This website names and shames websites that don't use HTTPS

A new service built by Troy Hunt, information security consultant and founder of haveibeenpwned, with data from Scott Helme, also an information security consultant, lists popular websites from across the world (by country) that load over an insecure connection without redirecting to a secure, encrypted connection. Aptly named "Why No HTTPS?", the website lists some South African universities and a government online services in Kenya as one of the many culprits.

Why No HTTPS? uses Amazon Alexa's rankings to list the top 50 websites sites in each country that don't use HTTPS.

"HTTPS is now free, easy and increasingly ubiquitous. It's also now required if you don't want Google Chrome flagging the site as 'Not secure'. Yet still, many of the world's largest websites continue to serve content over unencrypted connections, putting users at risk even when no sensitive data is involved."

Some of the culprits not using HTTPS in Afrika

What is of concern is how some well known and popular websites across Afrika haven't implemented HTTPS. This is no great surprise considering that it was also only a few weeks ago that one of South Africa's large financial institutions, Liberty, started using HTTPS.

Here is a list of some of the websites in Afrika that caught our attention:

South Africa

  • unisa.ac.za
  • wits.ac.za
  • uct.ac.za
  • telkom.co.za
  • ewn.co.za

Kenya

  • ecitizen.go.ke
  • kra.go.ke
  • uonbi.ac.ke
  • strathmore.edu
  • telkom.co.ke

Nigeria

  • nairaland.com
  • saharareporters.com
  • punchng.com
  • dailypost.ng
  • swiftng.com

Zimbabwe

  • msu.ac.zw
  • nehandaradio.com
  • openparly.co.zw
  • zbc.co.zw
  • rbz.co.zw

"I know the data we've collated on this website will cause questions to be asked, suggestions to be made and inevitably, amendments to be requested. Use the comments section below, I'm sure many people will have good ideas around how we can make this data more useful and ultimately, help accelerate the push to a secure by default web. For now, a site is only going to drop off the list if it does HTTPS correctly when the crawler next comes by and I update the site, but I'll manually amend any incorrect country definitions if people spot obvious faults and have the correct values available for me to load," said Hunt on a blog post announcing the launch of Why No HTTPS?.

Comments