About HTTPSWatch

Ratings

HTTPSWatch assigns every tracked site a rating approximating the quality of its HTTPS support. If a verified TLS connection cannot be established or no page can be loaded over TLS, the site is given the Bad rating. The Mediocre rating means a TLS connection can be established but there are quality issues with the site’s implementation of HTTPS (e.g. the HTTP site doesn’t redirect to HTTPS or the Strict-Transport-Security header isn’t set). If everything looks good, a Good rating is given.

Many of the sites that receive a Mediocre rating are only missing the HTTP Strict-Transport-Security header and have otherwise good HTTPS. The HSTS header is a vital component of helping visitors reach a website securely. Without HSTS, it is still possible for an attacker to intercept web traffic and prevent users from connecting over HTTPS. Thus, websites will not be rated Good unless they include HSTS.
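The rating rules above, sketched as an added example; this is not HTTPSWatch's own code. The Probe record, the function names, the sample hosts, and the handling of error statuses and max-age=0 are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit
import re

@dataclass
class Probe:
    """Hypothetical record of what a checker observed for one site."""
    tls_verified: bool             # certificate chain and hostname verified
    https_status: Optional[int]    # status of the page fetched over TLS, None if nothing loaded
    http_final_url: Optional[str]  # where a request to http:// ended up after redirects
    https_headers: dict = field(default_factory=dict)

def hsts_max_age(headers):
    """Return max-age from Strict-Transport-Security, or None if absent or malformed."""
    for name, value in headers.items():
        if name.lower() != "strict-transport-security":
            continue
        for directive in value.split(";"):
            m = re.fullmatch(r'\s*max-age\s*=\s*"?(\d+)"?\s*', directive, re.I)
            if m:
                return int(m.group(1))
    return None

def rate(p):
    """Return (rating, reasons) following the Bad / Mediocre / Good description."""
    if not p.tls_verified:
        return "Bad", ["verified TLS connection could not be established"]
    # Assumption: an error status counts as "no page can be loaded over TLS".
    if p.https_status is None or p.https_status >= 400:
        return "Bad", ["no page could be loaded over TLS"]
    reasons = []
    if not p.http_final_url or urlsplit(p.http_final_url).scheme != "https":
        reasons.append("HTTP site does not redirect to HTTPS")
    age = hsts_max_age(p.https_headers)
    if age is None:
        reasons.append("Strict-Transport-Security header is not set")
    elif age == 0:  # assumption: max-age=0 switches HSTS off, so it is treated as missing
        reasons.append("Strict-Transport-Security max-age=0 disables HSTS")
    return ("Mediocre" if reasons else "Good"), reasons

# Constructed sample observations (not real scan results).
SAMPLES = {
    "good.example": Probe(True, 200, "https://good.example/", {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
    "nohsts.example": Probe(True, 200, "https://nohsts.example/", {}),
    "noredirect.example": Probe(True, 200, "http://noredirect.example/", {"strict-transport-security": "max-age=0"}),
    "badcert.example": Probe(False, None, None),
}
```

Calling rate() on each entry of SAMPLES shows the case discussed above: nohsts.example has otherwise good HTTPS and is held at Mediocre only by the missing header.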

Limitations

Some sites which HTTPSWatch rates as Mediocre are actually unusable in a browser. This is mostly due to mixed content, which HTTPSWatch doesn’t always detect.

Aside from the basic hostname verification checks, HTTPSWatch doesn’t attempt to evaluate the quality of the TLS connection. However, the grade assigned by the SSL Labs server TLS testing tool is provided for each site.

Site Curation

Obviously, it’s not practical to list every university or news site in the world. HTTPSWatch’s goal is to list several representative sites for each category. Usually these are the most popular sites, so HTTPS support on them affects the most users. The hope is that if the sites listed here have high quality HTTPS implementations, the others will follow. Each category should not exceed 20-30 sites.

How to Properly Set Up HTTPS

There’s a lot of information on the web about this, which may be found by searching. Here are a few pointers:

Code

The code is available on GitHub and pull requests are welcome. Join us on Freenode’s #httpswatch channel for discussion.

Credits

HTTPSWatch was originally created by Benjamin Peterson. Contributors around the world now help maintain it.

We’re grateful to Qualys and Ivan Ristić for providing the excellent SSL Server Test and allowing us to include its results on HTTPSWatch.

HTTPSWatch was inspired by Alex Gaynor’s blog posts about news sites’ HTTPS support.