Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
A shame-list of popular websites which have not yet deployed HTTPS certificates

HTTPS vs HTTP

HTTPShame

A shame-list of popular or important websites which have not yet deployed HTTPS certificates by default.

Sites which may involve the transmission of very sensitive data, such as health or banking information, are marked with an ❗️ to signal they should deploy HTTPS-by-default as soon as possible. If you are a popular website (such as those on the Alexa Top 500 Global Sites) which finds itself on this list - and you want to be removed - you can visit Let's Encrypt about transitioning to HTTPS. It's easy, free, and will help you learn how to protect your customers/ readers!

List now outdated, removed until further notice.

Q: What is HTTPS?

HTTPS, or HyperText Transfer Protocol (HTTP) + Secure Sockets Layer (SSL), is a TCP/IP protocol used by web servers to securely transfer and display content over the internet. While traditionally used mostly for websites hosting online transactions and customer banking data, HTTPS is now being deployed across a wide variety of websites even if no such sensitive data is involved, mainly for authentication purposes. HTTP is less secure as it transmits data as unencrypted plaintext, which can be viewed by anyone spying on the network traffic and is also vulnerable to a variety of malicious attacks.

Q: How do I connect to sites through HTTPS?

Initiatives like HTTPS Everywhere are trying to increase the ubiquity of HTTPS deployment. It works by automatically sending a request telling websites to activate that security feature if they've made it available. However if the site does not support HTTPS at all, the plugin can't create an HTTPS connection -- you will have to use the insecure HTTP version. Some sites may support HTTPS only on certain pages, establish redirects from HTTP to their HTTPS version, or only for text and not images. Also, be aware that the content or design of a website may be different depending on whether you're accessing it over HTTP or HTTPS.

Q: How can you tell if a website is HTTPS or HTTP?

If you install the HTTPS Everywhere browser plugin, you can set it to Block all HTTP requests, which will prevent you from visiting a site or webpage which does not support HTTPS. Or you can simply look at the lock icon next to the web address, which most browsers support.

A more expansive list of HTTPS implementation (or lack thereof) for U.S. government websites, per agency, can be found at Pulse. Steve wrote a few scripts to query the Alex Top 500, including a Python script to find pure-HTTP sites.

HTTPS secure

Want to help? Tweet HTTP sites @J9Roem with the hashtag #HTTPshame or via email to einzelgaengerin@tutanota.de! Donate: 1PytMk24QZB147N9oW1jA6AhAoSsyqLhkB

@elvey

This comment has been minimized.

Copy link

commented Oct 5, 2016

Cool site. One could import or incorporate by reference: https://pulse.cio.gov/data/domains/https.csv which is a list of US Federal Government sites and whether or not they're doing HTTPS by default, at all, etc. Quite similar to HTTPShame!

@Enegnei

This comment has been minimized.

Copy link
Owner Author

commented Oct 6, 2016

Thanks! I will add them.

@andrewnicolalde

This comment has been minimized.

Copy link

commented Dec 24, 2017

Amazon now uses HTTPS on every website they operate.

@robertg1

This comment has been minimized.

Copy link

commented Feb 22, 2018

all the "coin" websites are now https

@robertg1

This comment has been minimized.

Copy link

commented Feb 22, 2018

@bichotll

This comment has been minimized.

Copy link

commented Mar 9, 2018

The list should be updated as many already use https

@vuongggggg

This comment has been minimized.

Copy link

commented Mar 25, 2018

Aliexpress has updated HTTPS

@GhostFace0621

This comment has been minimized.

Copy link

commented Mar 25, 2018

I just went to Amazon to check if they support HTTPS and I can confirm that they do in fact support it even if you're not checking out.
capture

EDIT
Actually, I just checked a whole bunch of these websites that you guys posted. This list needs to be updated lol.

@rriemann

This comment has been minimized.

Copy link

commented Apr 19, 2018

Yes, many pages have https now. Cannot we have a script checking it for us? Curl could do the job I guess.

@Moirraine1

This comment has been minimized.

Copy link

commented May 17, 2018

This list needs to be updated, many that weren't, now are secure.

@WuerfelDev

This comment has been minimized.

Copy link

commented Jun 23, 2018

Shame that https://tools.pingdom.com/ gives grade F for redirecting to https
image

@maximousblk

This comment has been minimized.

Copy link

commented Jun 26, 2018

UPDATE YOUR LIST

Even pornhub is now https secure!

@ianbarnett8

This comment has been minimized.

Copy link

commented Jul 8, 2018

Tried www.reuters.com today and it always seems to route to the https site - list needs an update?
Ideally this list should be updated automatically with a routinely run checking tool, static outdated lists like this can do more harm than good..

Suggest using the Google supplied lighthouse tool to do verifications.. https://developers.google.com/web/tools/lighthouse/
As for the sites to check, I guess Alexa is a good resource, otherwise whatever you consider important
Running as scheduled node app and posting a gist update would be a useful automated check in point for people..

@connect192168

This comment has been minimized.

Copy link

commented Jul 31, 2018

suggested update for the list:

Just link to https://whynohttps.com/

It shows an up-to-date list of the most popular sites (according to alexa internet ranking) that don't have https.
The site gets updated at least twice every 24 hours (not sure exactly how often it does get updated, but I know it's at least that often).

@ghost

This comment has been minimized.

Copy link

commented Dec 20, 2018

The purpose of HTTPS connections is to encrypt dynamic pages where user data is transmitted between the server and the client. Static web pages that do not transmit, request nor display any kind of user data should not be forced to use encryption, because it is NOT necessary! It is stupid. Forcing websites to use HTTPS is like forcing all drivers to put chain on their tires even in countries that never have snow or freezing just because some dictator came up with an idea that all cars MUST have chains on their tires.

HTTPS IS NOT ALWAYS NECESSARY. COMPRENDE?

@ghost

This comment has been minimized.

Copy link

commented Dec 20, 2018

I would appreciate if the designers of GitHub, instead of saying, "Please note that GitHub no longer supports your web browser. We recommend upgrading to the latest Google Chrome or Firefox" would instead learn how to create a good website, one that is compatible with all browsers. I am sure this website, like others, includes bells and whistles nobody cares about, but they make many people unable to use the site. So far it is operating fine on Google Chrome 45, but I would appreciate if that browser warning would go away at the top. No, I am not going to upgrade my browser. Stop asking me. You either learn to make a website that is compatible with my browser, or I'll stop using this site entirely. It's up to you.

@Luxcium

This comment has been minimized.

Copy link

commented Apr 10, 2019

@notedrop37 it's not because one believes the earth is flat that they can't rely on the GPS system... ask @kaycebasques he will probably say that all websites should be protected with HTTPS, even if they don’t handle sensitive communications. Aside from providing critical security and data integrity for both any websites and their users' personal information, HTTPS is a requirement for many new browser features.

TL;DR:

  • Intruders both malignant and benign exploit every unprotected resource between websites and users.
  • Many intruders look at aggregate behaviours to identify users.
  • HTTPS doesn't just block misuse of your website. It's also a requirement for many cutting-edge features and an enabling technology for app-like capabilities such as service workers.

Source: Why HTTPS Matters
By: Kayce Basques
Technical Writer, Chrome DevTools & Lighthouse

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.