HTTPS Watch

136 points by kingkilr, more than 10 years ago

16 comments

ggreer, more than 10 years ago
The current ratings seem too simplistic and strict. I think a better rating system would be:

1. None. Not listening on https.
2. Bad. Invalid cert or broken cipher suites.
3. Ok. Valid cert and good cipher suites, but no redirection to https.
4. Good. Http redirects to https.
5. Great. Redirects to https and sets HSTS header.
6. Amazing. In browser HSTS preload lists.

It may make sense to change the criteria as sites improve, but that list seems sane today. I'd also recommend using letter grades (A+, A, B, C, D, F), but that might cause confusion with SSL Labs[1].

[1] https://www.ssllabs.com/ssltest/
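
An added example, not part of ggreer's comment or of HTTPS Watch itself: the six tiers proposed above, applied to per-site probe observations. The `Probe` fields and function names are assumptions of this example, as is treating the tiers as cumulative and an HSTS header with `max-age=0` as no HSTS at all.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional
from urllib.parse import urlsplit

class Rating(IntEnum):
    NONE = 1     # not listening on https
    BAD = 2      # invalid cert or broken cipher suites
    OK = 3       # valid cert and good ciphers, no redirect to https
    GOOD = 4     # http redirects to https
    GREAT = 5    # redirect plus HSTS header
    AMAZING = 6  # in browser HSTS preload lists

@dataclass
class Probe:  # hypothetical record of what a scanner observed for one site
    https_listening: bool
    cert_valid: bool = False
    ciphers_ok: bool = False
    http_status: Optional[int] = None    # status of the plain-http response
    http_location: Optional[str] = None  # Location header of that response
    hsts_header: Optional[str] = None    # Strict-Transport-Security value seen on https
    preloaded: bool = False              # host present in a preload list

def hsts_max_age(header):
    # Directive names are case-insensitive; the value may be a quoted string.
    for directive in (header or "").split(";"):
        name, _, value = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            value = value.strip().strip('"')
            return int(value) if value.isdigit() else 0
    return 0

def redirects_to_https(p):
    is_redirect = p.http_status in (301, 302, 303, 307, 308)
    return is_redirect and urlsplit(p.http_location or "").scheme == "https"

def rate(p):
    if not p.https_listening:
        return Rating.NONE
    if not (p.cert_valid and p.ciphers_ok):
        return Rating.BAD
    if not redirects_to_https(p):
        return Rating.OK
    if hsts_max_age(p.hsts_header) <= 0:  # max-age=0 clears the policy
        return Rating.GOOD
    return Rating.AMAZING if p.preloaded else Rating.GREAT

# Constructed sample: redirects to https but sends an HSTS header that clears the policy.
SAMPLE = Probe(True, True, True, 301, "https://example.test/", "max-age=0; includeSubDomains")
```
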
theVirginian, more than 10 years ago
I was looking forward to a smartwatch that somehow made use of https. Now I feel like an idiot.
hughes, more than 10 years ago
I would love to see a list of financial institutions included. I checked www.bankofamerica.com and secure.bankofamerica.com on SSL Labs and found both to have identical (B-grade) security.
benguild, more than 10 years ago
I think this is a really good idea. I mean, today to most people the measure of whether or not a site is “secure” is just whether or not the lock icon displays when they’re browsing.

An actual “public shaming” of sites with bad security is probably all that’s effective at this point.
rocky1138, more than 10 years ago
Is there a search engine which returns only results which themselves use https?
markbao, more than 10 years ago
I'm curious why this lists but few of the Alexa top 10, such as Google, Yahoo!, Facebook, Twitter, and others. The first two are mega-sites and only the root domain would count most likely, but social sites constitute a lot of communication. (Even better would be to say whether app connections are secure, such as knowing whether Snapchat connections are over TLS or not, though that's probably out of scope.)
kyhwana2, more than 10 years ago
NZ version: https://httpswatch.nz/
christop, more than 10 years ago
I always find it slightly weird, when reading Snowden-related articles and looking at the NSA PDFs on Der Spiegel, that they don't use HTTPS (and even actively, permanently redirect to HTTP).
BorisMelnik, more than 10 years ago
Would also like to recommend my friend who runs a similar product (I have no affiliation):

http://sslswitch.com/
mnx, more than 10 years ago
> "If a verified TLS connection cannot be established or no page can be loaded over TLS, the site is given the Bad rating."

So, bad = none.
aksophist, more than 10 years ago
Where is the line item for "prevents downgrade of HTTPS connections to vulnerable protocols"?
slimetree, more than 10 years ago
For someone who doesn't get it, why do you need https on websites that just show you some text?
jMyles, more than 10 years ago
Is it protocol at this point to always redirect from HTTP to HTTPS? Is there an RFC for that?
watchesfromch, more than 10 years ago
Forcing a HTTP to HTTPS redirect is a really bad behaviour.
IkmoIkmo, more than 10 years ago
Healthcare.gov being an example to the rest... go figure.
jspaetzel, more than 10 years ago
I don't suppose we should be checking the pages that should actually be secure. IE Ubuntu is listed as bad, why not check their login page? https://login.launchpad.net/ or launchpad.net. Perhaps once https://letsencrypt.org/ comes available it will be worth the extra effort to encrypt everything. In the interim it's most likely a waste of funds, especially for projects that operate on donations.

Edit: I was surprised to see the WSJ listed as Bad. Checking their login form, something that should be encrypted, the post goes to... https://id.wsj.com a secure page. I won't go through the entire list, but I expect most of the ones in this list have a similar configuration.