Security researchers Troy Hunt and Scott Helme have published a list of the largest websites by country that are not redirecting HTTP requests to a more secure HTTPS connection.
The list, maintained at WhyNoHTTPS.com, names sites run by the ABC, Bureau of Meteorology, AFL, Home Affairs and Immigration among the top local sites that load “over an insecure connection without redirecting to a secure, encrypted connection.”
Apart from government sites, Australian university-run sites also rank poorly in their HTTPS implementations.
The creation of the list coincides with Google shipping Chrome 68, which marks all HTTP sites as “not secure”, part of a long-term drive by Google to stamp out unencrypted web connections.
Hunt said in a blog post that he wanted to know which site owners had not heeded months of warnings from Google and others to serve traffic via the more secure HTTPS protocol.
“After all the advanced warnings combined with all we know to be bad about serving even static sites over HTTP, what sort of sites are left that are neglecting such a fundamental security and privacy basic? I wanted to find out,” he said.
The site reuses a portion of data collected by Helme on whether top-ranking sites redirect insecure requests (made over HTTP) to the secure HTTPS scheme.
One important thing to note is that WhyNoHTTPS.com also lists sites that redirect insecure requests to HTTPS only some of the time.
Home Affairs’ implementation of HTTPS fell into this category, with the success of the redirect varying user by user.
Hunt said that anomalies in the way different sites redirected insecure requests caused problems for the researchers in determining how to categorise them.
However, they ultimately decided that “if a site isn't doing HTTPS consistently right, then it may end up on the list and if you're responsible for one of those, the best way to get it off the list is to always redirect insecure requests to secure ones under all circumstances.”
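The "consistently right" criterion above is easy to state but worth making concrete. The following is an added example, not code from WhyNoHTTPS.com or from Hunt or Helme: it records the redirect chain for a plain http:// request, classifies it, and then combines several probes (here varied by User-Agent) so that a site which redirects some visitors but not others is flagged as inconsistent rather than passed. The host names, the User-Agent strings and the response chains used in the comments are constructed for illustration.

```python
"""Classify HTTP-to-HTTPS redirect behaviour the way a WhyNoHTTPS-style
check would (added example; not the site's own code)."""
from urllib.error import HTTPError
from urllib.parse import urljoin, urlparse
from urllib.request import HTTPRedirectHandler, Request, build_opener

REDIRECT_CODES = {301, 302, 303, 307, 308}
MAX_HOPS = 5

# Constructed set of clients; the point is to probe more than one, since the
# article notes redirects that succeeded for some users and not others.
USER_AGENTS = (
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/68.0",
    "Mozilla/5.0 (iPhone; CPU iPhone OS 11_4 like Mac OS X) Safari/604.1",
    "curl/7.61.0",
)


def classify_chain(start_url, hops):
    """Walk a redirect chain observed from an http:// request.

    hops is a list of (status, location) pairs, one per response, in the
    order they were received, and is expected to be complete: it ends with
    a non-redirect, a hop onto https://, or MAX_HOPS redirects. Returns:
      'redirects_to_https'  the http:// request ends up on https://
      'no_redirect'         a non-redirect response is served over http
      'redirect_loop'       the chain revisits a URL
      'too_many_redirects'  still on http after MAX_HOPS redirects
    """
    if not hops:
        raise ValueError("no responses recorded")
    url = start_url
    seen = {url}
    for status, location in hops[:MAX_HOPS]:
        if status not in REDIRECT_CODES or not location:
            return "no_redirect"
        url = urljoin(url, location)  # Location may be relative
        if urlparse(url).scheme == "https":
            return "redirects_to_https"
        if url in seen:
            return "redirect_loop"
        seen.add(url)
    return "too_many_redirects"


def summarize(verdicts):
    """Combine verdicts from several probes. Only all-pass counts as a pass;
    a mix is the 'inconsistent' case the list treats as failing."""
    passed = [v == "redirects_to_https" for v in verdicts]
    if all(passed):
        return "consistent"
    if any(passed):
        return "inconsistent"
    return "failing"


class _NoRedirect(HTTPRedirectHandler):
    """Make urllib report each 3xx instead of silently following it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(url, user_agent, timeout=10):
    """Record the redirect chain for one http:// request (needs network)."""
    opener = build_opener(_NoRedirect)
    hops, current = [], url
    for _ in range(MAX_HOPS):
        req = Request(current, headers={"User-Agent": user_agent})
        try:
            with opener.open(req, timeout=timeout) as resp:
                hops.append((resp.status, resp.headers.get("Location")))
                break  # non-redirect response: chain is complete
        except HTTPError as err:  # 3xx (and 4xx/5xx) arrive here
            location = err.headers.get("Location")
            hops.append((err.code, location))
            if err.code not in REDIRECT_CODES or not location:
                break
            current = urljoin(current, location)
            if urlparse(current).scheme == "https":
                break
    return hops


if __name__ == "__main__":
    import sys

    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    start = "http://%s/" % host
    verdicts = [classify_chain(start, probe(start, ua)) for ua in USER_AGENTS]
    print(host, verdicts, summarize(verdicts))
```

Run as `python check_https.py bom.gov.au` (file name assumed) to probe a host. A chain such as `(302, 'http://www.example.test/')` followed by `(200, None)` classifies as `no_redirect` even though a redirect did happen, because the visitor still lands on plain HTTP; that is the kind of partial redirect the list penalises. The fix on the server side is the one Hunt describes: send every insecure request, on every hostname and path, straight to its https:// equivalent.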
Hunt said the intention is to continue to update the WhyNoHTTPS.com list on a regular cadence.
“That's still the plan, but it's not happening yet,” he said.
He hoped the exercise would put pressure on the named sites “to get their HTTPS things in order”.
“I really want to see the ‘reformed’ sites drop off,” he said, adding that eventually the only sites still named on the list should be low-ranking ones anyway.
The publishing of the list resulted in a large number of requests from site owners for manual rechecks of their HTTPS implementations.
Hunt said via Twitter that any sites that had been fixed would be reflected when the underlying data is next updated.
Not all Australian government sites were caught out by the Chrome change. Parts of the government had used the Chrome update as a prompt to improve website security practices.