed HTTPS certificates by default.
Sites which may involve the transmission of very sensitive data, such as health or banking information, are marked with an ❗ to signal they should deploy HTTPS-by-default as soon as possible. If you are a popular website (such as those on the Alexa Top 500 Global Sites) which finds itself on this list - and you want to be removed - you can visit Let's Encrypt about transitioning to HTTPS. It's easy, free, and will help you learn how to protect your customers/ readers!
List now outdated, removed until further notice.
Q: What is HTTPS?
HTTPS, or HyperText Transfer Protocol (HTTP) + Secure Sockets Layer (SSL), is a TCP/IP protocol used by web servers to securely transfer and display content over the internet. While traditionally used mostly for websites hosting online transactions and customer banking data, HTTPS is now being deployed across a wide variety of websites even if no such sensitive data is involved, mainly for authentication purposes. HTTP is less secure as it transmits data as unencrypted plaintext, which can be viewed by anyone spying on the network traffic and is also vulnerable to a variety of malicious attacks.
Q: How do I connect to sites through HTTPS?
Initiatives like HTTPS Everywhere are trying to increase the ubiquity of HTTPS deployment. It works by automatically sending a request telling websites to activate that security feature if they've made it available. However if the site does not support HTTPS at all, the plugin can't create an HTTPS connection -- you will have to use the insecure HTTP version. Some sites may support HTTPS only on certain pages, establish redirects from HTTP to their HTTPS version, or only for text and not images. Also, be aware that the content or design of a website may be different depending on whether you're accessing it over HTTP or HTTPS.
Q: How can you tell if a website is HTTPS or HTTP?
If you install the HTTPS Everywhere browser plugin, you can set it to
Block all HTTP requests
, which will prevent you from visiting a site or webpage which does not support HTTPS. Or you can simply look at the lock icon next to the web address, which most browsers support.
A more expansive list of HTTPS implementation (or lack thereof) for U.S. government websites, per agency, can be found at Pulse. Steve wrote a few scripts to query the Alex Top 500, including a Python script to find pure-HTTP sites.
Want to help? Tweet HTTP sites @J9Roem with the hashtag #HTTPshame or via email to [email protected]!
Tried www.reuters.com today and it always seems to route to the https site - list needs an update?
Ideally this list should be updated automatically with a routinely run checking tool, static outdated lists like this can do more harm than good..
Suggest using the Google supplied lighthouse tool to do verifications.. https://developers.google.com/web/tools/lighthouse/
As for the sites to check, I guess Alexa is a good resource, otherwise whatever you consider important
Running as scheduled node app and posting a gist update would be a useful automated check in point for people..