A terrifying number of big-name websites are not secure -- is yours?
There has been a long-standing movement trying to make the web a safer place. For some time, Google's Chrome browser has alerted people when they are visiting secure sites, but with the launch of Chrome 68, it instead warns when an insecure site is encountered.
As we warned just a couple of days ago, the latest update to Chrome means you're likely to see warnings about a lot of insecure sites -- and there are some big-name sites being shamed. Included on the non-HTTPS list are some of Google's own sites, the BBC, the Daily Mail and Fox News. And there are plenty of other recognizable offenders too, as Why No HTTPS? reveals.
See also:
- Brace yourself for a slew of security warnings from Chrome
- Chrome's RAM usage is higher than ever as Google introduces Site Isolation to fight Spectre
- Google doubles down on Chrome extension security by blocking inline installations
Working with security researcher Scott Helme, Microsoft MVP and security expert Troy Hunt has created Why No HTTPS?, a site that lists those do not automatically redirect to a secure version. The statistics are more than a little worrying -- an incredible 20 percent of the most popular sites in the world are not secure by default.
Ahead of the launch of Chrome 68, Cloudflare pointed out that more than half of the top one million sites fail to push visitors to an HTTPS version:
The majority of the Internet’s top 1M most popular sites will show up as “Not Secure” in @GoogleChrome starting July 24th. Make sure your site redirects to #HTTPS, so you don’t have the same problem. @Cloudflare makes it easy! #SecureOnChrome https://t.co/G2a0gi2aM8 pic.twitter.com/r2HWkfRofW
— Cloudflare (@Cloudflare) July 23, 2018
Take a look through the list of insecure sites presented on Why No HTTPS? and you'll notice that a lot of them are based in China -- but certainly not all of them. There are lots of popular sites from the US, the UK, India and Australia that put their visitors at risk.
With it now easier and cheaper than ever to offer HTTPS sites, there's really very little excuse for not doing so. Maybe Chrome's flagging up of insecure sites coupled with Why No HTTPS?'s naming and shaming will encourage more to take security seriously.
Have you noticed any big sites that fail to make the grade?