HTTPSWatch assigns every tracked site a rating approximating the quality of its HTTPS support. If a verified TLS connection cannot be established or no page can be loaded over TLS, the site is given the Bad rating. The Mediocre rating means a TLS connection can be established but there are quality issues with the site’s implementation of HTTPS (e.g. the HTTP site doesn’t redirect to HTTPS or the Strict-Transport-Security header isn’t set). If everything looks good, a Good rating is given.
Many of the sites that receive a Mediocre rating are only missing the HTTP Strict-Transport-Security header and have otherwise good HTTPS. The HSTS header is a vital component of helping visitors reach a website securely. Without HSTS, it is still possible for an attacker to intercept web traffic and prevent users from connecting over HTTPS. Thus, websites will not be rated Good unless they include HSTS.
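The rating rules above and the HSTS requirement can be sketched as a small classifier. This is an added example, not HTTPSWatch's own code: the `Probe` record and its field names are hypothetical, and treating an HTTPS status of 400 or higher as "no page can be loaded" and `max-age=0` (which tells browsers to forget the policy) as "not set" are assumptions.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

@dataclass
class Probe:
    """Hypothetical record of what a checker observed for one site."""
    host: str
    tls_verified: bool             # certificate chain and hostname verified
    https_status: Optional[int]    # status of the page fetched over TLS
    http_location: Optional[str]   # Location header from the plain-HTTP fetch
    hsts: Optional[str]            # raw Strict-Transport-Security value

def hsts_max_age(value: Optional[str]) -> int:
    """Return max-age in seconds from an HSTS header, or 0 if unusable."""
    for directive in (value or "").split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            arg = arg.strip().strip('"')
            return int(arg) if arg.isdecimal() else 0
    return 0

def redirects_to_https(probe: Probe) -> bool:
    """True if the plain-HTTP site sends visitors to an https:// URL."""
    if not probe.http_location:
        return False
    return urlsplit(probe.http_location).scheme.lower() == "https"

def rate(probe: Probe) -> str:
    # Bad: no verified TLS connection, or no page loads over TLS
    # (assumption: a missing response or status >= 400 counts as "no page").
    if not probe.tls_verified or probe.https_status is None or probe.https_status >= 400:
        return "Bad"
    # Mediocre: TLS works, but there is no HTTP->HTTPS redirect or no effective HSTS.
    if not redirects_to_https(probe) or hsts_max_age(probe.hsts) == 0:
        return "Mediocre"
    return "Good"

# Constructed sample observations (not real measurements).
SAMPLES = [
    Probe("a.example", True, 200, "https://a.example/", "max-age=31536000; includeSubDomains"),
    Probe("b.example", True, 200, "https://b.example/", None),   # HSTS missing
    Probe("c.example", True, 200, None, "max-age=31536000"),     # no redirect
    Probe("d.example", True, 200, "https://d.example/", "max-age=0"),
    Probe("e.example", False, None, None, None),                 # TLS fails
]
```

Calling `rate()` on each entry of `SAMPLES` yields Good, Mediocre, Mediocre, Mediocre and Bad in that order.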
Some sites which HTTPSWatch rates as Mediocre are actually unusable in a browser. This is mostly due to mixed content, which HTTPSWatch doesn’t always detect.
Aside from the basic hostname verification checks, HTTPSWatch doesn’t attempt to evaluate the quality of the TLS connection. However, the grade the SSL Labs server TLS testing tool assigns is provided for each site.
Obviously, it’s not practical to list every university or news site in the world. HTTPSWatch’s goal is to list several representative sites for each category. Usually these are the most popular sites, so HTTPS support on them affects the most users. The hope is that if the sites listed here have high quality HTTPS implementations, the others will follow. Each category should not exceed 20-30 sites.
There’s a lot of information on the web about this, which may be found by searching. Here are a few pointers:
HTTPSWatch was originally created by Benjamin Peterson. Contributors around the world now help maintain it.